Throwing Out Password Masking With the Bathwater

A recent and highly publicized blog is recommending that we stop the practice of password masking. The argument made by the author is that password masking offers little to no security benefit while at the same time creating a frustrating user experience. Even security-famed Bruce Schneier has weighed in on the topic. Specifically, the author notes the following:

  • Users make more errors when they can’t see what they are typing
  • Users are more likely to get frustrated or feel less confident, and so abandon their login
  • To get around these problems, users are more likely to employ insecure password practices such as using overly-simple passwords, or copying and pasting passwords from other locations

The author further states that the primary claimed advantage for masking passwords – that it prevents shoulder surfers from seeing what you type – creates a false sense of security. He correctly points out that a skilled or determined shoulder surfer would simply watch the keys you type, without having to see the characters appear on the screen.

In addition to the author’s points, I would add that masked passwords make it difficult for the user to know if they accidentally have caps-lock enabled. And, lacking any feedback about their typos, users are more likely to accidentally lock their accounts after too many failed logins. This creates not only a negative user experience, but also an unnecessary strain on technical support when they get called about the locked accounts.

All of the author’s points are valid, but in many cases the problem is overstated, the benefits are understated, and the conclusion falsely assumes binary options.

First, the problems described for password masking are exaggerated worst-case scenarios. How often do you really think users get so frustrated with masked passwords that they abandon the site resulting in lost revenue to the site’s owner? Or more pointedly, how often should such problems be attributed to the password masking itself, and not some other poor user interface design? I’m not saying it doesn’t happen, I am just skeptical that the problem is as large as the author claims.

Second, some benefits of password masking are overlooked. The author claims only one benefit – preventing the malicious shoulder surfer from seeing your password on screen – and then argues that this person will just watch you type the keys on your keyboard instead. Here are some additional benefits not explored by the author:

  • Depending on your typing speed, watching keys as they are typed is more difficult than reading a password onscreen – especially for weak passwords. Someone attempting to watch you type keys is more likely to fail in capturing the entire password, or will require additional tools (e.g. video cameras) to assist him. Masking passwords may not be a perfect solution, but it’s not valueless either.
  • Accidental password exposure is probably a bigger problem than intentional shoulder surfers. When you are making that next big presentation to coworkers and clients via the office projector, a web share, or within your cube, will you remember to blank your screen before you log in? Or would you prefer to ask your audience to all close their eyes briefly while you log in? Or perhaps you trust them to see your password?

Finally, the author presents the problem as if the solution is binary – we either mask passwords, or we don’t. As some Mac OS X users will tell you, this is a false dichotomy. For example, when setting up a new wireless internet connection, the Mac gives you the option to display the typed or stored password. By default the password is masked, but the user has the option to override this, which can be helpful when you aren’t sure if you fat fingered the password field. Apple doesn’t use this feature everywhere, but perhaps it should.

In conclusion, if you are considering unmasking passwords, make sure you aren’t throwing the baby out with the bath water. The points made by the author have validity, but they describe an opportunity to improve the existing practice of password masking, not a valid reason for abandoning the practice entirely.