I subscribe to the site of Jakob Nielsen, a popular web usability expert. Today he sent out an email with findings that suggest we should stop masking passwords on forms. I usually agree with his findings, and many of the polls I run come to similar conclusions. In this particular case, though, I think his case study does not reflect real-world experience, and it misses an important point.

Jakob’s Reasoning Why We Should Stop Using Password Masking

Putting security aside for a minute, his main argument is that users make more errors and feel less confident when the field is masked, which leads them to pick shorter passwords or to copy and paste them. I believe that argument is poor at best.

If password length is the issue, simply require a larger minimum number of characters in the password field. As for users copying and pasting their password, that behavior will continue whether or not the field is masked.

So at best, his argument is valid if you believe you are losing users because they get lost typing long passwords into a masked field. Another quick fix is to give users an easy way to recover access, such as a “Lost Your Password?” link. (Send a single-use reset link rather than the password itself: a site that can email you your password is storing it in a form it can read back, which is its own security problem.)
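Here is what a safe “Lost Your Password?” flow looks like on the server side. This is an added example written for this post, not code from Jakob’s article or from any particular site: the reset link carries a random single-use token, only the token’s hash is stored, and the token expires. The 15-minute lifetime, the in-memory store and the `/reset?token=` URL shape are assumptions for illustration.

```python
"""Single-use, time-limited password reset tokens (added example)."""
import hashlib
import secrets
import time

# Hypothetical policy value chosen for this example, not from the original post.
TOKEN_TTL_SECONDS = 15 * 60


class PasswordResetStore:
    """Tracks outstanding reset tokens by the SHA-256 of the token.

    Only the digest is kept, so a leaked table cannot be replayed into the
    reset endpoint. The clock is injectable so expiry can be exercised
    without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # token digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Create a token for user_id and return it for the emailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token):
        """Return the user_id if the token is valid, else None.

        The entry is removed on first use whether or not it has expired,
        so a token can never be replayed.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id


def build_reset_link(base_url, token):
    """Link to place in the 'Lost Your Password?' email (URL shape is illustrative)."""
    return f"{base_url}/reset?token={token}"


def demo():
    """Walk through issue, use, replay and expiry; returns the observed outcomes."""
    now = [1_700_000_000.0]  # constructed fake clock so expiry is deterministic
    store = PasswordResetStore(clock=lambda: now[0])

    token = store.issue("alice")
    first = store.redeem(token)            # "alice"
    replay = store.redeem(token)           # None: single use

    stale = store.issue("bob")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem(stale)          # None: too old

    bogus = store.redeem(secrets.token_urlsafe(32))  # None: never issued
    return first, replay, expired, bogus


if __name__ == "__main__":
    print(demo())
```

The point of hashing the stored token is the same as hashing stored passwords: the database should never hold anything that lets a reader log in as the user. The link is the only place the clear token exists, and it dies on first use.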

His Case Study Does Not Reflect Real Life

My biggest problem with his recent article is his belief that dropping the mask will not hurt security. His sample argument is that a snoop at your shoulder doesn’t need to watch the screen as you type; they can just watch where your fingers hit the keys. Here is a quote from his site that makes me cringe.

More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

Must be nice to have a cozy office to yourself. Here is a rebuttal to that comment from my own experience. If you are like me and many others, you use your browser’s feature to remember your user names and passwords; it makes logging in easy. If so, a quick visit to a favorite login page shows your password already filled in, but masked, meaning nobody can read it off the screen. It is masked to protect you.

It is not masked to protect against the snoop looking over my shoulder, as Jakob suggests, though it helps there too. It is masked to protect me from the snoop who looks at my computer when I am not there. If you walk away from your desk after opening a login page (had to go to the bathroom quick!) on a site that does not mask passwords, your password is exposed to anyone who takes a peek at your screen. Think your boss has ever been to your desk when you were not there? I hope it’s just your boss, and that they are nice to you. One caveat: the mask defends against a glance, not against someone with a minute at your keyboard, who can still reveal a saved password through the browser’s developer tools or its saved-passwords list, so lock your screen when you step away.

Even if your browser does not remember passwords, the problem can still occur: you may have typed the password and left your desk without hitting submit.

Peace of Mind

Another argument I think Jakob missed altogether is the users who feel a site is not secure because it does not mask the password field. You may lose a few users because it is too hard to type their password, but how many do you stand to lose because they feel your site is not secure? Would you use a banking site that does not mask the password field? I would hope a bank takes every security measure possible.

Don’t Stop Password Masking

I hope none of you webmasters jump on Jakob’s advice, and that you keep masking the password fields on your forms. It’s what users expect (an argument Jakob’s article also mentions), it maintains security, and it at least maintains peace of mind for some.

  6 Responses to “Is Jakob Missing Something About Form Security?”

  1. As an educator, I appreciate masked logins as I often open applications while my screen is projected onto a large screen with a room full of students ‘looking over my shoulder.’ Students should not have a chance to record my passwords or other information and later log in as me.

    • Wow! That would be bad…I had another subscriber to BWI Tweet me a message saying he is often on a plane, and that is a major concern of his. I really think Jakob messed up on that one.

  2. I thought the same thing about his use case. It’s actually kinda sad that a guy known for usability and knowing the users (and how to go about knowing your user) makes a faux pas like that: Everyone has their own computer, and their own office, with no possible way to have someone look over their shoulders!

    It makes me wonder if he made up the original problem he’s suggesting a fix for: are masked passwords really causing a problem? Or is it remembering passwords themselves that’s the problem? Masked passwords imply typos, really.

  3. [...] Is Jakob Missing Something About Form Security? [...]

  4. Security “guru” Bruce Schneier now admits he was “probably” wrong when he initially agreed with Nielsen.
