I was poking around the internet when I stumbled upon a reference to a year-old blog posting by Jakob Nielsen. The referring person was a UX professional who asked,
“Have you seen what Jakob Nielsen suggests about masking passwords: http://www.useit.com/alertbox/passwords.html. I think he’s gone cuckoo.”
Upon reading that provocative accusation, I had to follow the link to see just how crazy old Jakob had become.
But Jakob’s brief, clear post was relevant, correct and well-reasoned. He instructed us to stop masking password entry fields. It was the UX professional who had “gone cuckoo.”
Showing bullets instead of the actual characters of your password to obscure it from onlookers is one of those interface idioms that have been around forever. Unfortunately, its age is the only possible reason for its continued existence. Its effect is the opposite of its intent to enhance security.
One of my design axioms is, “Design for the probable; provide for the possible.” It is possible that some nefarious person with both the means and motive to steal your identity is just awaiting the opportunity to peer over your shoulder and memorize your 8-character, mixed-case, partially numeric, non-mnemonic password. However, it is far, far more probable that you are alone, or where nobody can clearly see your mobile’s screen, or in a pub surrounded by friends with whom you have shared far more than just access to your Amazon account.
What’s more, because the characters are obscured, it is far, far more probable that you will hesitate halfway through typing your password and lose your confidence that you have typed correctly. This forces you into taking the extra step of erasing and retyping. In other words, the extra thought and work are frequently necessitated but rarely useful. Instead, a simple option to turn on masking would push the extra work onto the rare—but possible—case when one is surfing the internet in a hostile environment.
Password masking undoubtedly originated when some clever programmer put it in a program to show off. I can hear him now, bragging to his colleagues, “Somebody might need to enter his password in a hostile environment.” Whenever you hear that telltale phrase, “Somebody might…”, you are about to be covered in interface slime.
“Panic” buttons on automobile remote entry keyfobs are an identical problem. I suppose it is theoretically possible to imagine a case when someone would want to intentionally set off their car alarm, but I have never heard even a whisper of a real situation. What is far more probable is what happened to me just the other night. I was watching TV and accidentally dropped the remote. Upon bending to pick it up, something in my pants pocket pressed against my keyfob, and my car’s alarm went off. Everybody in the neighborhood heard the blasting horn while I fumbled to shut it off.
I guarantee that some automotive engineer a decade ago, working on the new remote keyless entry system, had a brainstorm about a rare possibility. “Somebody might want to set the alarm off intentionally” he said to himself, and created the Panic button. The marketing department loved the idea because it seemed they could offer a new feature at no additional cost.
Sadly, there is additional cost, one not measured in money, but in the lowered quality of experience. I would gladly pay to have that evil Panic button removed from my keyfob, yet every new car still comes with one, simply because it has always been there, and that’s a terrible rationale.
Jakob Nielsen pleads with us to “clean up the cobwebs and remove stuff that’s there only because it’s always been there.” I think it’s cuckoo not to.