Jun 23, 2009
Password masking is the HTML thingy that replaces your password characters with bullet-points as you type. It may not be the perfect or most effective way to stop snoopers, but it’s not meant to be. It’s only meant to be good enough to stop most snoopers, or at the very least to make snooping somewhat inconvenient. And it covers casual snoopers as well as determined distance creepers with binoculars. He says:
More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
While I agree with Jakob’s general observations about usability and the apparent cost of failed password attempts, I think the alternative isn’t quite acceptable. Because frankly, we’re not all sitting alone in our office. Many of us are, in fact, in the real world…like airports and coffee shops.
Perhaps the solution would be to build into browsers a mechanism to un-mask password fields if you’re absolutely sure you’re not being snooped on (or at least confident enough to take the risk). After all, there’s nothing in the HTML spec that prevents this behaviour. Desktop operating systems do it all the time these days. Then again, there’s also nothing that says a plain text field can’t just be used instead (which kind of makes the whole thing moot anyway).
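The opt-in un-masking described above, sketched as page script rather than a browser feature (an added example, not code from the original post). `attachReveal`, its options and the 10-second timeout are assumptions made for illustration.

```javascript
// Added example: opt-in reveal for a password field that always falls back to masked.
// `input`, `toggle` and `opts.doc` are DOM nodes in a browser; any object with
// `type` and addEventListener works, which is how the logic can be exercised offline.
function attachReveal(input, toggle, opts = {}) {
  const timeoutMs = opts.timeoutMs ?? 10000; // assumed default: re-mask after 10 s
  const setTimer = opts.setTimeout ?? setTimeout;
  const clearTimer = opts.clearTimeout ?? clearTimeout;
  const doc = opts.doc ?? (typeof document !== "undefined" ? document : null);
  let timer = null;

  function mask() {
    if (timer !== null) { clearTimer(timer); timer = null; }
    input.type = "password";
  }

  function reveal() {
    if (timer !== null) clearTimer(timer);
    input.type = "text";
    timer = setTimer(mask, timeoutMs); // a forgotten reveal does not stay on screen
  }

  mask(); // masked by default; revealing takes an explicit click
  // Deliberately not tied to the input's blur event: clicking the toggle blurs
  // the input first, and a blur handler would fight the click handler.
  toggle.addEventListener("click", () => {
    if (input.type === "password") reveal(); else mask();
  });
  // Re-mask before submit so the value is still in a type=password field
  // when the browser processes the form.
  if (input.form) input.form.addEventListener("submit", mask);
  // Re-mask when the tab is hidden (switching tabs or apps).
  if (doc) doc.addEventListener("visibilitychange", () => { if (doc.hidden) mask(); });

  return { mask, reveal, isRevealed: () => input.type === "text" };
}

// Browser usage (element ids are hypothetical):
//   attachReveal(document.getElementById("pw"), document.getElementById("show-pw"));
```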
Regardless, people with fat fingers hammering away on their iPhones should be the last people to complain about password masking: while they’re out there flaunting their precious little gadgets like a prom date, they’re the very ones being protected by masking. Granted, their passwords are probably something asinine like the name of their cat. They should use something like 1Password.