Find solution
Do password fields on registration forms need to be masked?

Do password fields on registration forms need to be masked?

  • Your typical registration page for a web site will ask you for a password, then ask you to confirm to make sure you typed it correctly. In doing so, they typically mask the two fields: Create Password --------------------------- | ******** | --------------------------- Confirm Password --------------------------- | ******** | --------------------------- As a user, I don't like masked password fields--at least when I'm creating them. Instead of retyping it, just let me see the pwd so I can see that I typed it in correctly: Create Password --------------------------- | K#4jsie! | --------------------------- What are the arguments for not doing the latter? Is it just habit? Or are there very big security reasons for not allowing it? UPDATE: What are thoughts on this hybrid solution? One field, but let the user opt in to unmask it? Is this a viable compromise? Create Password --------------------------- | ******** |  Show Password ---------------------------

  • Answer:

    There's a good case against using masked passwords: http://www.nngroup.com/articles/stop-password-masking/. Summary: Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures. All it does is prevent people from seeing your password as you type, but dedicated hackers/thieves can easily get around that. It hurts UX more than it helps prevent password theft. Update: Your option to allow the customer to show their password if they wish is a good compromise.

DA01 at User Experience Visit the source

Was this solution helpful to you?

Other answers

One solution is to give your user the option to choose which is best for them. Luke Wroblewski wrote http://www.lukew.com/ff/entry.asp?1653 that covers this issue well: By default Polar displays your password on our Log In screen as readable text. A simple, Hide action is present right next to the password field so in situations where you might need to, you can switch the password to a string of •••• instantly. Wait... what? You’re displaying people’s passwords by default? Simply put, yes. We decided to optimize for usability and ease of log in over questionable security increases. On a touchscreen phone, its trivial to move the device out of sight of prying eyes. Or easier still to simply hit the Hide action to obscure a password. But not that it matters, there’s a visible touch keyboard directly below the input field that highlights each key as you press it. These bits of feedback show the characters in a password at a larger size than most input fields. So in reality, the •••• characters aren’t really hiding a password from prying eyes anyway. As a result, we opted for usability improvements instead.

Charles Wesley

The obvious reason is, that you can type the password, even if other people are watching the screen. Often i have this situation when i publish my desktop in a presentation, or if i need to give support to other users. Besides hiding of the characters, the browser (or desktop application) will also prevent copying the content from the password box. This is one possibility less for other applications to misuse the passwords.

martinstoeckli

Related Q & A:

Just Added Q & A:

Find solution

For every problem there is a solution! Proved by Solucija.

  • Got an issue and looking for advice?

  • Ask Solucija to search every corner of the Web for help.

  • Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.