Comments on: Why do passwords appear as dots in a form?

By: Paul Olyslager

Paul Olyslager — Mon, 28 Nov 2011 15:33:47 +0000

Hi Clive, thank you so much for making your point. I think that comments like these are a real eye-opener for all of us. I have to admit that many companies I have worked with value accessibility as a nice-to-have rather than a must-have because the necessary investments don’t weigh up to the minimal increase of users.

Little do these companies know, literally! They seem to claim that their websites or applications aren’t used by people with disabilities, so they don’t need to pay attention to web accessibility. However, the tracked profile of a user with a disability is identical to anybody else using that browser.

Knowing that 18.7 percent of US citizens are disabled (according to a 2005 report from the United States Census Bureau), they should start right away!

I haven’t found any metrics on the matter but I do believe that many, mostly governmental, instances are making the extra efford – although slowly – in optimizing their websites, (web) applications, … but companies and others still have to follow their example.

By: Clive

Clive — Sat, 26 Nov 2011 08:39:38 +0000

Hi, I don’t know if this article/discussion is recent or archived but found it extremely interesting. A point that all your replies seem to be missing is how useful it would be for disabled people like me with poor dexterity (cerebral palsy) Jamie posed the question “Is it really that hard to type a string of 8 to 13 characters correctly?” Believe me Jamie for some of us its very difficult. I’m forttunate enough to be able to type one finger. Others, my wife for example, co-ordination and use of hands so bad she can only type with the tip of her nose!! So anything that makes the process a bit easier is appreciated.

(to make a point… this messaage has taken well over half hour to write and involved 32 corrections).

By: Do we really need dots on a password field? | marcomonteiro's – Blog

Do we really need dots on a password field? | marcomonteiro's – Blog — Thu, 23 Dec 2010 13:30:31 +0000

[...] never really thought about this until a while ago when i’ve come across with this article. And i was blown away that i’ve never thought this myself. Seriously, imagine that you have [...]

By: Paul Olyslager

Paul Olyslager — Sat, 13 Nov 2010 10:56:17 +0000

@Marco Monteiro: You're most welcome Marco! Glad you liked it.

By: Marco Monteiro

Marco Monteiro — Fri, 12 Nov 2010 22:58:12 +0000

This is a really good article =) save me a lot of time with research… thanks mate..

By: Paul Olyslager

Paul Olyslager — Mon, 11 Jan 2010 11:21:21 +0000

I've found a nice solution for the Iphone-like approach on the website of Queridodesign. It is using Mootools and works in Safari 3+, Firefox 3+, Opera 10+, Internet Explorer 6 and 7.

By: Jaime

Jaime — Wed, 18 Nov 2009 15:27:46 +0000

@Paul Olyslager: Thanks Paul! I by no chance mean there should not be room for improvement. I do agree that if there's a chance to improve, so it shall be done in a tasteful and effective way. The thing is, a password input box that displays the letter and then transforms to a asterisk, is just a bit more safe than having the box display plaintext. A person with good visual ability and memory looking to steal your password will do so by looking at your plain text, by looking ad the changing letters, or by looking at your fingers when you type. In that same order you could say there's no protection with the first, somewhat a protection with the second and as much a protection with the last option. The main reason the iphone's password input boxes work like that is because of two reasons. First the fact that the phone is always in close proximity to your person and it's easier to "protect" your password entering with your body (which most people do, if only because most people use the phone in a position where people can't snoop from behind). And Second the fact that typing in an iphone is by definition harder than typing on a regular keyboard, as well as it's a lot more error prone. Add to that the fact that if I can probably type my password wrongly 2 times and get it the third time on the browser faster than typing it on an iphone (though that might be because I really don't get a lot of use from opposable thumbs). It's that much annoying to have to retype your password on the phone than on a laptop or desktop. I believe Apple decided to sacrifice a little security to make the experience easier for people. But we shouldn't do that on the web, because the security risk is a lot higher than on a mobile phone.

By: Paul Olyslager

Paul Olyslager — Wed, 18 Nov 2009 14:15:24 +0000

@Jaime: First of all, thank you for your comment. It is always nice to hear someone else's opinion and takes the time to clarify it. I must say I partly agree with your comment. You shouldn't change the usability of something that is so standarized as the dots of a password field, but that doesn't mean there is no room for improvement (or at least have a look for other possibilities for that matter). Re-inventing the wheel is not necessary, but improving it to the changing external conditions without touching the basics of the wheel (it needs to roll) is. The essence of a password field are the dots itself, without these the field is not recognisable as a passform field. In all the alternatives mentioned in this article I kept the dots for consistency reasons. I do understand the solution of Apple, changing the character in a dot after you entered the next character makes sense. People still recognise it as a passform field, it is still consistent and it's more difficult to make a typo. I'm not saying that this option will be the new standard, but it is nice to know that people still think about the functionality.

By: Jaime

Jaime — Mon, 16 Nov 2009 11:55:28 +0000

I’ve heard this a gazillion times. “Why mask passwords? Give control back to the users!”

There are various reasons why this is not a good idea.

1) You may think that “over the shoulder” password peeking doesn’t occur anymore, but it’s far more likely to happen now than ever. Be it your girlfriend trying to figure out your Facebook password to see if you’re cheating, or the florist that brought flowers to your office who is really a corporate spy. No this is not a movie script. This stuff does happen.

2) It has worked the way it is for ages. Why change something that works? Most people authenticate many different ways. Browser’s password manager, a password managing app, the leave their account logged in, or are so used to typing their password that muscle memory takes care of the rest. Is it really that hard to type a string of 8 to 13 characters correctly?

3) Users grew up with the idea that masked passwords mean security. You take that away and people will think twice about using your website. Though password masking does not equal security, it’s to late to change the perception of it all.

There’s a point where usability pioneering starts getting in the way. Study the effects of positioning, whitespace, simplicity and complexity in interfaces, call to action importance hierarchies, and the whole plethora of other usability issues; but really, this stuff works well already, and changing it will make you the outcast in the list of sites the user uses. If out of the 10 sites I use 9 mask passwords and 1 doesn’t, I might associate that with not being safe or meaning something completely different to what it would mean otherwise.

To finish up, one of the most important concepts in user experience is consistency, and this doesn’t only apply to the design of your site. It is just as important to maintain a consistency in certain elements the user interacts with throughout the whole web, and one of said components is the password field.

By: Sue

Sue — Mon, 16 Nov 2009 01:59:07 +0000

The dots are there for security, so someone looking over your shoulder can’t find out your password (social engineering hacks).

In our software program, when you enter a password, such as for your key, it’s in all dots. But there’s a check box you can select that allows you to “Show keystrokes.” If you know no one is at your back, you can select this to verify you’ve typed the correct password. In our case, it’s a simple usability fix.