Industry Bits

Bytes from System iNEWS editors

July 6, 2009

Clear-Text Passwords on Web Forms: Is there a happy medium between security and usability?

Web usability guru Jakob Nielsen's June 23 Alertbox article advocates stopping the use of masked passwords on websites. A masked password field is one in which each character you type is replaced on screen by a bullet or an asterisk.

I agree with Nielsen's assertion that most of the time when we're typing in passwords, we're sitting alone in our offices anyway. Who's lurking over our shoulders to watch? It would be a great leap forward in usability to be able to see the password as we type it, and it would probably encourage people to choose longer, stronger passwords, as Nielsen mentions. Of course, I'm assuming that Nielsen is referring only to showing the password in clear text while it is being typed. Masking changes nothing but what appears on screen: the browser submits the same password either way, so the form must still be served and submitted over HTTPS (SSL/TLS) to protect it in transit between the browser and the web server.

[Image: Masked Password Entry]

Over the weekend, I was at a bookstore and found a book that I wanted to put on hold at my local library rather than purchase it. My husband handed me his iPhone and I surfed to our library website, found the book in the online catalog, and proceeded to place a hold. To place a hold, the library website requires you to enter your last name and, as the "password," your 14-digit library card number. As I fumbled with the iPhone's "touch" keyboard to type in 14 digits, I recalled Nielsen's article and thought, "Good point!" The iPhone offers the best of both worlds, in a way, because, for just a moment, it does show the actual character that you typed in the password field before it turns into a bullet. However, I was so busy hunting and pecking the numbers that I didn't even notice that handy feature until my husband pointed it out to me and I took my gaze off the keyboard to look at the password field. Even so, I mistyped the password the first time. It took two laborious tries to get it right.

So we have two possibilities for a happy medium when it comes to the question of making password fields more friendly: the momentary display of the actual character typed (such as the iPhone and possibly other devices offer), and Nielsen's suggestion: "Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win."
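Here is what those two options look like in browser code. This is an added example, not code from the original post, from Nielsen's article, or from the library site: option 1 is the "Show password" checkbox that toggles the native field between masked and plain text, and option 2 is the iPhone-style momentary reveal, where the real value is kept in JavaScript and copied to a hidden input while the visible field shows bullets plus, briefly, the last character typed. The function names and the element ids (`pw-visible`, `pw-real`, `pw-show`) are this example's own assumptions, and the keyboard handling uses `KeyboardEvent.key`, so it assumes a current browser.

```javascript
// Added example: client-side logic for the two "happy medium" options.
// (1) a "Show password" checkbox that toggles masking, and (2) iPhone-style
// momentary reveal of the most recently typed character. The pure functions
// hold the state; the DOM wiring at the bottom only runs in a browser.
// Names (createState, applyKey, display, toggleMask, attach) and element ids
// are this example's own assumptions, not anything from the original page.

const BULLET = '\u2022';

// Option 1: toggle the native field between masked and plain text.
// Caveat: IE8 and earlier will not let you change `type` on an input that is
// already in the document; there you must replace the element instead.
function toggleMask(input, showPlain) {
  input.type = showPlain ? 'text' : 'password';
  return input.type;
}

// Per Nielsen: default to masked on high-risk sites, unmasked elsewhere.
function maskByDefault(highRisk) {
  return Boolean(highRisk);
}

// Option 2: momentary reveal. The real value never touches the visible
// field; it lives in this state object and is copied to a hidden input.
function createState(revealMs = 1000) {
  return { value: '', lastKeyAt: -Infinity, revealMs };
}

// Apply one keystroke at time `now` (ms). Returns a new state; the old one
// is not mutated. Modifier/navigation keys (length > 1) are ignored.
function applyKey(state, key, now) {
  if (key === 'Backspace') {
    // Deleting never reveals anything, so clear the reveal timestamp.
    return { ...state, value: state.value.slice(0, -1), lastKeyAt: -Infinity };
  }
  if (key.length !== 1) return state;
  return { ...state, value: state.value + key, lastKeyAt: now };
}

// Text the visible field should show at time `now`: bullets, with the last
// character in the clear only while it is younger than revealMs.
function display(state, now, showPlain = false) {
  if (showPlain) return state.value;
  const n = state.value.length;
  if (n === 0) return '';
  const revealLast = now - state.lastKeyAt < state.revealMs;
  return revealLast
    ? BULLET.repeat(n - 1) + state.value[n - 1]
    : BULLET.repeat(n);
}

// Browser wiring. `visible` is a type="text" input with no `name` (so it is
// never submitted) and autocomplete="off"; `hidden` is the input that
// carries the real password in the POST. Masking is display-only: the form
// must still be served and submitted over HTTPS.
function attach(visible, hidden, showPlainBox, revealMs = 1000) {
  let state = createState(revealMs);
  let timer = null;
  const refresh = () => {
    visible.value = display(state, Date.now(), showPlainBox.checked);
    hidden.value = state.value;
  };
  visible.addEventListener('keydown', (e) => {
    if (e.ctrlKey || e.metaKey || e.altKey) return;   // leave shortcuts alone
    if (e.key.length !== 1 && e.key !== 'Backspace') return;
    e.preventDefault();                                // we render the field ourselves
    state = applyKey(state, e.key, Date.now());
    refresh();
    clearTimeout(timer);
    timer = setTimeout(refresh, revealMs);             // re-mask the last char later
  });
  visible.addEventListener('paste', (e) => e.preventDefault()); // paste not handled here
  showPlainBox.addEventListener('change', refresh);
  refresh();
}

if (typeof document !== 'undefined') {
  const pw = document.getElementById('pw-visible');
  const real = document.getElementById('pw-real');
  const box = document.getElementById('pw-show');
  if (pw && real && box) {
    box.checked = !maskByDefault(true); // bank-style site: masked by default
    attach(pw, real, box);
  }
}
```

Two caveats worth keeping in mind when using either option: the momentary reveal still exposes one character at a time to anyone watching the screen, so it is a usability aid rather than a shoulder-surfing defence, and neither option changes what goes over the wire, which is why the HTTPS requirement stands regardless of how the field is drawn.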

Anyway, just something to think about as you design web pages for your company. Who's going to be the first to make the password field clear text? I wonder how many users will initially freak out and abandon the form, thinking, "Something isn't right here!" How's that for usability? ;-)

Linda Harty, executive editor & availability/security/networking/connectivity editor

Posted by lharty at July 6, 2009 1:41 PM
