Change Password

A typical page used to change a password. It has two entries that use masking.

Setting a password is tricky. You have to come up with a sequence of characters that you can
remember but other people will have trouble guessing. It is no easy feat. To make matters worse, the typical user interface for setting a password is hard to use. This is because of password masking: a character (usually a * or a •) is shown in place of what the user actually types.

The idea behind password masking is to prevent people looking over your shoulder and learning your password.
However, the user cannot see what he or she is typing so it is hard to spot a mistake. A password with a mistake makes it hard to log in. So we end up getting the user to enter the password twice, in the hope that he or she will not make the same mistake a second time.

Last year the usability guru Jakob Nielsen called for password masking to be dropped. And the security guru Bruce Schneier agreed with him. It pays to listen when high-profile experts on usability and security say things need to change. I did listen and started a lively debate about forms on GroupServer.

As a result of the discussion I ended up changing how GroupServer treats passwords:

  • When setting a password GroupServer presents the user with a normal text entry that shows what the user has
  • When logging in GroupServer presents the user with a normal password-entry that masks the password.

When setting a password the user can easily spot an error if he or she makes a mistake, so there is only one entry. Because setting a password is a rare event it is unlikely that someone will be looking over the user’s shoulder. However, entering a password when logging in is a common event, so we still use masking in that case.

We have been using the system on OnlineGroups.Net for about a year now. It has worked very well, and we now get very few requests from people who have trouble logging in.

However, reading back over the topic (which discussed forms in general) I realized that I have not finished my improvements to the password entry. What is currently missing is a checkbox on both forms, which would allow the user to toggle the masking, much like the Show password checkbox on the Edit Connection dialog in GNOME. Because the toggle is missing it looks like we made a mistake, as plain-text password entries are the exception, rather than the rule. At least I have Trac to remind me to fix things.
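The missing toggle, as an added example that is not GroupServer's code: a Show password checkbox wired to a password field, defaulting to plain text on the change-password form and to masking on the login form, and always re-masking before the form is submitted. The element ids are assumed; any element-like objects with `type`, `checked` and `addEventListener` will do, which is how the stand-in at the bottom works outside a browser.

```javascript
// Added example, not part of GroupServer. Element ids are assumed.

// The post's policy: change-password forms show the text, login forms mask it.
function defaultShown(formKind) {
  return formKind === 'change-password';
}

// Switching the input type is all a browser needs to reveal or hide the text.
function setShown(field, shown) {
  field.type = shown ? 'text' : 'password';
  return field.type;
}

function wireShowPassword(form, field, checkbox, formKind) {
  checkbox.checked = defaultShown(formKind);
  setShown(field, checkbox.checked);
  checkbox.addEventListener('change', () => setShown(field, checkbox.checked));
  // Submit in the masked state: the revealed text does not linger on screen,
  // and the browser's password manager sees a password field, not a text one.
  form.addEventListener('submit', () => {
    checkbox.checked = false;
    setShown(field, false);
  });
  return { field, checkbox };
}

// Minimal stand-in for a DOM element so the logic can run without a browser.
function fakeElement(props) {
  const listeners = {};
  return Object.assign({
    addEventListener(name, fn) {
      (listeners[name] = listeners[name] || []).push(fn);
    },
    dispatch(name) { (listeners[name] || []).forEach((fn) => fn()); },
  }, props);
}

if (typeof document !== 'undefined') {
  wireShowPassword(
    document.getElementById('login-form'),      // assumed id
    document.getElementById('password'),        // assumed id
    document.getElementById('show-password'),   // assumed id
    'login');
}
```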

  • Janet

    Another option I have started seeing recently is a “Show password” checkbox. It is unchecked by default, but if the user ticks it, then the password field is not masked. This allows the user to make their own trade-off between convenience and security. (I first saw this on wifi login screens, where a 32-character key is nearly impossible to enter without feedback, but I am now seeing it for web logins as well.)

  • Michael JasonSmith

    Hi Janet,

    We do have plans to add a Show Password toggle. The modifications to the Change Password pages were setting up the initial defaults. More information can be found in the ticket for the Show Password toggle:

  • jrsmk1

    I’m not sure where I’ve used this password entry system but it only shows the last character you typed, being replaced with the normal black dot as you enter a subsequent letter. This fits well with most typing patterns either when your fingers have stumbled on the keyboard, or when you’ve been distracted and you need to resynchronise brain, fingers and the text box.

  • Richard Waid

    jrsmk1: you might find you’ve used it on a number of different mobile interfaces. I agree, it does fit quite well. In a mobile interface I think it might work a little better for preventing ‘over the shoulder’ password stealing, because mobile phones are relatively difficult to see from off angles.

    It might also work in a web interface, but I think it would be relatively gimmicky in comparison. The ‘show password’ toggle allows for double checking strong passwords, which has to be a good thing.

  • Michael JasonSmith

    I have seen the system where the password entry last letter was typed. You are correct, it does allow for simple slips to be corrected. It does have the disadvantage of being even more surprising than a password entry that shows everything. So for now, I think the plain text entry is ideal.