While it may be a common security feature, masking passwords as users type them in may be causing login problems and lost business for websites, according to Jakob Nielsen.

Nielsen also argues that this isn't even necessary as a security feature, since users aren't normally being watched over the shoulder when typing in passwords, while a determined snooper can simply watch your keystrokes anyway. I have my doubts though...


The drawbacks of password masking as outlined by Nielsen are:

Greater risk of user errors: without the visual feedback of seeing the characters on the screen as they type, users are more likely to make data-entry mistakes, which could lead to them giving up altogether and leaving the site, thus leading to lost sales.

Making users choose simple passwords: Nielsen suggests that users are more likely to choose easy-to-guess and therefore less secure passwords, or to copy and paste from a file on their computer, leading to a loss of security.

I agree that there is a risk in terms of lost sales from users forgetting or incorrectly typing passwords in, but I imagine most people would at least try to enter the password again with more care, and most will probably succeed. If they don't, that's what password reset options are for.

Most of the risk of lost business from passwords comes from the fact that web users now have so many passwords for different sites and services that they are liable to forget them from time to time.

This is more of an argument for doing away with compulsory registration on e-commerce sites, as forgotten passwords and the consequent user frustration can have an effect on abandonment rates.

He also recommends providing a checkbox to give users the option of password masking when they are in a more public place, for instance, though I'm not sure it's wise to clutter up web forms with extra checkboxes.

Many people are using computers in crowded offices, on trains, in internet cafes etc., and since masking is the convention, they will expect their passwords to be concealed. If errors in password entry are an issue, then displaying the character typed briefly before masking it, as on the iPhone, may be a much better option.
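To make the two softer alternatives concrete (an opt-in checkbox that reveals the password, and the iPhone-style brief reveal of the last typed character before it is masked), here is an added JavaScript example. It is not code from the original post or from Nielsen's article; the names PasswordField, maskForDisplay and attach, and the 1000 ms reveal window, are choices made here. The logic is written so it runs under Node as well as in a browser; only the DOM wiring at the end needs a page.

```javascript
// Added example, not code from the original post: an opt-in "show password"
// toggle (off by default) and the brief reveal of the last typed character.
// PasswordField, maskForDisplay, attach and the 1000 ms window are assumptions
// made here, not values from the article. Runs under Node; the DOM wiring at
// the bottom only executes in a browser.

const MASK_CHAR = '\u2022';   // the bullet browsers draw for masked input
const REVEAL_MS = 1000;       // how long the last typed character stays readable

// Render the secret for the screen: every character masked except, while
// `revealLast` is true, the most recently typed one.
function maskForDisplay(secret, revealLast) {
  if (secret.length === 0) return '';
  const hidden = MASK_CHAR.repeat(secret.length - 1);
  return hidden + (revealLast ? secret[secret.length - 1] : MASK_CHAR);
}

// Holds the real password and exposes only a rendering of it. The clock is
// injected (Date.now in real use) so the timing can be checked without a browser.
class PasswordField {
  constructor(now = Date.now) {
    this.now = now;
    this.secret = '';
    this.lastKeyAt = -Infinity;   // nothing typed yet: mask everything
    this.showPlain = false;       // the opt-in checkbox, unchecked by default
  }
  type(ch) { this.secret += ch; this.lastKeyAt = this.now(); }
  // After a deletion nothing is revealed, so the character that becomes the
  // new tail is never shown.
  backspace() { this.secret = this.secret.slice(0, -1); this.lastKeyAt = -Infinity; }
  setShowPlain(on) { this.showPlain = Boolean(on); }
  value() { return this.secret; }   // what is submitted; never read the rendering back
  render() {
    if (this.showPlain) return this.secret;
    const recent = this.now() - this.lastKeyAt < REVEAL_MS;
    return maskForDisplay(this.secret, recent);
  }
}

// Browser wiring. Two design points: the reveal state is never persisted, and
// the form submits field.value(), because the visible input holds only dots.
// (A plain <input type="password"> with a checkbox that flips its `type`
// between "password" and "text" is the simpler variant; it keeps native
// password-manager support, which this custom rendering gives up.)
function attach(form, input, checkbox, field) {
  if (typeof document === 'undefined') return false;   // not in a browser
  const repaint = () => { input.value = field.render(); };
  input.addEventListener('keydown', (e) => {
    if (e.ctrlKey || e.metaKey || e.altKey) return;     // leave shortcuts alone
    if (e.key === 'Backspace') field.backspace();
    else if (e.key.length === 1) field.type(e.key);
    else return;
    e.preventDefault();
    repaint();
  });
  checkbox.addEventListener('change', () => { field.setShowPlain(checkbox.checked); repaint(); });
  form.addEventListener('submit', () => { input.value = field.value(); });
  setInterval(repaint, 200);   // re-mask the last character once REVEAL_MS has passed
  return true;
}
```

The brief-reveal variant has to re-implement the field on top of a plain text input, so paste, IME composition and password-manager autofill all need separate handling; that is the practical argument for the checkbox variant, which only flips the native input's type and stays unchecked unless the user asks.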

On this occasion, Nielsen's argument seems a little weak to me, and since there is no user testing or other data to back these points up, I remain sceptical.

Graham Charlton

Published 25 June, 2009 by Graham Charlton

Graham Charlton is the former Editor-in-Chief at Econsultancy.


Comments (8)


Colin Watson, Director at Watson Hall Ltd

I agree with you Graham, this is poor general advice.  There will certainly be times when allowing a user to see what they are typing could be an allowable risk, but it's still a risk.  One way is to allow the riskier behaviour on a limited set of IP addresses (such as on an internal network or on a safe home computer), but this is difficult without static IP addresses.

Removing the requirement to log in, as you mention, is a much better way, saving authentication for access to more sensitive information.

Allowing the use of pass phrases (sentences with spaces) can allow much more complex, but easier to remember, login credentials.  There are also many other important issues with the design of login (authentication) and access control (authorisation) which are often designed inadequately, such as local caching, failure to use SSL (https...), having remember-me functionality, weak password reset/recovery or change password mechanisms.

But it comes down to the value of the information and the risks perceived by the user and the website owner.  Generalisms about "legacy design" don't apply here.

about 9 years ago



What a great article.... keep up the very good work.

about 9 years ago



It's all a matter of managing risk. Some applications and web sites now give the user the choice to reveal the password or hide it. Give me a choice and let me manage my own risk. I'm all grown up now and am responsible for my own security.

about 9 years ago


David Iwanow, SEO Product Manager at Marktplaats.nl

Great point, if someone wants to get your passwords they can use keystroke loggers so the only person that has your password is them.  There are also concerns with older browser software, so make sure you update your browser to the latest version.

Masking user passwords is annoying because often your browser remembers the password, but if you need to use another PC it can cause issues as you can't just write it down.

There are open source password desktop and online portals for your passwords, but these are often overkill for many people; my advice is to look into one, as they are a stress-free way to remember login URLs, usernames and passwords.  They often have the ability to generate various types of password suitable for all uses.

So don't be lazy and use easy passwords; it is easy to have a different password for each blog/email/website that you visit if you want.  Use either an iPhone application to generate them or a quality password safe software and it will make your online experience more enjoyable.

The Lost Press

about 9 years ago


Mark Crowley

I agree Graham.

My Nokia E51 also has the iPhone-like feature of briefly showing the typed character before masking it - the ideal solution in my opinion.

One other reason for keeping masking is that many people save passwords in their browsers (I do in Firefox, with password protection of the list). For those who use the same password on many sites, it would be a security risk for a password to be displayed on a login form to a non-critical site that could also be used on a secure site.

about 9 years ago


Craig Sullivan, Customer Experience Manager at Belron International


The security issue is moot since many sites now offer 'remember me' by default.  Try visiting your friends' house, look at their history file and see how easy it is to add items to their baskets and checkout on these sites!

Much better to reduce the need for authentication except when dealing with changing or activating secure information (email, login, payment etc.).  Amazon do this well, only requiring me to log in when I checkout, for example.

If you look at the layered solutions that banks use, there are often nested levels of security for different actions.

I don't think showing passwords is a good idea btw and so disagree with Nielsen - it may not be perfect usability but trust and security are parts of the equation too.  I'd have less trust in a site if my password was in the clear on-screen.

Increasing conversion often means balancing a number of often conflicting desires and this issue is a good example.


about 9 years ago


Colin Watson, Director at Watson Hall Ltd

Graham - I totally agree with all your points.

"Remember me" adds all kinds of dangers and is often poorly thought-through and poorly implemented.

about 9 years ago



Since Nielsen doesn't take any feedback from readers, I guess your comments will have to take the brunt of it:  I like him, and he is usually brilliant, but this is just an awful idea.  Maybe most of the time the user isn't being watched from over their shoulder, but every time they are, they can expose their password to anyone looking at their screen.  I'm not worried about the hacker staring at my keyboard, I'm worried about the coworker whom I'm logging into a site he shouldn't know the credentials for.  Having a "show characters" checkbox, disabled by default, is the real correct move.

Jakob worships at the altar of usability, and he seems to have forgotten the gods of security and common sense on this one.

about 9 years ago
