Huh. That's really interesting. It's one of those things you never think about because "it's just the way it's done", but when you think about it his points are entirely valid: password masking hurts usability and doesn't really provide any real security benefit. So why do we do it?
- Louis Simoneau
"More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue." — umm, 'sitting all alone in your office'?! So Mr Nielsen never collaborates with one or more colleagues huddled around a computer screen, so it must be universally true. Good to know :D
- Micah Wittman
"Look away. I. Said. Look. Away—I'm type'n my password into a user friendly input....UH! STILL TYPING!"
- Micah Wittman
He's wrong. Security is a balance between risk and usability. Masking the password field is a good balance. And if you are really so inept that you cannot type in a short 6 to 12 character phrase without getting it right then you can always type it into Notepad first, then copy and paste. The first app to make password fields unmasked by default is the first app that I send to the waste basket. And if this is such a big problem, use something else like a fingerprint reader, or smart card. If your app does not support these options then get one that does.
- Andy Bold
Yeah, the more I think about this, the more I think it's wrongheaded. We would never want an ATM machine, for example, to not mask our PIN #. In the same vein, this is fine if you have a dedicated single user personal computer that is rarely shared or used for collaboration -- but many people use computers in shared environments: schools, libraries, airports, stores. That's not a good user experience for those users. It also isn't going to serve to give people the emotional sense that their data is safe.
- Jason Toney
Andy, exactly. Though I must say, I just had a flashback to the Lotus Notes client (7-odd years ago anyway) password input - a variable-length hieroglyphic icon grouping would appear as you type. That was just wrong, and I'll gladly sick useit.com all over that business. :D
- Micah Wittman
It's hard enough getting users to register for something -- imagine if we removed that sense of security (whether valid or not)
- Jason Toney
I'd like it if I could stop password masking, actually. I wouldn't turn it on in my open-plan office, but at home, I think it would be fine.
- Andrew C
Jason, amen. I'm all for challenging 'well we've always done it that way's, but this boggles my mind because it's going after the henchmen when there's so many usability super-villains out there.
- Micah Wittman
Andrew, what about: type password into username field, cut, paste into password field, type in username, done?
- Micah Wittman
Some overzealous sites (it's rare) actually prohibit pasting into password fields. That said, I have pretty good muscle memory - I cover the ATM pad completely; I can't even see the buttons, much less someone else - but Nielsen's right, password masking can be silly and doesn't add any security when there's no one around to shoulder-surf.
- Andrew C
True, at home it really serves no purpose, and at the very least by seeing it in plain text you are more likely to remember it. But on the other hand it can be beneficial in a multiple user session, and setting that as a default for high security locations works well. That is as long as they are not one of those who use the same password everywhere.
- Ubuntu101
from IM
Do what the OS X wifi password dialog does: put a check box "show password" that's always unchecked by default. Then if no one is around, you can check it and enter your 16 character secure password. The security need depends on context. For serious needs like banking, it isn't a 6 character word. Jakob's best point is: Abandon Legacy Design.
- randulo
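The "show password" checkbox randulo describes, written out as an added example (not code from any commenter or from the OS X dialog): masked by default, revealed only on explicit opt-in, and re-masked when the field loses focus or the form is submitted so it is not left readable on a shared screen. The `FakeElement` stand-in is constructed here so the logic runs in Node without a browser; against a real page the same functions take DOM elements.

```javascript
const MASKED = 'password';
const REVEALED = 'text';

// Apply the checkbox state to the input by switching its type attribute.
// Returns the resulting type so the behaviour can be checked without a browser.
function applyReveal(input, show) {
  input.type = show ? REVEALED : MASKED;
  return input.type;
}

// Wire a password input to a "show password" checkbox.
// Starts masked regardless of any stale checkbox state a cached form may carry,
// and deliberately registers no 'paste' handler: blocking paste only hurts
// password-manager users.
function wireShowPassword(input, checkbox, form) {
  checkbox.checked = false;
  applyReveal(input, false);
  // Keep the hint browser password managers key on.
  input.autocomplete = input.autocomplete || 'current-password';
  checkbox.addEventListener('change', () => applyReveal(input, checkbox.checked));
  // Re-mask when attention leaves the field or the form is submitted.
  const remask = () => { checkbox.checked = false; applyReveal(input, false); };
  input.addEventListener('blur', remask);
  if (form) form.addEventListener('submit', remask);
  return remask;
}

// Constructed stand-in for a DOM element (assumption: only the members used above).
class FakeElement {
  constructor(props) { Object.assign(this, props); this.handlers = {}; }
  addEventListener(name, fn) { (this.handlers[name] = this.handlers[name] || []).push(fn); }
  dispatch(name) { (this.handlers[name] || []).forEach((fn) => fn()); }
}

// Walk through load, opt-in reveal, blur, and submit; returns the input type after each.
function demo() {
  const pw = new FakeElement({ type: 'password', value: '' });
  const cb = new FakeElement({ checked: true }); // stale "checked" from a cached form
  const form = new FakeElement({});
  wireShowPassword(pw, cb, form);
  const states = [pw.type];                                        // masked on load
  cb.checked = true; cb.dispatch('change'); states.push(pw.type);  // revealed on opt-in
  pw.dispatch('blur'); states.push(pw.type);                       // re-masked on blur
  cb.checked = true; cb.dispatch('change'); form.dispatch('submit'); states.push(pw.type);
  return states; // ['password', 'text', 'password', 'password']
}
```

In a page, pass the real elements instead: `wireShowPassword(document.querySelector('#pw'), document.querySelector('#show'), document.querySelector('form'))`.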
Hey, why not go a step further: a nice ajax call keypress by keypress validation: "p" ✔ "a" ✔ "s" ✔ "s" ✔ "w" ✔ "o" ✔ "r" ✔ "r" Oops, hack attempt detected, password was reset. Please validate by super secret email we just sent you. :D (and yes, I know about the bit strength fail inherent - it's a joke, ok :)
- Micah Wittman
O, yes, Shades of "Sneakers" getting a password while using hi-res surveillance cameras trained on the keyboard. No, no! "Listen fellas, you don't need his password. The little black box is next to the...." lol
- Melanie Reed
Well, I do respect Jakob and his crusade for users. And I am being forthright when I say the whole approach to security which places the burden on the user is..., dare I say it? Can it be insane? (with apologies to Rhett Butler's proposal to Scarlett). There's got to be a better way. I'm not saying I know what the "better way" is, but the burden needs to be removed. Who of us hasn't gotten to the point where we have just had our fill of everything including OpenID? Now we've got the social hack to deal with and all the lovely things Mitnick has been making money off of telling the novice networker about, selling his book to University Network security classes as base text. See how prison life can make you rich?!
- Melanie Reed
One of the nice things about the iPhone: the password character remains unmasked for a moment. [This is very important when people are learning the feel of that keyboard!] And Apple's wifi login has the option of showing the entire password unmasked. I like both of these alternatives to the traditional full-masked password.
- Kathy E Gill
I agree with a lot of the points made, but on web pages passwords should remain masked by default because there are a LOT of users out there who would be too daft to mask their passwords in an internet cafe.
- Slippy "Threadsbane" Lane
OpenID with cert auth. One password to rule them all... Frigging annoying that you can't comment on his site...
- Marlin Forbes
Or even better, install KeePass or RoboForms, you never need to know a site's password again. Only the master password.
- Marlin Forbes
Marlin, good call re KeePass. If they ever get an iPhone App approved I will move back to it without even stopping to think. Right now I use 1Password.
- Andy Bold
from email
A friend's husband provides some history (this comment was posted on my Facebook page): "thanks to the hubby for the info: The original reason for masking passwords was because CRT monitors with analog connections like EGA or VGA would give off radio noise (as all electronics do), which could be reconstituted with special equipment. With digital connections like DVI (and even more to the point encrypted digital connections like HDMI) and LCD monitors, however, that is no longer an issue. The noise they give off is not only orders of magnitude lower, but even if you intercepted it, it can no longer be decoded into a replica of what is on your screen."
- Jason Toney