Huh. That's really interesting. It's one of those things you never think about because "it's just the way it's done", but when you think about it his points are entirely valid: password masking hurts usability and doesn't really provide any real security benefit. So why do we do it?
- Louis Simoneau
"More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue." — umm, 'sitting all alone in your office'?! So Mr Nielsen never collaborates with one or more colleagues huddled around a computer screen, so it must be universally true. Good to know :D
- Micah
"Look away. I. Said. Look. Away—I'm type'n my password into a user friendly input....UH! STILL TYPING!"
- Micah
Yeah, the more I think about this, the more I think it's wrongheaded. We would never want an ATM machine, for example, to not mask our PIN #. In the same vein, this is fine if you have a dedicated single-user personal computer that is rarely shared or used for collaboration -- but many people use computers in shared environments: schools, libraries, airports, stores. That's not a good user experience for those users. It also isn't going to serve to give people the emotional sense that their data is safe.
- Jason Toney
Andy, exactly. Though I must say, I just had a flashback to the Lotus Notes client (7-odd years ago anyway) password input - variable-length hieroglyphic icon groupings would appear as you type. That was just wrong, and I'll gladly sic useit.com all over that business. :D
- Micah
It's hard enough getting users to register for something -- imagine if we removed that sense of security (whether valid or not)
- Jason Toney
I'd like it if I could stop password masking, actually. I wouldn't turn it on in my open-plan office, but at home, I think it would be fine.
- Andrew C (✓)
Jason, amen. I'm all for challenging 'well we've always done it that way's, but this boggles my mind because it's going after the henchmen when there's so many usability super-villains out there.
- Micah
Andrew, what about: type password into username field, cut, paste into password field, type in username, done?
- Micah
Some overzealous sites (it's rare) actually prohibit pasting into password fields. That said, I have pretty good muscle memory - I cover the ATM pad completely; I can't even see the buttons, much less someone else - but Nielsen's right, password masking can be silly and doesn't add any security when there's no one around to shoulder-surf.
- Andrew C (✓)
True, at home it really serves no purpose, and at the very least by seeing it in plain text you are more likely to remember it. But on the other hand it can be beneficial in a multiple-user session, and setting that as a default for high-security locations works well. That is, as long as they are not one of those who use the same password everywhere.
- Ubuntu101
from IM
Hey, why not go a step further: a nice Ajax call, keypress-by-keypress validation: "p" ✔ "a" ✔ "s" ✔ "s" ✔ "w" ✔ "o" ✔ "r" ✔ "r" Oops, hack attempt detected, password was reset. Please validate by the super secret email we just sent you. :D (and yes, I know about the bit strength fail inherent in it - it's a joke, ok :)
- Micah
Oh, yes, shades of "Sneakers": getting a password while using hi-res surveillance cameras trained on the keyboard. No, no! "Listen fellas, you don't need his password. The little black box is next to the...." lol
- Melanie Reed
Well, I do respect Jakob and his crusade for users. And I am being forthright when I say the whole approach to security which places the burden on the user is..., dare I say it? Can it be insane? (with apologies to Rhett Butler's proposal to Scarlett). There's got to be a better way. I'm not saying I know what the "better way" is, but the burden needs to be removed. Which of us hasn't gotten to the point where we have just had our fill of everything, including OpenID? Now we've got the social hack to deal with, and all the lovely things Mitnick has been making money off of telling the novice networker about, selling his book to university network security classes as a base text. See how prison life can make you rich?!
- Melanie Reed
One of the nice things about the iPhone: the password character remains unmasked for a moment. [This is very important when people are learning the feel of that keyboard!] And Apple's wifi login has the option of showing the entire password unmasked. I like both of these alternatives to the traditional fully-masked password.
- Kathy E Gill
OpenID with cert auth. One password to rule them all... Frigging annoying that you can't comment on his site...
- Marlin Forbes
Or even better, install KeePass or RoboForm, and you never need to know a site's password again. Only the master password.
- Marlin Forbes
A friend's husband provides some history (this comment was posted on my Facebook page): "thanks to the hubby for the info: The original reason for masking passwords was because CRT monitors with analog connections like EGA or VGA would give off radio noise (as all electronics do), which could be reconstituted with special equipment. With digital connections like DVI (and even more to the point, encrypted digital connections like HDMI) and LCD monitors, however, that is no longer an issue. The noise they give off is not only orders of magnitude lower, but even if you intercepted it, it can no longer be decoded into a replica of what is on your screen."
- Jason Toney