Noted usability expert Jakob Nielsen has recently written a post on the need to do away with masking password text when filling out forms on websites and applications. He thinks that masking passwords is a big headache for users and does not bring commensurate benefits as far as security is concerned.

But I prefer to maintain a few points against this logic. I still feel butterflies in my stomach when I am forced to enter a password in a field that directly shows the masked password text. The practice of masking passwords has continued for so long that I am now used to it, and it does not bother me at all when I am entering my password in a field that masks its visibility.

He tries to establish that…

"Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures."

Nielsen argues that:

  • Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident, which results in people ultimately giving up on using your website.
  • The more uncertain users feel about typing passwords, the more likely they are to employ overly simple passwords, thus compromising their security.

But in my case, the situation is different. There are many cases when a colleague or friend is sitting beside me and I have to enter my password. I can enter my passwords with a quick flip of the fingers, and it is often difficult to guess the password from the movement of fingers. If you show the passwords on the screen, then any onlooker can see them. The possibility of someone learning your password by looking over your shoulder is much greater than that of guessing it by looking at the movement of your fingers.

I would prefer to let the website mask my password and let me make the mistakes. In case I feel I have made a mistake while typing the password, I would prefer to delete everything there and retype it, rather than ask the website to show my masked password.

Jakob further suggests that websites can offer users a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. But I would prefer to have a checkbox which will show my masked passwords when checked. I would feel a lot of discomfort checking it in front of my password. It is like slapping that fellow in the face and saying… LEAVE OFF, I do not trust you and so I am masking my passwords.

An example of what I am talking about is there in the Wireless Network Properties dialog box of my Vista.

[Image: show masked passwords]

What do you think?