Keep masking passwords, for now
I always find Jakob Nielsen's usability columns interesting. I rarely disagree with his mostly common-sense approach; however, I found myself at odds with a recent Alertbox column, entitled "Stop Password Masking."
In a nutshell, he believes the common practice of displaying dots or asterisks when typing in a password to be unnecessary and a usability problem. He says that it causes users to make more password entry errors since they cannot visually verify what is being typed. I agree on both counts.
He says that because password entry errors are more likely, users therefore feel less confident. I disagree.
Password masking is pervasive. It is quite literally everywhere. I can't think of a single instance where a password isn't masked. It is because of this that I believe its absence will be jarring to users. Worse, it might lead a user to actually question the security of a Web site. In essence, the absence of masking would cause users to feel less confident.
He goes on to offer a compromise for scenarios where someone might actually be peering over your shoulder, by offering a checkbox choice to mask the password. I believe this is a poor compromise.
I am quite stingy when it comes to adding fields to a Web form. We did a study last year where we proved the conjecture that fewer fields lead to higher completion rates. Therefore, I strongly advise clients to remove all but the most necessary fields. Adding a checkbox alongside the password field flies in the face of this.
I am a big fan of the books "Don't Make Me Think" and "The Inmates Are Running the Asylum." Each talks about the importance of removing cognitive friction - ambiguities that cause you to stop, think and wonder. I believe the presence of a masking checkbox (and its associated label/description) would add cognitive friction to a form.
I do agree that password masking is a relic of the past and should eventually go away. However, in this case, our best recommendation is to keep masking in place for the time being.
Updated: September 28, 2021 for link rot