In a place/system where its functions/services are considered critical (online banking, ATM, etc.), you don’t want your password/pin entry to be fed back on the output screen in clear text, simply because you want the best possible protection that [you think] you can get. Admittedly there’s psychological consciousness due to prolonged habit to see them masked, but there are other reasons as well.

Here’s mine: people tend to have less than a handful of passwords we can memorize and their slight variations (e.g. to meet the complexity requirements). Any more complex than that, we would write it somewhere in anticipation we will likely to forget it in a month or so. Those memorizable password/pattern, we took effort to come up with in the first place to make them mentally storable and unique – at least to ourselves. In a way, it’s becoming our ‘intellectual property’ which we’re reluctant to share with anyone else because if one is compromised, it may compromise other passwords for other systems that utilize the same patterns. In short: we don’t want to keep them anywhere else but our own mind let alone keeping/seeing them in clear text, anytime, anywhere. Consider the recent Twitter documents leak incident. The attacker managed to keep his hijack unknown to the victim because he’s able to uncover the Gmail password by searching for any site new registration email feedback in the archive that may contain some password, any password: in clear text. I searched mine recently and surely enough there are 20+ results showing my Gmail password in clear text.

In closing: I don’t want to see my password in clear text anytime, anywhere. It should be clear text only in my mind.

Computer users are more savvy than ever, but they can’t remember a strong password? More likely they just chose not too, because a good policy was not properly supported.

My personal experience: strong passwords work very well, just spend a bit of time working with your user community to come up with easily memorized passwords so they don’t just write them down.

Our security policy includes removing any postings that look like password notes. Our information is worth protecting.

In response to the original article by Nielson:
–
The biggest hangup on this idea is how browsers work. Passwords are only saved in browsers if they use the masked “password” field, and are generally stored by the browser encrypted. Text fields store autocomplete data making them vunerable ot physical browser access (though it can be disable in most browsers with autocomplete=”off”) and are generally stored by the browser unencrypted.

So, do do you allow browsers to remember the password in their password history and keep it masked? Or do you use a text field and allow autocomplete of a text field which might expose the password? Or do you use a text field and require the user to manually enter the password each time?

Hard choices…somehow I think the existing system will win out until browsers allow unmasked password fields (if you type in it, you see the letters, if it is autofilled, it is masked).

Wouldn’t such a “highly usable” site accidentally resemble the lousiest sites ever, the ones that have homemade security systems that leak passwords all the time?

It’s hard to put myself in the non-technical users’ place, but I would think that as they make their first impressions of the professionalism of a site and judge its trustworthiness, seeing their passwords in the clear would probably not make them think of a security- and usability-conscious design.

It would be interesting to ask some users if they think the password is getting “encrypted” as they type it in, i.e. that’s *why* it looks like *****. If that happens to be people’s mental model, then I’m definitely keeping with the tradition.