Chris Kite Programming, Computer Security, Etc.

Terrible Password Security Advice From Jakob Nielsen

06.23.2009 · Posted in Passwords, Security, Web Applications

Jakob Nielsen today wrote an article calling for all log-in forms to display passwords in plaintext, rather than masking them with bullets or stars. He argues that this increases usability (users feel more confident because they can see their password as they type it), and also increases security (a more confident user will choose stronger passwords!).

I find this advice really strange. In all the password-related research studies I’ve read, and in all my conversations with computer users, I don’t think I’ve once heard someone complain that they are worried about typos in their password. People will complain at length about forgetting what their password is in the first place, and this is why most choose overly simple passwords, or just write them down.

It seems like Nielsen has invented a problem where none exists. Nonetheless, he recommends that websites stop masking users’ passwords as they are entered. This whole viewpoint is wrong for a number of reasons:

  1. Nielsen claims that password masking is only done today because “it was the default in the Web’s early days”. In fact, it has been the default as long as computers have used passwords as an authentication mechanism. And it’s the default for a good reason: it complicates shoulder-surfing attacks with a minimal impact on usability.
  2. He also argues that displaying passwords in plaintext will increase a user’s confidence, leading to increased security because the user will choose a longer password. However, in a past article, Nielsen also claimed it is a lie that “long passwords are more secure than short ones”, and declared unequivocally that “users write down their passwords”. You can’t have it both ways, Jakob.
  3. For a log-in form to display the password in the clear is not the expected system behavior, and this is bad for usability. Nielsen suggests that a site could provide a check-box to enable password masking. Having to click a button to get the desired default behavior is also terrible for usability.

Perhaps the most egregious error in all the article is this gem:

More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

In the real world, people work in open offices, log in to websites during presentations, browse the web with their significant others, and expect websites to respect their privacy. But I will concede that in Jakob Nielsen’s private office, on the penthouse floor of his ivory tower, password masking is probably useless.

81 Responses to “Terrible Password Security Advice From Jakob Nielsen”

  1. It is clear from your article you have no experience supporting users. I support over 5000 occasional users of an enterprise software product.

    I can tell you that before our self-service password reset system, over 75% of all calls were login related. For the most part people can not remember their passwords (41%) but the remaining 59% are users who know their passwords but can’t type them accurately into the password field. After 3 wrong attempts their account is locked out for 30 minutes.

    I unlock their accounts, and ask them to type their password into Notepad, and paste it into the password field. Around 75% of the time this works without having to reset their password. This is because our password policy is very complex:

    8+ Characters
    Can’t contain any word found in English dictionary
    Password must contain 3 of the following 4 character types:
    – Capital letter
    – Lower case letter
    – Number
    – Non-alphanumeric character.
    And it may not contain any part of your name.

    Thus creating valid passwords is not an easy task. When they ARE successful, the password is hard to type, and mistakes are legion.

    The INSTANT any of these users types into Notepad, they immediately say “Oh, I was getting the capital letter wrong”.

    During my studies I once spent around 100 hours conducting research about web and Internet security. One of the questions I asked was “How concerned are you that someone might see you typing a password at your computer?” Of the 5 possible answers, less than 3% expressed any concern at all, and less than 1% expressed anything more than mild concern.

    In truth, shoulder surfers have learned to read your keyboard, so they know what you’re typing even if the password itself is masked.

    Also, truthfully, if you are logging in to a sensitive site with someone looking over your shoulder then you are a fucking moron.

    Nielsen is generally right, and in this article he is *mostly* right.

    I believe that logins *should* be in unmasked format, except where there is a chance it may be seen. Two options exist:

    1) reveal the password unmasked by default, and offer a checkbox which masks it if the user is at all concerned.

    2) Mask the password by default, but if the first attempt is wrong, unmask it for the second attempt, but leave the option to mask it there.

    The main reason why masked passwords fail far more frequently now is that retarded security peeps (whose only mission in life is to justify their own jobs, and make users’ lives miserable) insist that stronger password rules increase security.

    This is complete and utter bullshit. Demonstrably.

    As soon as we were forced (by SAS70 certification) to increase our password strength policy, support calls for failed logins increased by nearly 30% immediately.

    On top of the bullshit about the password-strength-is-key lie, there exist human beings. Humans can’t remember esoteric bullshit forced on them by artificially complex rules. SO THEY WRITE THE FUCKING THINGS DOWN!

    Thus, the effect of increasing password policy strength has the single effect of lowering access, increasing pain and confusion (and costs) and ruining security completely by compromising the very thing the policy is designed to protect.

    IT departments have yet to figure this out. Or they don’t care, because otherwise they wouldn’t have a job.

    The same can be said for expiring passwords. Every study has shown this to decrease security, and increase hassle.

    So, in summation, frankly, you do not have a single clue what you are talking about.

  3. However, by looking at your password, you might see that it is really non-secure and put a better one.. say you see: ******, you feel secure.. now, you see 123456.. you know it sucks.

  4. I definitely agree with your three points, and his article is a bit flawed. But for your third point about the checkbox, he says: “for high-risk applications, such as bank accounts, you might even check this box by default.” That would be the expected behavior, I think. Maybe the checkbox should be checked by default in all applications, allowing users to look at their passwords in plaintext if they want to, while keeping their desired default behavior.

  5. I use a random 32+ char password.

    I’m glad OS X usually gives me the option to disable password masking, because I frequently type it in wrong.

    Jakob is close to the mark, but I think that all password fields should have a checkbox to *disable* password masking. Masking should still be the default.

  6. I’m sure someone would figure out how to code a login form with three input fields:
    1. Username
    2. Unmasked password
    3. Masked password
    and an Enter button (or OK or LOGIN or similar). Add an explaining sentence to the password fields, and no one needs a checkbox. Can’t be that hard, right?

  7. He doesn’t know what he’s talking about?

    Situation number 1:
    Professor starts presentation on a projector. Some students that always come to class late arrive, so professor decides to log in to the university website to enter attendance. Professor logs into the website and students see his/her password.

    Situation number 2:
    Worker A goes to worker B’s cubicle, and asks him to let him use his computer to check his email since his is acting up. Worker B sits down and logs into the webmail interface while worker A sees B’s password in plaintext on screen.

    Situation number 3:
    I go to Mobius’s workstation and ask to use his computer. He allows me and I browse to his bank of choice’s website and… voila, his password is already there in the box since he clicked on remember password.

    A checkmark a good idea? Right because the moronic user that always gets his password wrong will use it ALL THE TIME and eventually someone will notice his password while walking behind him.

    My point? It’s not Chris’s fault you support over 5000 morons with IQ’s lower than 100. The reality is that while plaintext passwords AND a checkbox to hide/show passwords would make an application slightly more usable, the decrease in security is of such magnitude that it borders on extremely dangerous in applications in the fields of research, finance, science, and any other field where critical control over security and identity recognition are of great importance.

    “How concerned are you that someone might see you typing a password at your computer?”
    You’re asking them how concerned they are, not taking into account the fact that their opinion makes no impact on the real security issue at hand. It doesn’t matter if 3% are scared someone will see their password and see password masking as a nuisance. It does matter that not masking the passwords makes 100% of your users more prone to password stealing and even, god forbid, identity theft.

    Your answer is to sacrifice security by a degree of mammoth proportions, to make your users more… comfortable? There’s a reason for the existence of protocol in law enforcement, government, research, schooling, industrial, enterprise, etc… situations and procedures. Sure they might make everything more complicated, bothersome and of extended duration, but not following or adhering to such protocol invites chaos, mistakes, wrongdoings and misunderstandings. Having said that let me assure you that having masked passwords is part of the protocol required in the desktop, server and web applications field. Also, users might write their passwords down (which of course is another security breach waiting to explode); but although human error is mostly beyond the control of an application architect, we still must thrive to make the little we do have control over as protected, and safe, as possible for the benefit of our users. Even though they might not like it.

    I’ve worked as a senior lead application (both web based and infrastructure) developer for a mainstream E-commerce service provider, a chief software architect for a major player in the custom portal application business, a contractor in data analysis and security for my government, and currently I’m on retainer as a consultant for my country’s biggest bank as a senior software architect, where I’ve been called in for tasks from auditing their network and software, to implementing increased security in both their end user applications and in-house systems. And my advice to each and every one that has to deal with security in software is this: “I would happily prefer a few disgruntled customers and increased costs for end user support, than having to deal with lawsuits originating from the lack of security in my applications.”

    So, in summation, this whole “let’s de-mask passwords” thing is nothing more than sensationalist bullshit written to create polemic and lead to traffic. Oh and you sir, Mobius, have not a single clue what you are talking about.

  8. All Jakob Nielsen articles have in common one subject: Real information collected from experience with the users.

    Many times I’ve read things like “X thing confuses the user” and didn’t believe it until I actually checked with a less tech-savvy user.

    I’m not saying “If Jakob says it, it must be true”, but… did you actually check that the users don’t get confused by *** instead of their password? I’ve done some testing and I found that yes, the users of my programs/sites tend to be confused by that so common behaviour.

  9. Oh, and a small addition: I do believe that a better way would be leveraging a technology such as RFID, but we’re still years away from using cutting edge identification systems for identity recognition outside of the governmental and enterprise applications. In the meantime we must protect the users from themselves and from others with intentions of wrongdoings, therefore using masked passwords.

  10. Seriously, if you can’t remember your damn password, if your fingers are too damn fat to type it in correctly one of three times: 1> don’t use computers 2> don’t work in any field where you have to push buttons, not even the ones that require a telephone 3> are you fucking serious?

    Incompetence is getting old, if you call more than once to ever fix your password for a reason like this your ass should be fired.

    Hell no wonder why people get replaced by offshore resources.

  11. I don’t know what all the fuss is about as there’s an easy solution. Make your password ********

  12. I agree completely with James and Chris. Sure, it’s a usability issue – but that’s the only thing Mr. Nielsen cares about (or is in fact an expert on). There are times when usability needs to take a backseat to security. I’m more than willing to trade in the small time lost in mistyping a password a few times than the ramifications of identity theft or the threat of having my systems compromised by the oldest and best form of hack: social engineering.

    In all honesty, we should be glad the asterisk is the standard instead of the unix login where the cursor doesn’t move at all! There are hundreds of ways to make your login forms more accessible and usable without sacrificing good, common-sense security. Mr. Nielsen should stick to what he knows best – I’m willing to bet an enterprising hacker would find Jakob’s bank account very usable if Nielsen’s suggestions were taken to heart!

  13. I read Nielsen’s article. I never thought someone could disagree with it.

    Here are the occasions where I personally had problems with the lack of feedback. I am a computer scientist and I use strong passwords. Also I was able to diagnose the problem, whereas a non-specialist could have been completely stuck by any of the following:
    * capslock activated
    * numlock deactivated
    * UK qwerty instead of US qwerty
    * qwerty instead of azerty
    * unreliable keyboard (it happens)

    In the huge majority of cases (unless you are using a video projector) someone who could read your password from your screen could read it from the keys you type on the keyboard. I already do not let someone look over my shoulder at the ATM, so it wouldn’t change anything for me if the ATM displayed my code, except that it would be more usable.

  14. It’s an interesting issue. Personally I like the *nix shell logins which display nothing as you type your pass, and mine vary from 8 chars to 34. Though it does seem like users in general would benefit from this.

    I still believe it’s a security issue though, and it might lead to really boneheaded ideas in the name of usability like storing the passwords in plaintext on the server. They click forgot password, it emails it to them, instead of emailing them a link which takes them to a page which generates a new random password and either displays it or emails it…

  15. Having

    (1) identity built into the OS (or some webservice) and having all apps/websites be able to consult that directly
    (2) having something other than passwords for authentication

    would solve this. We just need the specifics..

    I type my password(s) 10s of times a day – it’s a complete waste of time. I just need to
    (a) demonstrate it’s me
    (b) have zones of importance – anything not important (reddit, stackoverflow) can just be automatic. Anything rarer/important (online banking) can go to the hassle of a second level of checking.

    We’ll get there, I’m sure

  16. What about a feature for HTML, or a JS solution, that would allow a configurable amount of plain-text “follow” when typing into a password field… for example:

    Then, when I type in my password, it will show your password as stars, but with the last ‘follow’ number of characters in plain-text… like:
    Follow of 1: * * * * * * * a
    Follow of 3: * * * * * tra

  17. Brian the Truth Giver says:

    Looks like all the Nielsen apologists coming out in force. People who cannot type in passwords correctly should be allowed to use computers.

  18. dullmoment says:

    I love all the comments telling the author, “I guess you never have supported the customer/users”. We can say the same for you all. These same users who have to write down their passwords will be the same ones who don’t care if someone is shoulder surfing. Also, telling us that people don’t need to shoulder surf and attackers can watch the keyboard is not good reasoning. If attackers are able to do this, why are we going to make it easier for them and not mask the passwords? A possible solution is to follow the standard of secured BlackBerry devices. If the customer has entered their password incorrectly a few times, they can type in a word that covers across the keyboard to determine if caps, num, or damaged keyboards are the possible cause. If the customers in your organization are having that much difficulty using and remembering passwords, training may be beneficial. Give them techniques and systems to create strong passwords that they can remember. Ease of use over security best practices is bad business.

  19. From AK says:

    I agree right off with the author here. Nielsen is suggesting that we re-engineer a system intended to keep all users safe in order to make it more convenient for the minority of users. I am not doubting that some users have trouble remembering and typing in passwords, however Nielsen’s answer to this problem is simply: let’s do the opposite. It’s great that Nielsen thinks being user friendly is a priority, but throwing out user security pretty much all together is just absurd.

    Please, if you want to make passwords more user friendly, then think of a NEW idea that protects users as much as it “helps” them.

    I remember reading an article a few years ago about passwords being pictures, that a user just remembers a handful of points on the photo and they log in. Someone will have to remind me the name of the project, but it seems like a relevant alternative.

    Also, I am often logging into programs and services while giving presentations or while in meetings. I doubt I am alone in this practice so suggesting that users log in while alone in an office is absurd.


  20. cop1152 says:

    How about this? I have installed software on your machine that allows me to see what you do in real time. I can gather all sorts of info, but I can’t see your passwords if they are masked.

  21. @cop1152:

    Replacing a password with *s on the screen won’t prevent other software on the computer from possibly accessing it. If you were trying to get someone’s password, you’d install software that could get the password, and it would probably be no harder than installing software that monitors what’s on the screen.

  22. Anyone remember this article from Jeff Atwood? I think it explains a pretty good use case and shows a good, accepted, and already in practice solution.

  23. Quite frankly, both of you have some points, but there is one thing I totally disagree with:

    If anyone thinks that password masking is so important because other people steal them by looking at them – THAT IS WRONG.

  24. Skeuomorph says:

    @Dylan: “a configurable amount of plain-text “follow” when typing into a password field…”

    This is how password fields work on the iPhone, so you have a momentary visual confirmation of using the correct key, without the insecurity of the whole password remaining revealed. In use it feels both natural and elegant.

  25. In my opinion, if they want to provide a way to have unmasked password fields, that’s fine, but make it the exception. Provide a masked password field and an option to turn off the masking, similar to how Apple handles logging onto wireless networks.

    Alternatively, you could also take something similar to how Apple handles password entry on the iPhone by revealing only the last typed character and then masking it on the next keystroke or after a specific time (whichever comes first).

    Either way, you get the benefit of unmasked passwords but the comfort and security of password masking.
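    The “follow” masking proposed in comment 16 and the iPhone-style reveal-then-remask plus the mask/unmask checkbox described in comments 24 and 25, written up as an added example that is not code from the post or any of its commenters. The field model is pure JavaScript so the timing can be exercised without a browser; the DOM wiring at the end is illustrative and assumes element ids pw, pw-real and show, which are this example’s own.

```javascript
// Added example: model of "follow" masking (show the trailing N characters in
// plaintext while typing), iPhone-style re-masking of the last character after
// a timeout, and a mask/unmask checkbox. Not code from the post or commenters.

const MASK_CHAR = '\u2022'; // the bullet most browsers draw in password fields

// Render `value` with every character masked except the trailing `follow` ones.
// follow = 0 is conventional masking; follow >= value.length reveals everything.
function maskWithFollow(value, follow) {
  const shown = Math.max(0, Math.min(follow, value.length));
  const hidden = value.length - shown;
  return MASK_CHAR.repeat(hidden) + value.slice(hidden);
}

class PasswordFieldModel {
  // follow:   trailing characters shown in plaintext right after a keystroke
  // revealMs: how long that plaintext tail stays visible before being re-masked
  // now:      injectable millisecond clock so the timeout is testable
  constructor({ follow = 1, revealMs = 1500, now = () => Date.now() } = {}) {
    this.follow = follow;
    this.revealMs = revealMs;
    this.now = now;
    this.value = '';        // the real secret; never rendered while masked
    this.masked = true;     // masking is the default; the checkbox turns it off
    this.lastKeyAt = -Infinity;
  }

  type(ch) { this.value += ch; this.lastKeyAt = this.now(); }
  backspace() { this.value = this.value.slice(0, -1); this.lastKeyAt = this.now(); }
  setMasked(flag) { this.masked = Boolean(flag); }

  // What the screen should show at this instant.
  display() {
    if (!this.masked) return this.value;
    const recent = this.now() - this.lastKeyAt < this.revealMs;
    return maskWithFollow(this.value, recent ? this.follow : 0);
  }
}

// Illustrative browser wiring (skipped outside a browser). Assumes a visible
// <input id="pw" type="text"> used only for display, an <input id="pw-real"
// type="hidden"> that actually carries the secret on submit, and an
// <input id="show" type="checkbox"> that disables masking while checked.
if (typeof document !== 'undefined') {
  const model = new PasswordFieldModel({ follow: 1, revealMs: 1500 });
  const view = document.getElementById('pw');
  const real = document.getElementById('pw-real');
  const show = document.getElementById('show');
  const render = () => { view.value = model.display(); real.value = model.value; };

  view.addEventListener('keydown', (e) => {
    if (e.ctrlKey || e.metaKey || e.altKey) return; // leave shortcuts alone
    if (e.key === 'Backspace') model.backspace();
    else if (e.key.length === 1) model.type(e.key);
    else return;
    e.preventDefault();                          // the display field never holds the secret
    render();
  });
  show.addEventListener('change', () => { model.setMasked(!show.checked); render(); });
  setInterval(render, 250);                      // re-masks the tail once revealMs elapses
}
```

    As written the display field is a plain text input, so paste and browser password managers bypass it; a production form would keep a real type="password" input and only flip its type attribute for the checkbox.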

  26. @William – please explain how Jakob’s bank account could be compromised just because he could now see his password as he enters it?

  27. Reading many of these comments, having an option to de-mask (the default would be to mask) where this option is never remembered, so the user would have to click the box every time, would help out many people. Working in an IT department that has to support password issues, I doubt this would hurt security. A quick look around many offices and I can see the sticky note with their passwords on it attached to their monitor, under their keyboard. A nice result of requiring complex passwords for different systems that have different password requirements and expire at different dates.

  28. Most people are not getting what the real issue is. “Regular” folks leave their stickies laying around, type their password so slowly that an attacker wouldn’t even need a special “keyboard reading ability” to learn their password, lose their passwords every couple of weeks and flood support departments. These are the same people that wouldn’t cover their screens when they log in to a website. These are the same people that would probably leave their banking website on a browser on an unlocked workstation with the credentials on it. What’s the use of a checkmark to unmask a user’s password when most of the computer illiterates (read most people that use computers) of the world are simply gonna prefer seeing their passwords on screen not caring at all that someone may access their password because of it.

    The real issue is that real users prefer to see their passwords because it’s more comfortable. They almost completely disregard security in favor of not having to check their caps lock key (which by the way is a problem easily fixed by informing the user via a decent error message that it might be turned on) or retype their passwords. These same users save their passwords on a computer and then leave it unlocked where anyone can browse their history, log into one of their accounts and then wreak havoc. We can’t protect the user from all possible cases of wrongdoing, but using masking we do our best to avoid some of those cases.

    While I’m going at it, most complaints seem to come from people that have to deal with “support”. So instead of getting 50 calls a day, you get 200 calls because of stringent password policies. And you believe that it’s a waste of time, waste of money and waste of resources. So you want unmasked passwords so half your staff gets laid off and you go back to getting only 50 calls a day, but, alas, the problem with that is that now your calls are not about resetting passwords for people that forgot them. Now you get calls about people complaining that their passwords not only do not work, but someone wrote insults on all their friends’ Facebook walls and made a banking transaction moving funds to some random account on a Cayman Islands bank.

    If you have to deal with software security you need to cover your and the user’s ass. Why are you even thinking about making security comfortable? Let’s not search for bombs in airports, let’s just let them blow stuff up. Let’s not stop and breathalyze potential drunk drivers, let them crash into schools. Let’s NOT put wet floor signs in the cereal aisle, let the old lady break her hip when she falls. Let’s not protect the users in any way, since they prefer being on their own and it’s more comfortable for them not to listen to us.

    Again, why are you even thinking about making security comfortable? It’s NOT. Get over it and do your job people… and do it correctly.

  30. Pharrisee says:

    One thing to bear in mind with Jakob Nielsen is that unless he keeps finding usability issues his income stream shrinks pretty darn quick.

  31. The checkbox to reveal the password may be a reasonable compromise for those having difficulty typing passwords, but not as the default.

    For Websites that don’t offer an option to reveal passwords (most) there are simple JavaScript solutions.

  32. Valuable thoughts and advice. I read your topic with great interest.

  33. SayWhatMobius says:

    After reading Mobius’ reply, I am left scratching my head. Yet another example of someone who thinks they have a clue, yet really don’t. I would rather support 5k users locking their accounts out due to password mistakes rather than risk just one of them compromising their account by typing a password in during a presentation or similar. Supporting locked out accounts is better than trying to deal with compromised data, especially on an enterprise level.

    That 100 hours you spent studying the web and security were wasted.

  34. Pravas R Mohanty says:

    It should be NULL or any password

  35. Pravas R Mohanty says:

    If I need a password, I can easily trap the keys by agent hooking..

  37. Well, you could let the users decide if they want their password inputs masked or not. Maybe via a checkbox that is always off (masking enabled) by default.

    Anywhoo, nice post thank you.

  38. Alex Burke says:

    If we want users to start using longer passwords, there will be more typos, and masking the PW probably doesn’t accomplish much, except guard against video signal interception from 500 feet away.
