
July 2, 2009

Password masking, Hollywood and standards

Passwords are sacrosanct on the web. Some sites force you to change yours every so often, others enforce a minimum length, and others require certain symbols to make the password stronger. All of this is fine, I believe. But why do passwords always appear as '******' when you enter them on a web page, as if someone were peeping over your shoulder at that very second? Jakob Nielsen, one of the most notable usability experts, says 'Stop Password Masking'. His comments reminded me of the only place I've seen unmasked passwords: Hollywood movies. Perhaps on this occasion Hollywood has a better depiction of what works, especially now that Nielsen has said something on the topic.


Since I always try to type as fast as possible, masked passwords have always irked me, which is why when I saw the movie Along Came a Spider I thought, 'Now wouldn't that be EASIER!'. There is a scene where Morgan Freeman 'guesses' a password, and to illustrate his genius in deducing it, the directors decided to show the password in clear text as he typed it. It shows aces&eights, or something like that.

Wow, I could even see the special characters, I thought. Instead of the typical error page: 'Check that: * You don't have the Caps Lock or Shift key on... * You have the correct keyboard/language settings'.

Jakob Nielsen's advice is simple: stop password masking. For more security-sensitive applications, he suggests a checkbox, checked by default, that keeps the password masked, and letting users uncheck it if they want to see the password in clear text. Very simple indeed. Take a look at his entire post: http://www.useit.com/alertbox/passwords.html (he also advocates removing the Reset button, though I'm not sure about the merits of that proposal).
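Nielsen's default-checked 'mask password' checkbox, wired up in the browser as an added example (this is my code, not Nielsen's and not from the original post; the element ids, function names and the form handling are assumptions):

```javascript
// Added example: a "mask my password" checkbox in the style Nielsen proposes.
// Checked by default (masked); the user may uncheck it to see clear text.
// The element ids (pw, mask-toggle) and the form wiring are assumptions,
// not anything from the original post.

// Apply the masking preference to a password field. Switching the input's
// type between 'password' and 'text' keeps a single field, so the value and
// its validation are unchanged; only the on-screen rendering changes.
function applyMaskPreference(field, masked) {
  field.type = masked ? 'password' : 'text';
  return field.type;
}

// Bind a checkbox to a field: the checkbox's checked state means "masked".
// The checkbox should start checked so the default is the safe one; the user
// opts into clear text rather than out of masking.
function bindMaskCheckbox(checkbox, field) {
  applyMaskPreference(field, checkbox.checked);
  checkbox.addEventListener('change', function () {
    applyMaskPreference(field, checkbox.checked);
  });
  return field;
}

// Practitioner's caveat: restore masking before the form is submitted, so the
// browser sees a password field at submit time rather than a plain text field
// whose value it may keep in its form-history autocomplete.
function bindSubmitRemask(form, checkbox, field) {
  form.addEventListener('submit', function () {
    checkbox.checked = true;
    applyMaskPreference(field, true);
  });
  return field;
}

// Wire it up only when a DOM is present, so this file also loads under Node.
if (typeof document !== 'undefined') {
  const field = document.getElementById('pw');           // <input id="pw" type="password">
  const toggle = document.getElementById('mask-toggle'); // <input id="mask-toggle" type="checkbox" checked>
  if (field && toggle) {
    bindMaskCheckbox(toggle, field);
    if (field.form) bindSubmitRemask(field.form, toggle, field);
  }
}
```

The checkbox is checked by default so that the masked state is the one a user who never touches it gets; the change handler only ever rewrites the field's type, never copies the value anywhere else.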

Let's see if the W3C eventually makes good on this topic, or at least whether web browser vendors are paying attention to someone like Nielsen and considering this as an option. Security-wise, masking really only produces a 'fuzzy' feeling of protection against peepers, with the drawback of more typing errors.

So what do IT professionals think about this idea? Here is one example. I searched for references to this Hollywood movie scene and, lo and behold, found it under 'What's the worst IT reference you've seen in a movie or TV show?':

" An epic fail of a computer scene: Morgan Freeman has just figured out who the bad guy really is but needs the password for their computer... then he remembers a conversation from earlier on in which the bad guy used the term (I think...) "Aces and Eights" (something like that).

So Morgan Freeman types "Aces&Eights" into the password box of the computer and breaks the password... must have been a lucky guess on the capitalisation and the ampersand. But lucky for us that there were also no asterisks, otherwise we wouldn't have been able to spot this idiocy."

I guess we will have to wait and see whether this scene moves onto the 'Most prescient IT reference you've seen in a movie or TV show' list in the coming years.

Update: It seems Jakob Nielsen's post stirred up a lot of debate. I found this interesting approach to partial masking, which, as the author points out, "is an attempt to meet Jakob halfway": HalfMask - an Experiment in Password Masking.


Posted by Daniel at July 2, 2009 3:03 PM
