Do not ignore the role of ‘user perceptibility’
Jakob Nielsen has certainly created a ‘buzz’ recently in the online world of blogs and forums. The subject: password masking should be stopped.
He outlined his case in the article ‘Stop password masking’ (June 2009) in his bi-weekly column, Alertbox. Password masking is typically used on login screens and login dialog boxes: as the user types, each character of the password is replaced on screen by an asterisk or bullet instead of being echoed back in clear text.
Nielsen believes that password masking runs counter to usability best practice and that it contravenes the usability principle of providing suitable feedback at all times so that the system status is apparent.
He argues that it is time to abandon this design legacy, which has only become an entrenched convention because it was ‘easy to do’ and ‘the default in the Web’s early days’. In addition, and contrary to popular opinion, he believes that password masking does not help to increase online security and can cause users to abandon a site. He cites password masking on mobile devices as particularly problematic, because typing on them is difficult and leads to lots of typos. To summarise in his words:
“Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but does cost you business due to login failures.”
In other words, human beings are frequently sneaky little creatures who commonly employ creative behaviours when dealing with password requirements; these behaviours often undermine online security anyway, and so make masking an irrelevance. The most common behaviours quoted are simplifying passwords and using copy and paste to enter passwords from files stored on users’ computers.
He states that businesses are losing customers because users have problems logging in to sites and so leave, never to return, or businesses incur extra costs through increased calls to call centres. In his opinion:
“… users will appreciate getting clear-text feedback as they enter passwords. Your business will increase, and security will even improve a tiny bit as well.”
Interestingly, Bruce Schneier, a well respected security expert, concurs with Nielsen and argues that clear-text passwords would reduce errors and that any risk of ‘shoulder surfing’ (getting password details by watching someone as they type) would in practice be low.
Nielsen’s solution to the problem of ‘shoulder surfing’ is a check box allowing users to choose whether they want to mask their passwords as they enter them. For high risk online applications, such as bank accounts, he suggests that this check box should be ticked by default.
The response to Nielsen’s arguments concerning password masking has been both swift and passionate. To date, 171 people have left comments on Bruce Schneier’s blog about this issue; most disagree with both his and Nielsen’s point of view. A quick Google search and a surf of well known blogs also show that most commentators oppose breaking this convention. The arguments against stopping the use of password masking generally fall into three camps.
1. It’s too late: Some comment that password masking is now embedded in the very technology on which the internet is founded, for example website compliance and security requirements, browser rendering of a web page’s HTML (the markup decides how the field is masked), the password managers built into Internet Explorer and Firefox, and so on. Stopping the practice would therefore be very difficult.
2. It will put us at risk: Other commentators take a more personal view and quote situations where password masking is considered a must because of the inherent danger and dire consequences of ‘shoulder surfing’, e.g. when using internet cafes, working in open plan offices or using a friend’s computer. This camp advocates no change to the status quo.
3. No worries, there are ways around this: The various solutions put forward to answer this problem offer a pragmatic approach. These include putting Nielsen’s check box idea to the test (in front of real users), using the iPhone method of making the last typed character visible for a short time before it is converted into a bullet (hopefully prompting the user’s memory), and utilising newer technology such as fingerprint readers or ‘pattern locks’.
In my opinion, Nielsen and his supporters have completely missed the point. This is not an issue of usability but of ‘user perceptibility’. Nielsen has forgotten that human beings are not only creative creatures but emotional ones too. Consequently, users can have an emotional reaction to the online world just as they do to the real world. And just as the real world has myths which feed users’ emotions, so does the online world. Equating password masking with better online security may be a myth, but it is out there and is generally believed.
Frequently, as part of my job, I test low fidelity prototypes with users, and when a login process is part of the test, password masking is often a missing function. Without fail, many participants will comment as they ‘log in’: ‘It’s not going to be like that on the real site, is it? That’s not very secure, is it?’
The reason users like or expect password masking is simple: if they feel that they have to jump through hoops to access their accounts, then by default this experience will be mirrored for those who are unauthorised, namely hackers. Users regard password masking as a necessary evil which helps support high levels of online security. Of course, this is not always the case; malware or key logging software can be used to access many online accounts regardless of what is shown on screen. But the online urban myth is out there, and it will be very hard to convince users that unmasking passwords would not lower online security standards.
Inevitably, as technology moves on, passwords as a security feature will be replaced. However, until we all live in a ‘Minority Report’ world where iris scans are commonplace (and even the hero of the piece found a way around that one!), the login process is probably here to stay for the immediate future. Therefore, as part of the overall online customer experience, ‘user perceptibility’ can play an important role and should not be ignored. It would be a very brave online provider or retailer indeed that broke this much treasured tradition on their website. I suggest that any provider which removes this feature would immediately see the opposite effect to the one put forward by Nielsen: registrations on their site would decline, not increase.
Comments
-
Barry Briggs: Agree completely with this.
“If (users) feel they have to jump through hoops to access their accounts, then by default this experience will be mirrored for those who are unauthorised, namely hackers”
The perception of security is often as important as the actual security.
-
Hina Keval: I agree with this too. If this convention (masking passwords) is broken with the principal aim of reducing login errors, it is very likely that users will perceive sites, particularly e-commerce sites, as broken, unfinished, ‘dodgy’ and therefore untrustworthy.
Let’s face it, online criminals are very determined if there’s a lot at stake. Shoulder surfing is common at public kiosks (cash points) but not uncommon in financial organisations… amongst employees.
Hina Keval.