Web Site Design Advice That Sucks: Cleartext Passwords

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.

More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

Jakob Nielsen, Stop Password Masking

I started but didn’t finish a post along almost the opposite line a few weeks back after playing around with one of my digital cameras for a while. What happened was I noticed that it was very easy to photograph a computer screen from a significant distance with an inexpensive digital camera and read the display without the slightest problem. (It started when I realized that I could read a stranger’s computer screen perfectly in a photo I had taken of my children on a plane trip.)

This could be your password!
This could be your password!

A recent Scientific  American article points out that security researchers have been doing things like reading screens using cheap telescopes from hundreds of feet away (the distance between nearby office buildings in New York, say), or magnifying reflected images in users’ eyeballs (something I actually predicted about twenty-five years ago in my old science fiction setting).

Of course, users usually aren’t being watched, but simple security isn’t for the usual case. Sure, leave your front door open, burglars usually aren’t wandering through your neighborhood. Displaying cleartext passwords is just asking for it since snapping a high resolution still photo is ridiculously more easy than filming a user’s keystrokes or packet sniffing. In Nielsen’s world, I could sit in any Starbucks and collect dozens of userids and passwords over coffee. What’s worse, as each happy notebook user tried out their three favorite hard-to-remember passwords I’d be able to collect information which would let me break into multiple accounts.

Of course this would never happen, because users would probably shy away from the lack of perceived security on any sites taking Nielsen’s bad advice. In this case, they’d be absolutely right.

A huge problem with Nielsen’s argument is that the usability angle is virtually irrelevant (most people type passwords from muscle memory and don’t rely on visual feedback) and the use-case is wrong (entering passwords is a common operation which people can remember how to do, not an obscure operation people need help remembering).

Now, Nielsen’s observations are based on observing usability tests of mobile devices accessing password-protected sites, and I have no doubt the observations are valid. But herein lies the problem with usability testing — it may show you a problem, but it doesn’t show you the solution. Go do a real test of Nielsen’s “solution” and see what really happens. I have no doubt entering a password in a cleartext field is easier, but the downstream costs aren’t part of the test.

Gruber’s point (in providing the link) is well-taken:

The iPhone strikes an interesting middle ground here — it shows you each letter you’ve typed in a password field for a second or so before turning it into a bullet.

John Gruber, Daringfireball

The iPhone solution is excellent because it doesn’t open up any new security hole (filming an iPhone user’s password is exactly as hard as filming someone typing). Nielsen’s proposed solution opens you up to having your passwords recorded by random security cameras being watched by random guys many of whom aren’t earning much more than minimum wage and who are really bored.

Nielsen proposes a checkbox to mask password entry for insecure situations. Great. So we’re making a technically simple gizmo more complex in the interest of reducing security. Please, if you’re going to add a bunch of JavaScript to make your password entry field work better, use it to make your logins secure over http. How many people will remember to click the “mask” checkbox, or inadvertently type cleartext passwords before they realize what’s going on?

The only really relevant use-case where seeing your password improves usability is when you’re entering a new password for a new account, and even then Nielsen’s argument fails — having visual feedback when entering and confirming a password would encourage users to invent new passwords they have virtually no hope of remembering, which in turn would lead to more “security questions” and “mail my password to me” garbage which is where the really huge security holes lie.

So, in summary, in this particular case Nielsen is wrong, and not even wrong in a useful way. He’s wrong on the following counts:

  • The usual failure mode for logging in is not mistyping but failing to remember a password.
  • Cleartext passwords would encourage users to choose a larger number of harder-to-remember passwords, increasing the primary problem people actually have logging in to websites.
  • Cleartext passwords are a gaping security hole
  • Even if Nielsen were right in theory, any website taking his advice would lose customers owing to a perceived lack of security

So the cost is far greater than Nielsen suggests and the benefits either negligible or illusory. And you’ll lose customers.

Next, let’s get rid of smoke detectors. They’re a pain to install, and make annoying high-pitched squealing noises when their batteries run down. And buildings usually don’t catch fire.