Masking Passwords: Help or Hindrance?
Sometimes the details make all the difference.
Typing your phone number into an online form and being told "no spaces allowed" is infuriating. It's a tiny part of the overall user experience, but it can totally change the feeling from seamless to clunky.
Password masking is another such detail. Password masking is that familiar practice of hiding the password characters – as entered by the user – behind bullets (●), asterisks (*), or similar camouflaging characters.
The idea behind masking is to prevent nearby observers reading the password "over the user's shoulder" and thus stolen. But there are a few significant disadvantages that may outweigh this primary advantage.
Problems with password masking
Masking the password also hides it from the user
In our attempts to maximise security, too often we severely compromise usability. There's not much point in building a secure system if that security drives people away from using it!
Password masking is one of those examples where the by-product of security is a poorer user experience. By masking the password to protect against the vanishingly small chance a criminal is not only in the room, but no more than a few metres behind you, we’re impairing every legitimate user. This means users can't:
- see whether they've typed the right thing; or
- easily correct their password if they get an error.
In turn this will mean a longer and more frustrating user experience. And these difficulties may lead users to choose far less secure – but easier to type – passwords, which poses a much more significant security risk.
"Over the shoulder" attacks aren't as common as we may think
Bruce Schneier, world renown security specialist, says it best in his post The Pros and Cons of Password Masking:
I believe that shoulder surfing isn't nearly the problem it's made out to be. One, lots of people use their computers in private, with no one looking over their shoulders. Two, personal handheld devices are used very close to the body, making shoulder surfing all that much harder. Three, it's hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.
This is not to say that shoulder surfing isn't a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn't more of a threat. And the threat is greater for those who are not fluent computer users: slow typists and people who are likely to choose bad passwords. But I believe that the risks are overstated.
The password is still vulnerable to keylogging and malware
Unfortunately, visual masking gives the sense of more security than there actually is. While it can't be seen, it can still be easily stolen by malware installed on the user's device, or by a criminal using keylogging technology (which doesn't need to be installed on the device, or even in visual proximity).
The design of some mobile operating systems eliminates some benefits of masking
When entering a password on some mobiles, each character is visible in the password field for a few seconds or until the next character is entered, whichever comes first. This means the mask is only partially applied, undermining security.
Balancing security and usability
The great news is there's a way to maintain the security benefits of masking while improving the user experience: mask passwords by default but provide users with the ability to turn the masking off.
- provides the most security by default, including against "over the shoulder" attacks;
- gives users the control over their own interaction (control being an important cornerstone in usability);
- means the interface is initially familiar to users, rather than the potential shock of presenting the password in the open (a study by Jack Holmes found 60% of users became suspicious of the site if password was unmasked by default);
- allows the user to see the password while typing or afterwards; and
- can work with any device or operating system.
The best implementation will use the words "show" and "hide", rather than iconography that may not be intuitive. Because the user is initiating an action, ideally the "show" and "hide" will be buttons (rather than a checkbox whose label changes).
"Show password" toggle: proven results
The fact that it is there gives me the chance to check what I have typed. It is helping me in my inability to do something simple.
It is protecting me against somebody looking over my shoulder. It gives me a feeling that there is some form of protection in place.
Unpublished research conducted by the Victorian Department of Justice and Regulation – with whom I have worked – also validates the "show password" approach.
So I think the time is right to start adopting this as a matter of convention. What do you think?