Passwords: to hide or not to hide?

Jakob Nielsen: don’t hide passwords

A while back Jakob Nielsen wrote an article in favour of no longer hiding passwords behind a row of bullets.

His main arguments:

  • Users often make mistakes when typing passwords because they alternate between uppercase and lowercase, letters and numbers.
  • The lack of visual feedback increases the chance of mistakes. Users can’t see whether they’ve typed in something wrong.
  • Hidden passwords aren’t really safer. People can still look which keys the user is hitting to find out the password.
  • 95% of the time, the user is alone behind the computer and nobody’s watching.

His conclusion: the small amount of added security does not outweigh the loss of visitors who have trouble registering and logging in. Nielsen advises to use a check-box to give the user the option to hide the password behind a row of bullets. On security-sensitive websites, like for example banks, he advises to check the box by default.

What do I think?

Nielsen is no dummy. He’s absolutely right when he says the bullets cause confusion. People aren’t sure whether or not they’ve made a mistake, they don’t know what they’ve typed in already so they just start all over again. Sighing deeply. That’s what we often see during user testing.

Nielsen’s argument that the bullets don’t really make it more secure is also largely true. But there’s also something like perceived security. I remember 2 days of user testing on designs where the password hadn’t yet been masked by a row of bullets and was on the screen for everyone to see. 8 out of the 10 users spontaneously made negative remarks about this. Things like ‘Whoa, that’s not normal, right?’ and ‘That’s not really safe now, is it?’.

Which is why I’m not a fan of just showing the password on the screen without masking it. People don’t like it.

What does Apple do?

If you type in a password in the iPhone the last character you typed in is briefly shown. That way you get visual feedback without showing the entire password on the screen. (They’ve been using the same system on Symbian-based Nokia phones.)

Can we do this on the web?

Apparently we can. Chris Coyier developed 2 versions of the iPhone-system for the web. (For the techies out there: based on jQuery – more on the script and the possiility to download the files).

Where do we go from here?

My gut feeling says we should go for Coyier’s 2nd iPhone version, although the script apparently needs some improvements (it doesn’t work in IE7 at the moment).

But what’s my gut feeling really worth? Not a lot. To be sure what works best we need to take various options and test them with real people.

  • The classic bullet system.
  • The iPhone-version.
  • The Nielsen-way, a check-box to mask the password (once checked by default and once unchecked by default). Some examples of this approach.

In usability, opinions are nothing. Testing is everything.

PS: This article is based on an article on MediaKip, Michel Kuik’s blog (in Dutch) .


Read more articles about , , Usability.

Want to stay informed about new articles?
Subscribe to our RSS feed or our newsletter.


  • http://www.bestwebimage.com Rob

    That was absolutely horrible advice that Jakob gave, and even security expert Bruce Schneier now admits he may be wrong.

    If you think he is right now, you will probably change your mind in a month. Over a month time you will see countless people login to whatever on their computers, and the only reason you won’t find out their password is because the field was masked.

  • http://www.agconsult.be Els Aerts

    @Rob: You may have misunderstood me. I’m not saying Nielsen is right about advocating unmasked passwords. I’m saying he has a point saying they cause problems, but that my gut feeling is to go for the iPhone or BlackBerry way of masking. And it appears Bruce Schneier agrees. On his blog: “A reader mentioned BlackBerry’s solution, which is to display each character briefly before masking it; that seems like an excellent compromise.” But as I said before: in usability, opinions are nothing. Testing is everything.