Thursday, June 25, 2009

Jakob Nielsen says "Stop Password Masking"

Usability advocate Jakob Nielsen's latest Alertbox recommends that you "Stop Password Masking" when creating systems that require passwords.

The Summary:

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.

Jakob's stuff is always food for thought, and it's hard to argue with his points about feedback, but in an education or library environment I can't imagine it would be a good thing. Simple situations, like showing a web application in a training room, would be like broadcasting your login details without some fancy data projector footwork, especially in our environment, where we are the antithesis of single sign-on.

He suggests that for situations like the one above there be a checkbox offering to mask the password, which I think would decrease usability with clutter.
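For readers who want to see what the checkbox approach looks like in practice, here is an added example (not code from the post or from Nielsen's article) of a login field that stays masked by default and is only revealed while the user explicitly ticks a "Show password" box. The element ids `pw` and `reveal` and the function names are my own; the state logic is kept separate from the DOM so it can be exercised without a browser.

```javascript
// Added example: masked-by-default password field with an opt-in reveal control.
// Works on a real <input> element or any object with a `type` property.
function setMasked(field, masked) {
  field.type = masked ? "password" : "text";
  return field.type;
}

// The checkbox only unmasks while it is ticked; masked remains the default,
// which is what matters in a shared setting such as a training room.
function onRevealToggle(field, checked) {
  return setMasked(field, !checked);
}

// Markup for the two controls. autocomplete="current-password" is a standard
// value that lets password managers fill the field whether or not it is masked.
function renderLoginFields() {
  return [
    '<label>Password <input id="pw" type="password" autocomplete="current-password"></label>',
    '<label><input id="reveal" type="checkbox"> Show password</label>',
  ].join("\n");
}

// Browser glue: wire the checkbox to the field. Returns false when there is
// no document (e.g. under Node) so the module still loads for testing.
function attachToDom(doc) {
  if (!doc) return false;
  const pw = doc.getElementById("pw");
  const reveal = doc.getElementById("reveal");
  if (!pw || !reveal) return false;
  reveal.addEventListener("change", () => onRevealToggle(pw, reveal.checked));
  return true;
}

attachToDom(typeof document !== "undefined" ? document : null);
```

Whether the extra control is worth the clutter is exactly the question the post raises; the example only shows that, if it is used, the safe default is masked and the reveal is a deliberate, per-login choice rather than a persistent setting.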

His call to abandon legacy design is, to me, a case of carefully chosen words to slant meaning. If he had said abandon convention, it would have been much less convincing. Masked passwords aren't just a web thing: ATMs and EFTPOS use them, as have computers since before ARPANET.

We do have students who get their passwords wrong, and with increasingly stringent rules about passwords containing upper and lower case, punctuation and numeric characters, this isn't going to get better unless we change our whole approach to authentication.

One option is card readers with PINs. Many government departments use this method (one I know of allows staff to travel to any other office in the country, place their card in the reader of any computer, enter their PIN and get their Windows profile AND their phone number).

If banks (and customers) think the card/PIN method is secure enough for financial transactions, that suggests it's secure enough for our needs.