

(I was learning)

Stop Password Masking

Nielsen’s arguments regarding usability are valid. His case of users employing overly simple passwords or storing them in a text file I also believe to be accurate.

However, one of the introductory paragraphs falls down pretty hard.

“Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.”

There are few cases regarding anything where a single tactic can “protect fully against [baddies].” Heck, brushing my teeth doesn’t protect fully against plaque — shall I make the argument that one should not brush their teeth?

However, the bigger issue is in the sentence preceding that:

“Most websites (and many other applications) mask passwords as users type them …”

Here he is pushing the “blame” for this OS-level security onto the Web industry. Sure, Web designers and developers could choose to stop using input form elements with password type attributes. But users would lose all faith in the Web site’s security the moment they saw their password in plain text. Further, the security benefits from the special treatment operating systems give to password inputs would be lost.

Nielsen needs to be making this argument to OS vendors. Until showing passwords in plain text is the norm at the OS level, users will not stand for it at the Web level. Web sites will lose more business by accepting this practice immediately than they ever will by showing the users a “line of bullets.”