Chris Kite Programming, Computer Security, Etc.

Terrible Password Security Advice From Jakob Nielsen

06.23.2009 · Posted in Passwords, Security, Web Applications

Jakob Nielsen today wrote an article calling for all log-in forms to display passwords in plaintext, rather than masking them with bullets or stars. He argues that this increases usability (users feel more confident because they can see their password as they type it), and also increases security (a more confident user will choose stronger passwords!).

I find this advice really strange. In all the password-related research studies I’ve read, and in all my conversations with computer users, I don’t think I’ve once heard someone complain that they are worried about typos in their password. People will complain at length about forgetting what their password is in the first place, and this is why most choose overly-simple passwords, or just write them down.

It seems like Nielsen has invented a problem where none exists. Nonetheless, he recommends that websites stop masking users’ passwords as they are entered. This whole viewpoint is wrong for a number of reasons:

  1. Nielsen claims that password masking is only done today because “it was the default in the Web’s early days”. In fact, it has been the default as long as computers have used passwords as an authentication mechanism. And it’s the default for a good reason: it complicates shoulder-surfing attacks with a minimal impact on usability.
  2. He also argues that displaying passwords in plaintext will increase a user’s confidence, leading to increased security because the user will choose a longer password. However, in a past article, Nielsen also claimed it is a lie that “long passwords are more secure than short ones”, and declared unequivocally that “users write down their passwords”. You can’t have it both ways, Jakob.
  3. For a log-in form to display the password in the clear is not the expected system behavior, and this is bad for usability. Nielsen suggests that a site could provide a check-box to enable password masking. Having to click a button to get the desired default behavior is also terrible for usability.
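As an added illustration of item 3 (not code from the original post or from Nielsen), the script below is the defensible version of the check-box idea: the field is masked by default, the user can opt in to seeing the password, and the field is re-masked when it loses focus or the form is submitted so the plaintext does not linger on screen. The element ids `password`, `show-password` and `login-form` are assumed, and `StandInElement` is a minimal stand-in so the sequence can be run outside a browser.

```javascript
// Added example (not from the original post): a log-in form that masks the
// password by default and offers an opt-in "show password" control, with the
// field re-masked on submit and on blur so plaintext never lingers on screen.

// Masking is the default; plaintext is shown only while the user opts in.
function inputTypeFor(revealed) {
  return revealed ? 'text' : 'password';
}

// Wire a checkbox to a password field. Works with real DOM elements or with
// any objects exposing .type, .checked and addEventListener (see StandInElement).
function attachPasswordReveal(passwordInput, revealCheckbox, form) {
  const state = { revealed: false };
  const applyMask = () => {
    passwordInput.type = inputTypeFor(state.revealed);
  };
  const remask = () => {
    state.revealed = false;
    revealCheckbox.checked = false;
    applyMask();
  };
  // Start masked regardless of what the browser restored into the checkbox.
  remask();
  revealCheckbox.addEventListener('change', () => {
    state.revealed = Boolean(revealCheckbox.checked);
    applyMask();
  });
  // Re-mask as soon as the user leaves the field or submits the form.
  passwordInput.addEventListener('blur', remask);
  if (form) form.addEventListener('submit', remask);
  return state;
}

// Minimal stand-in for a DOM element so the example runs outside a browser.
class StandInElement {
  constructor() {
    this.type = 'text';
    this.checked = false;
    this.handlers = {};
  }
  addEventListener(name, fn) {
    (this.handlers[name] = this.handlers[name] || []).push(fn);
  }
  dispatch(name) {
    (this.handlers[name] || []).forEach((fn) => fn());
  }
}

// Runs through the reveal/re-mask sequence on stand-in elements and returns
// the observed input types, so the behaviour can be checked without a browser.
function demoSequence() {
  const pw = new StandInElement();
  const reveal = new StandInElement();
  const form = new StandInElement();
  reveal.checked = true;                 // simulate a browser restoring the box
  attachPasswordReveal(pw, reveal, form);
  const seen = [pw.type];                // masked at load
  reveal.checked = true;
  reveal.dispatch('change');
  seen.push(pw.type);                    // 'text' while the user opts in
  form.dispatch('submit');
  seen.push(pw.type);                    // back to 'password'
  return seen;
}

if (typeof document !== 'undefined') {
  // Assumed element ids; adjust to the page's own markup.
  attachPasswordReveal(
    document.getElementById('password'),
    document.getElementById('show-password'),
    document.getElementById('login-form')
  );
} else {
  console.log(demoSequence()); // [ 'password', 'text', 'password' ]
}
```

The design choice worth noting is that the reveal is never persisted: the checkbox is cleared on load and after every submit or blur, so a shared or projected screen gets the masked default unless the user deliberately asks for plaintext at that moment.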

Perhaps the most egregious error in all the article is this gem:

More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

In the real world, people work in open offices, log in to websites during presentations, browse the web with their significant others, and expect websites to respect their privacy. But I will concede that in Jakob Nielsen’s private office, on the penthouse floor of his ivory tower, password masking is probably useless.

81 Responses to “Terrible Password Security Advice From Jakob Nielsen”