Masking Passwords: Help or Hindrance?

By Jessica Enders

Illustration: Blindfolded person trying to find the correct key to enter a door. - By Alex Walker

Sometimes the details make all the difference.

Typing your phone number into an online form and being told "no spaces allowed" is infuriating. It's a tiny part of the overall user experience, but it can totally change the feeling from seamless to clunky.

Password masking is another such detail. Password masking is that familiar practice of hiding the password characters – as entered by the user – behind bullets (●), asterisks (*), or similar camouflaging characters.

A typical masked password field using bullets

The idea behind masking is to prevent nearby observers from reading the password "over the user's shoulder" and stealing it. But there are a few significant disadvantages that may outweigh this primary advantage.

Problems with password masking

Masking the password also hides it from the user

In our attempts to maximise security, too often we severely compromise usability. There's not much point in building a secure system if that security drives people away from using it!

Password masking is one of those examples where the by-product of security is a poorer user experience. By masking the password to protect against the vanishingly small chance a criminal is not only in the room, but no more than a few metres behind you, we’re impairing every legitimate user. This means users can't:

  • see whether they've typed the right thing; or
  • easily correct their password if they get an error.

In turn this will mean a longer and more frustrating user experience. And these difficulties may lead users to choose far less secure – but easier to type – passwords, which poses a much more significant security risk.

"Over the shoulder" attacks aren't as common as we may think

Bruce Schneier, the world-renowned security specialist, says it best in his post The Pros and Cons of Password Masking:

I believe that shoulder surfing isn't nearly the problem it's made out to be. One, lots of people use their computers in private, with no one looking over their shoulders. Two, personal handheld devices are used very close to the body, making shoulder surfing all that much harder. Three, it's hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.

This is not to say that shoulder surfing isn't a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn't more of a threat. And the threat is greater for those who are not fluent computer users: slow typists and people who are likely to choose bad passwords. But I believe that the risks are overstated.

The password is still vulnerable to keylogging and malware

Unfortunately, visual masking gives the sense of more security than there actually is. While it can't be seen, it can still be easily stolen by malware installed on the user's device, or by a criminal using keylogging technology (which doesn't need to be installed on the device, or even in visual proximity).

The design of some mobile operating systems eliminates some benefits of masking

When entering a password on some mobiles, each character is visible in the password field for a few seconds or until the next character is entered, whichever comes first. This means the mask is only partially applied, undermining security.

Animation: Woolies login in action

Balancing security and usability

The great news is there's a way to maintain the security benefits of masking while improving the user experience: mask passwords by default but provide users with the ability to turn the masking off.

Firefox change password dialog

Google account login

Paypal account login

This approach:

  • provides the most security by default, including against "over the shoulder" attacks;
  • gives users the control over their own interaction (control being an important cornerstone in usability);
  • means the interface is initially familiar to users, rather than the potential shock of presenting the password in the open (a study by Jack Holmes found 60% of users became suspicious of the site if the password was unmasked by default);
  • allows the user to see the password while typing or afterwards; and
  • can work with any device or operating system.

The best implementation will use the words "show" and "hide", rather than iconography that may not be intuitive. Because the user is initiating an action, ideally the "show" and "hide" will be buttons (rather than a checkbox whose label changes).
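The recommendations above (masked by default, a user-initiated button rather than a checkbox, the words "Show" and "Hide" rather than an icon) in working form. This is an added example, not code from the article or from any of the sites pictured; the element ids `#password` and `#toggle` are assumptions, and the state logic is kept separate from the DOM wiring so it can be tested without a browser.

```javascript
// Two states: masked (the default) and visible. Each carries the input type,
// the button's word label, and the aria-pressed value for assistive tech.
const MASKED = { type: "password", label: "Show", pressed: false };
const VISIBLE = { type: "text", label: "Hide", pressed: true };

// Masked by default, as the article recommends.
function initialState() {
  return MASKED;
}

// Flip between masked and visible; pure, so it is easy to reason about.
function toggle(state) {
  return state.type === "password" ? VISIBLE : MASKED;
}

// Apply a state to the DOM: the input's type and the button's visible text.
// Using "Show"/"Hide" words avoids iconography that users may not recognise.
function render(state, input, button) {
  input.type = state.type;
  button.textContent = state.label;
  button.setAttribute("aria-pressed", String(state.pressed));
  return state;
}

// Wire a password field to a toggle button. Returns a handle exposing the
// current state for inspection (used by tests and debugging).
function attachToggle(input, button, form) {
  let state = render(initialState(), input, button);
  button.type = "button"; // a plain button: clicking it must not submit the form
  button.addEventListener("click", () => {
    state = render(toggle(state), input, button);
  });
  if (form) {
    // Re-mask before submit so the password is not left on screen afterwards.
    form.addEventListener("submit", () => {
      state = render(MASKED, input, button);
    });
  }
  return { get state() { return state; } };
}

// Browser usage (assumed ids); skipped when there is no DOM, e.g. under Node.
if (typeof document !== "undefined") {
  const input = document.querySelector("#password");
  const button = document.querySelector("#toggle");
  if (input && button) attachToggle(input, button, input.form);
}
```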

Example 4

"Show password" toggle: proven results

The aforementioned study by Jack Holmes, along with others, demonstrates that the "show password" approach works with users. User quotes from Jack's study include:

The fact that it is there gives me the chance to check what I have typed. It is helping me in my inability to do something simple.

and

It is protecting me against somebody looking over my shoulder. It gives me a feeling that there is some form of protection in place.

Unpublished research conducted by the Victorian Department of Justice and Regulation – with whom I have worked – also validates the "show password" approach.

So I think the time is right to start adopting this as a matter of convention. What do you think?

  • I’ve been training my 10yo daughter to use Lastpass to try to eliminate the temptation to use short passwords to avoid mistakes. But I think we have to move beyond passwords as first line of defense. The contest of brute force computing power versus our own password imagination/memory is getting away from us further each day.

    I think ideas like SQRL should get more momentum over the next year or so – http://sqrl.pl/blog/

    • Formulate

      I totally agree. There are so many problems with passwords as a security mechanism. It’ll just be a question of when and how the next best solution comes along.

  • It should be noted that because the masked password input field has been the norm for such a long time, to disable it by default would likely leave users feeling as if your site is less than secure. With this context in mind, it’s another argument for why a show/hide password feature is probably the best way to avoid UX frustrations, while also keeping users confident in your site’s security.

    • Yup. If all of a sudden people were typing in passwords and they were showing up, they would probably freak out. I like the show/hide also for this and have been thinking about implementing it in an application or two and tracking the clicks on show password, just to see how they use it.

      • Formulate

        Jack Holmes’ study confirmed that a significant portion of people do get freaked out by seeing a password unmasked by default.

  • omnichad

    So that’s what that symbol is on the Google sign-in? Every time I see it, I check my caps lock.

  • bcre8ve2

    While I have considered using a toggle link to show/hide the password (thus giving control to the user) I have decided against it.

    Although not best practice, too many users utilize browsers’ “Remember Password” functions. Such a toggle would give a malicious person who has access to your computer, even for a short time, the ability to not only log into a specific site using that open computer but also the ability to reveal a password to be used at a later time.

    Yes, I realize in this scenario there are several mistakes made by the user. But we are fooling ourselves as designers/developers if we do not recognize that our users behave all too often in this manner.

    I also realize that with even a small amount of knowledge of debugging in a browser anyone can reveal the password but why give them a tool to do it?

    • Formulate

      Interesting angle.

      I agree we need to be realistic about user behaviour. Personally I think choosing not to provide a “show password” option because of this risk is again coming down too far on the side of mitigating a very low risk rather than making a high traffic experience easier for legitimate users.

      • bcre8ve2

        Yes. I don’t really have strong feelings about it either way. Working with financial institutions, though, I do have to make things a little more stringent than other sites may need.

        I will confess that as a user I do enjoy the option to toggle the text – especially when I am on my 3rd of 3 tries to get it right [8^)

        A “Caps Lock is On” warning is definitely a good practice.

        • Formulate

          Warning people that “caps lock is on” is so helpful! Thanks for mentioning.

    • OsakaWebbie

      Even if intruders have physical access, they need to guess sites one by one that the user has saved passwords for. I doubt that’s what the intruder would do, when he can get all the saved passwords at once by quickly going to the browser’s options area (e.g. in FF, Options/Security/Saved Passwords/Show Passwords). So I don’t think the Show Password button matters much for that kind of risk – we need to protect overall access to our computers!

  • Ralph Mason

    Nice article! I couldn’t help thinking that people being able to peer over your shoulder to see your unmasked password is only half the problem, as I’m just as uncomfortable about them being able to see the keys I’m pressing to fill it in—whether on a desktop keyboard or on mobile.

    • Formulate

      Indeed. Masking doesn’t protect you against that.

  • Considering the risks of the “over the shoulder problem” you miss out one important point completely, I think:

    I am very often working with another person at the same computer, or with even more in a room with my computer connected to a beamer. Password masking enables me to login to services/sites without having to switch my screen before.

    • Formulate

      You’re right Paul. But the “Show password” approach would still work just fine in those circumstances.

      • Sure, I like this approach. I just wanted to add this to the discussion, as it does not appear in the risks above.

        • Formulate

          Yes, I’m very glad you added it, for that reason!

  • Brandon L

    For the conspiracy theorists out there, you’re doomed no matter what. Surveillance cameras with “CSI zoom” capabilities will catch you every time you want to view your password. But even without that the NSA will track it at the CPU level or as it transmits across the wires. We have no expectation of privacy. LOL

    • If you take your front door as an example, nothing will ever stop an even mildly motivated person from getting through it. A standard crowbar and some grunt will do it. Nevertheless, most of us are happy that our front door does the job.

      However, if we found out that our front door was pickable by anyone with a 10c piece, we’d be right to be concerned.

      Likewise, if you are targeted by a motivated, sophisticated attacker – government or otherwise – they will very likely get through your security.

      You just don’t want a situation when almost any unskilled person with a computer and an IP scanner can find and access your accounts. Driving users towards choosing shorter and/or multi-use passwords makes that scenario much more likely.

  • Ansel Taft

    Why not blur the password? Give it enough fuzz to mask it, especially if viewed from feet away, but soft enough that a user’s eyes will pick up and be able to recognize the pattern of what their password looks like with a bit of blur. Over time our mind will be able to spot the difference.

    • Interesting idea to test, @anseltaft:disqus

  • Martin Gruhn

    I can’t believe showing passwords became commonplace even on huge sites like ebay or facebook.

    This is the most dangerous insecurity feature I have ever seen. Someone steals my phone, logs out of facebook and ebay and now has my passwords as they are saved in the browser.

    Sure, as I am probably logged in, they can misuse my ebay and facebook accounts anyway. But in my case (and more so in the case of others) they now have the passwords for other sites as well because nobody keeps different passwords for all their logins. Even if so, the passwords the thief has may be a good hint to guess other passwords.

    My important passwords are indeed completely different, but how many people use the same for ebay and their online banking or at least PayPal?
