Jakob Nielsen's Alertbox, June 23, 2009:

Stop Password Masking

Summary:
Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.

It's time to show most passwords in clear text as users type them. Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users' shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.

More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

The Costs of Masking

Password masking has proven to be a particularly nasty usability problem in our testing of mobile devices, where typing is difficult and typos are common. But the problem exists for desktop users as well.

When you make it hard for users to enter passwords you create two problems — one of which actually lowers security:

• Users make more errors when they can't see what they're typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
• The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

In most cases, however, users will appreciate getting clear-text feedback as they enter passwords. Your business will increase, and security will even improve a tiny bit as well.

Abandon Legacy Design

Password masking has become common for no reasons other than (a) it's easy to do, and (b) it was the default in the Web's early days. In this respect, it's similar to another usability problem — having Reset buttons on forms, which is also something that should die.

Generally, I recommend adhering to conventions. Do what users expect, and they can concentrate their brainpower on understanding your products and offers instead of struggling with the user interface.

But password masking and Reset buttons are not something users actively seek out. Losing these features won't cause confusion, nor will their replacements: the new features will simply be clear text (in the first case) and a blank area where the destroy-my-work button used to be (in the second).

This is very different from removing something users look for or introducing something they don't understand.

Let's clean up the Web's cobwebs and remove stuff that's there only because it's always been there.