Passwords have barely evolved since the early days of computing and are taken for granted in our daily online lives. It’s time for change, says usability expert Jakob Nielsen, who believes password masking goes against basic usability principles and should be stopped (via Kottke).
Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.
Most websites […] mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. [However], there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
Nielsen suggests that password fields should be plaintext by default, with a checkbox available for when a user would like to turn masking on. Ignoring the usability issue of adding a new and unexpected item to a form, and ignoring the social ramifications of such a change (explicitly displaying lack of trust by turning masking on around friends), do lengthy, supposedly ‘strong’ passwords increase online security anyway? (pdf, via Schneier)
Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a “three strikes” type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat.
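To put numbers on the three-strikes argument, here is an added model (example code, not from the post or the paper it quotes). It assumes a 24-hour lockout after three failed logins and, for contrast, an unthrottled guesser at 10^9 guesses per second; both rates are assumptions, and the "strong" password is modelled purely by its entropy in bits.

```python
import math

# Constructed model (added example, not from the post or the paper it quotes):
# an online guessing attacker limited by a "three strikes" lockout rule, versus
# an unthrottled attacker. Lockout window and unthrottled rate are assumptions.

SECONDS_PER_DAY = 86_400
UNTHROTTLED_GUESSES_PER_SECOND = 1e9  # assumption for the unthrottled case


class ThreeStrikesPolicy:
    """Lock an account after `strikes` failed logins, for `lockout_seconds`."""

    def __init__(self, strikes=3, lockout_seconds=SECONDS_PER_DAY):
        self.strikes = strikes
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, now, password, secret):
        """Return True on success, False on a wrong password or a locked account."""
        if now < self.locked_until:
            return False  # locked: the guess is not even checked
        if password == secret:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.strikes:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return False


def guesses_per_day(strikes=3, lockout_seconds=SECONDS_PER_DAY):
    """Upper bound on guesses an online attacker gets per day under the policy."""
    return strikes * SECONDS_PER_DAY / lockout_seconds


def years_to_exhaust(bits, guesses_per_day_rate):
    """Years needed to try every password of `bits` entropy at the given rate."""
    return (2 ** bits) / guesses_per_day_rate / 365.0


def compare(bits):
    """(years under three strikes, years unthrottled) for a `bits`-entropy password."""
    online = years_to_exhaust(bits, guesses_per_day())
    offline = years_to_exhaust(bits, UNTHROTTLED_GUESSES_PER_SECOND * SECONDS_PER_DAY)
    return online, offline
```

With these assumptions a 20-bit password already takes about 950 years to exhaust under the three-strikes rule, while a 40-bit password falls to the unthrottled guesser in roughly 18 minutes; the lockout, not the extra entropy, is what defeats online guessing.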