Should password masking stand?

Written by Dan Blacharski on July 6, 2009

There has been some debate in the blogosphere this past week about password masking, ever since blogger and web usability guru Jakob Nielsen suggested that passwords be shown in clear text as the user types them, rather than as a row of bullets. Nielsen, a leading expert in web site usability, argues that masking violates a basic usability principle: the user gets no feedback on what has actually been typed.

And Dr. Nielsen has a point. It has often happened to me: I'm typing in a password, I get interrupted for a moment, and I wonder whether I typed the right character. I look at the screen, but since there is nothing there but a row of bullets, I can't tell. Typing passwords on smartphones and other mobile devices is especially vexing, since most people's fingers just aren't made for tiny keyboards, and typos are common. And if your administrator has configured an account lockout policy, as most do, a few consecutive typos will lock you out. Clear-text feedback in the password box would eliminate many of these problems and make for an easier login.

A SANS response to Dr. Nielsen acknowledges the usability issue but raises several concerns. The first is shoulder-surfing, or even accidental observation, of a password displayed in the clear. The second is browser autocomplete: an unmasked field is an ordinary text field to the browser, which may save its contents in form history and later prefill the password along with the user's other form data. There may also be compliance issues, since some control frameworks (NIST SP 800-53's IA-6, Authenticator Feedback, for example) expect authentication input to be obscured on screen.
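The middle ground most practitioners settle on is to keep masking as the default and let the user reveal the field on request, which gives Nielsen's feedback without leaving a password on screen for the shoulder-surfer or in the browser's form history. The following is an added example of that control; it is not code from this post, from Nielsen, or from SANS. The element ids, the checkbox markup, and the choice to re-mask on blur and on submit are assumptions made for the example.

```javascript
// Added example (not from the post, from Nielsen, or from SANS): a "show password"
// control that keeps masking as the default and reveals the typed value only while
// the user asks for it. Assumed markup (ids are made up for this example):
//   <input type="password" id="password" autocomplete="current-password">
//   <label><input type="checkbox" id="show-password"> Show password</label>
// Declaring the field as type="password" lets the browser treat it as a credential
// rather than form-history text; the toggle only changes rendering, and the field is
// re-masked when it loses focus and again before the form is submitted.

// Pure state change: returns the new input type. Works on any object with a `type`
// property, so it can be exercised without a DOM.
function applyReveal(field, reveal) {
  field.type = reveal ? 'text' : 'password';
  return field.type;
}

// Wire the checkbox to the field. `field`, `toggle` and `form` only need
// addEventListener(), so EventTarget-like objects work as well as DOM nodes.
function attachRevealToggle(field, toggle, form) {
  applyReveal(field, false); // start masked no matter what the markup says
  toggle.checked = false;

  const remask = () => {
    toggle.checked = false;
    applyReveal(field, false);
  };

  toggle.addEventListener('change', () => applyReveal(field, toggle.checked));

  // Clicking the checkbox must not steal focus from the field, otherwise the blur
  // handler below would re-mask (and un-check) just before the click toggles the
  // box, leaving the field revealed when the user meant to hide it.
  toggle.addEventListener('mousedown', (e) => e.preventDefault());

  // Re-mask as soon as the user leaves the field so a revealed password is not left
  // sitting on screen for a passer-by (the accidental-observation case). Tabbing to
  // the checkbox itself is the one exception, so keyboard users can still toggle.
  field.addEventListener('blur', (e) => {
    if (!e || e.relatedTarget !== toggle) remask();
  });

  // Re-mask before submit so the form goes out with the field in its declared
  // password state (defensive: browser password-manager heuristics vary).
  if (form) form.addEventListener('submit', remask);

  return remask;
}

// Browser wiring; skipped when there is no DOM (for example under Node).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    const field = document.getElementById('password');
    const toggle = document.getElementById('show-password');
    if (field && toggle) attachRevealToggle(field, toggle, field.form);
  });
}
```

The checkbox is deliberately unchecked on page load rather than remembering a previous choice: the default state is what the compliance checklists and the shoulder-surfing objection care about, and the reveal is meant to be a momentary check, not a mode.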

From a security perspective, eliminating password masking should be approached with caution, but the real security comes from stronger passwords and from protecting them in transit and at rest (TLS on the wire, salted hashes in the database), not from the masking itself. SANS recommends going further and implementing two-factor authentication, which both increases security and improves usability. With a one-time-password token, the form of two-factor authentication SANS has in mind, the secret the user types is generated rather than memorized, which overcomes a lot of the objections, and it blunts shoulder-surfing: even if someone looks over your shoulder and sees the code in clear text, it is useless to them, since the token produces a new code for every login and a properly implemented server rejects a code that has already been used. Most deployments still pair the token with a memorized PIN or password, so the usability gain is real but not total.


One Comment to “Should password masking stand?”

  1. Rob Says:

    Keep masking the field. Even Bruce S., the security expert that helped advise Jakob, has changed his mind on this. See his post: http://www.schneier.com/blog/archives/2009/07
