homepage Welcome to WebmasterWorld Guest from 54.234.74.85
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / WebmasterWorld / Accessibility and Usability
Forum Library, Charter, Moderators: ergophobe

Accessibility and Usability Forum

This 43 message thread spans 2 pages: < < 43 ( 1 [2]     
Usability Expert Jakob Nielsen says: Stop Password Masking
aleksl




msg:3939515
 2:24 pm on Jun 24, 2009 (gmt 0)

Just wanted to comment on an interesting article I just received from one self proclaiming usability expert.

His idea is - "Stop password masking", it's bad for usability.

I always thought passwords were sent via base-64 encryption even in plain HTTP, so making them open text is just opens all kinds of holes for security breaches at every level. What do you guys think?

 

DrDoc




msg:3947826
 5:11 pm on Jul 7, 2009 (gmt 0)

I think the idea of a checkbox might be good, but it should require checking to make the password visible, and that checkbox should revert to masked default every time the page is refreshed, the window is closed, or the browser shut down.

I absolutely agree!

My suggestion:

- Use <input type="password">
- Supply checkbox (or button/image) to toggle the type of the password field to type="text"
- Use JavaScript to display the checkbox (or button/image)
- Use onkeydown/onkeypress to check if Caps Lock is on and, if so, display notice

A couple benefits from this scenario:
- saved passwords remain hidden by default (although, toggling the input field type would certainly reveal the plain-text password)
- the more "secure" option remains the default
- typos due to Caps Lock being accidentally turned on are reduced

The big challenge is alerting users to Caps Lock being on. Visual cues are less intrusive, but are certainly much less usability/accessibility focused than a glaring alert()

Something like this might work:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" 
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Password Unmasking and Caps Lock Check</title>
<style type="text/css">
#capsalert {
color: #c00;
font-size: 80%;
display: none;
}
</style>
</head>
<body>
<form>
<fieldset>
<legend>User Info</legend>
Username:<br>
<input type="text"><br>
Password: <span id="capsalert">CAPS LOCK = on</span><br>
<input type="password" id="pwd">
<script type="text/javascript">
document.write(
'<input type="checkbox" name="masking" onclick="unmask(this.checked)"> ' +
'Show the password as I type'
);
</script>
</fieldset>
</form>
<script type="text/javascript">
function chkCaps(e) {
ev = (e ? e : window.event);
kc = (ev.which ? ev.which : (ev.keyCode ? ev.keyCode : false));
sk = (ev.shiftKey ? ev.shiftKey : (ev.modifiers ? !!(ev.modifiers & 4) : false));
if(
(kc >= 97 && kc <= 122 && sk) ¦¦
(kc >= 65 && kc <= 90 && !sk)
) {
document.getElementById('capsalert').style.display = 'inline';
}
else {
document.getElementById('capsalert').style.display = 'none';
}//end if
}//end function
function unmask(truefalse) {
elem = document.createElement('input');
elem.setAttribute('type', (truefalse == true ? 'text' : 'password'));
elem.setAttribute('value', document.getElementById('pwd').value);
elem.id = 'pwd';
document.getElementById('pwd').replaceNode(elem);
document.getElementById('pwd').onkeypress = function(e) { chkCaps(e); };
}//end function
document.getElementById('pwd').onkeypress = function(e) { chkCaps(e); };
</script>
</body>
</html>

Edit: Remember to replace broken pipes with actual vertical bars.

[edited by: DrDoc at 5:16 pm (utc) on July 7, 2009]

janharders




msg:3947845
 5:50 pm on Jul 7, 2009 (gmt 0)

The big challenge is alerting users to Caps Lock being on. Visual cues are less intrusive, but are certainly much less usability/accessibility focused than a glaring alert()

I agree, an alert() or something else that takes focus away from the field would be the worst idea to make things easier for the average user - who just might look at the keyboard to type ... if he does so and notices when looking at the screen again that nothing he typed got registered, he's gonna be disappointed.
As in your example, I think it's ok if it's close to the form where the data is entered. A small Warning-Sign with explanatory text just below the password field will probably do just as well. locked my workstation to see what windows does, and I guess it'd be good to copy the style, so users see something familiar.

tangor




msg:3948089
 4:28 am on Jul 8, 2009 (gmt 0)

Another look on this subject:

Schneier says he was 'probably wrong' on masked passwords

Security guru gets a bit carried away by the moment

[theregister.co.uk...]

Bentler




msg:3948660
 8:22 pm on Jul 8, 2009 (gmt 0)

I think a "see password" checkbox and slider that hides the mask and adjusts alpha to fade your password in or out might be a useful method.

In general I appreciate Nielsen's penchant for asserting sensibility on the industry.

sunrayfr




msg:3949237
 2:26 pm on Jul 9, 2009 (gmt 0)

When I first saw that article on Nielsen's website I thought it was completely stupid.
But then we discussed about it with some colleagues and had an idea:

- What about masking the password as usual for the first 2 attempts.
- If they both fail, pop up a small message that offers the possibility to unmask the field for the next attempts (with a warning about security issues).
- The user can then choose if he is in a safe enough place to unmask his password.

What are your thoughts on that ?

JS_Harris




msg:3951199
 1:21 am on Jul 13, 2009 (gmt 0)

When my bank sends me a new credit card in the mail I have to call to activate it. A machine tells me to enter the card number and 3 digit code on the back. That is all it takes.

I thought this was not secure, what if someone took my mail, they could activate my card.

The bank informed me that a simple caller ID feature was able to identify my call and so no more questions were asked. If the phone number didn't match I'd have had to give more proof.

Passwords need that same level of extra protection imo, they should work wether plain text or not but a redundant IP check should be performed on subsequent visits (not an easy task with IP renewal on startup via DSL or cache clearing on browser session close etc, I know).

commanderW




msg:3951254
 4:23 am on Jul 13, 2009 (gmt 0)

Reading the link Tangor posted, it seems Nielson's problem (along with the new complication posed by the proliferation of handheld devices) has been addressed already.


Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it.

It sounds like a decent solution too. Both companies have the bucks to do some serious research and testing.

Is this solution easy to implement for everyone else? Maybe some of the code gurus here can say. Or maybe this new trick is proprietary.

The checkbox solution might still make logins a tedious ordeal for users of handheld devices.

Anyway, the Big Boys seem to be a few steps ahead of Nielson on this.

DrDoc




msg:3951617
 4:07 pm on Jul 13, 2009 (gmt 0)

Having each character temporarily show in plain text, and then become masked ... That's virtually impossible to achieve.

The checkbox solution would not make a big difference on handhelds. The problem with the checkbox is ensuring that people understand what it does, in as few words as possible.

janharders




msg:3951655
 4:54 pm on Jul 13, 2009 (gmt 0)


Having each character temporarily show in plain text, and then become masked ... That's virtually impossible to achieve.

why? it should work quite fine with javascript, allthough you might not be able to use the standard masking character windows xp uses ... I don't see any problems with an asterisk. Of course, without javascript, there's no way to do it without the browser manufacturer, but many people have javascript enabled. do you see any other problem?

blend27




msg:3954504
 5:14 pm on Jul 17, 2009 (gmt 0)

@DrDoc

document.getElementById('pwd').replaceNode(elem); Does not work in FF.

replaceNode is native to MS Browsers.

So The DOM Way would be(me thinks)

oldElem = document.getElementById('pwd');
elem = document.createElement('input');
elem.setAttribute('type', (truefalse == true ? 'text' : 'password'));
elem.setAttribute('value', document.getElementById('pwd').value);
elem.id = 'pwd';
//document.getElementById('pwd').replaceNode(elem);
oldElem.parentNode.replaceChild(elem,oldElem);

I like the Idea a lot.

Blend27

super70s




msg:3955402
 8:09 pm on Jul 19, 2009 (gmt 0)

If you think password masking is a PITB try signing up for Twitterfeed.com. They have this "secret categories with a picture" insanity that's supposed to be easier to remember than a password. I won't go through that again no matter how much I want to sign up for something.

Tommybs




msg:3956530
 12:38 pm on Jul 21, 2009 (gmt 0)

For those of you that use jquery as a javascript library of choice, there is actually a plugin that does briefly show the typed character and then mask it, similar to how some phones work when connecting to the internet.

I think the major hurdle with display what the user types in a password field would be the user trust issue. How do you convince a user that unless somewhere is watching over their shoulder it's just as safe. Most web users are probably so used to sites not displaying their password as they enter it, that if they suddenly could see it they might begin to question whether the site in question has been compromised.

It is interesting though how most people aren't considered that credit card fields display the correct numbers. Maybe more and more people check for https these days...

phranque




msg:3959761
 12:28 pm on Jul 26, 2009 (gmt 0)

Having each character temporarily show in plain text, and then become masked ... That's virtually impossible to achieve.

that's how it works in the Blazer browser on the Palm OS.

This 43 message thread spans 2 pages: < < 43 ( 1 [2]
Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Accessibility and Usability
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved