I’ve just read an article arguing that password masking isn’t worth the effort, even detrimental. I’m not sure where I stand on this, so let’s work through it together.
——————————————————————————————————————-
“Jakob Nielsen, Ph.D., is a User Advocate and principal of the Nielsen Norman Group which he co-founded with Dr. Donald A. Norman (former VP of research at Apple Computer). Before starting NNG in 1998 he was a Sun Microsystems Distinguished Engineer.Dr. Nielsen founded the “discount usability engineering” movement for fast and cheap improvements of user interfaces and has invented several usability methods, including heuristic evaluation. He holds 79 United States patents, mainly on ways of making the Internet easier to use.”
As you can see by Dr. Nielsen’s accreditation, his mentioning that using password masking is a bad idea isn’t something to be taken lightly.
Why mask passwords?
Until I read the article, I considered masking passwords to be a no-brainer for the following reasons:
- Masking passwords were the logical outcome of being concerned about people stealing passwords by visually observing the password being entered.
- Auto-complete is a bad idea period, but masking helps prevent someone from seeing previous passwords that have the same first few characters. This is of special concern when the computer has multiple users.
- Masking passwords is required by some regulatory bodies in order to gain their approval. Also a company’s security policy may require masking any time a password is entered.
Through his research, Nielsen has come to the conclusion that using nondescript bullets to cover up password characters violates an important usability principle, that of providing sensory feedback. To back up his claim, Nielsen provides some additional detail:
- Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business.
- The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.
I didn’t see any reference to studies verifying either of the above theories, still both appear to have merit.
Using portable devices
I do agree with Nielsen about how masking passwords on mobile devices is a real pain. As proof, I know associates that do exactly as Nielsen mentioned above. They dumb-down the password just so it’s easy to enter. Not a smart thing to do when visiting important Web sites such as a banking portal.
Another viewpoint
Jason Montgomery, a security expert with SANS presented a different viewpoint in this blog post. As a security aficionado, I was interested in his reply to something Nielsen had written. I quoted it earlier, so here’s a recap of the part being referred to:
“Typically, masking passwords doesn’t even increase security, but it does cost you business due to log in failures.”
“Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there’s a tension between security and usability, sometimes security should win.”
Sounds like it might work, what do you think? Does it cover all possibilities? When do we know if we’re safe enough to lower security standards for increased usability?
No comments:
Post a Comment