While it may be a common security feature, masking passwords as users type them in may be causing login problems and lost business for websites, according to Jakob Nielsen.
Nielsen also argues that this isn’t even necessary as a security feature, since users aren’t normally overlooked when typing in passwords, while a determined snooper can simply watch your keystrokes anyway. I have my doubts though…
The drawbacks of password masking as outlined by Nielsen are:
Greater risk of user errors: without the visual feedback of seeing the characters on the screen as they type, users are more likely to make data-entry mistakes which could leave to them giving up altogether and leaving the site, thus leading to lost sales.
Making users choose simple passwords: Nielsen suggests that users are more likely to choose easy to guess and therefore less secure passwords, or copy and paste from a file on their computer, leading to a loss of security.
I agree that there is a risk in terms of lost sales from users forgetting or incorrectly typing passwords in, but I imagine most people would at least try to enter the password again with more care, and most will probably succeed. If they don’t, that’s what password reset options are for.
Most of the risk of lost business from passwords comes from the fact that web users now have so many passwords for different sites and services that they are liable to forget them from time to time.
This is more of an argument for doing away with compulsory registration on e-commerce sites, as forgotten passwords and the consequent user frustration can have an effect on abandonment rates.
He also recommends providing a checkbox to give users the option of password masking when they are in a more public for instance, though I’m not sure it’s wise to clutter up web forms with extra checkboxes.
Many people are using computers in crowded office, on trains, internet cafes etc, and since masking is the convention, they will be expecting and their passwords to be concealed. If errors in password entry are an issue, then displaying the character typed briefly before masking it, as on the iPhone, may be a much better option.
On this occasion, Nielsen’s argument seems a little weak to me, and since there are no user testing or other stats to back these points up, I remain sceptical.