Tiffany B. Brown

a mish-mosh of stuff

To password mask or not password mask?

That is the question Jakob Nielsen sparked with last summer’s column: Stop Password Masking. In this week’s A List Apart, Lyle Mullican discusses The Problem with Passwords, and writes:

However, making such a sweeping change to a fundamental user interaction could present serious problems. Consider some contexts in which a password might need to be entered in front of a large group of people, such as while using a conference room projector. And many years of web experience have set user expectations on how form elements should work. People understood that password masking was invented for their security. Failing to meet that expectation might undermine confidence, and we cannot afford to lose our users’ trust.

I agree with Nielsen here, and suggest that if you need to enter a password while using a conference room projector, you should have logged in before your presentation.

Password masking prevents users from checking that the password is correct before it is sent to the server. If, as you should and I do, you pick long, hard-to-guess passwords, an unnoticed typo can be a real source of frustration.

Password masking also provides a false sense of security, particularly on unencrypted connections. Sure, it stops a person peeking over your shoulder from reading the password off the screen. But it doesn’t stop her from watching you type it on the keyboard. Nor does it stop someone from intercepting it with a packet sniffer if the password is sent as plain text.

In other words: password masking is a bad convention.

So what’s the answer? Password unmasking — a toggle that allows users to choose whether or not to show the password. It’s a fairly recent convention that’s become widely used for WiFi set-up screens. Jeremy Keith described one method of password masking last summer. Mullican covers a similar technique in his A List Apart piece.
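As an added illustration of the toggle convention described above (example code written for this page, not Keith’s or Mullican’s own), the field starts masked, the user opts in to reveal it, and it is re-masked before submit so a later screen share does not expose it. The element ids and markup are assumed.

```javascript
// Added example: a show/hide password toggle. Switching the input between
// type="password" and type="text" only changes what is drawn on screen; the
// value submitted to the server is identical either way, so the toggle adds
// no transport risk and, as the post notes, is no substitute for encryption.

// Pure state transition so it can be exercised without a DOM.
function toggleMasking(field) {
  field.type = field.type === 'password' ? 'text' : 'password';
  return field.type === 'text'; // true when the password is now visible
}

function maskField(field) {
  field.type = 'password';
  return field.type;
}

// Wires the toggle to a form. Assumed (hypothetical) markup:
//   <form id="login">
//     <input type="password" id="pw" name="pw">
//     <button type="button" id="pw-toggle" aria-pressed="false">Show password</button>
//   </form>
function attachPasswordToggle(form, field, button) {
  button.addEventListener('click', () => {
    const shown = toggleMasking(field);
    button.setAttribute('aria-pressed', String(shown)); // expose state to assistive tech
    button.textContent = shown ? 'Hide password' : 'Show password';
    field.focus(); // keep the user in the field they were typing into
  });
  // Never leave the field unmasked once the form is submitted: a projector or
  // screen recording after the fact should not show the password.
  form.addEventListener('submit', () => {
    maskField(field);
    button.setAttribute('aria-pressed', 'false');
    button.textContent = 'Show password';
  });
}

// Only touch the DOM when one exists (lets the functions above run headless).
if (typeof document !== 'undefined') {
  const form = document.getElementById('login');
  const field = document.getElementById('pw');
  const button = document.getElementById('pw-toggle');
  if (form && field && button) attachPasswordToggle(form, field, button);
}
```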
