I don't really know what the fuss is about since the simplest solution is the most obvious one. Masking should be optional; it should be enabled by default and controlled by the checkbox next to the entry field.
Ick. Since you don't see what all the fuss is about, you're going to put another doodad between your user and conversion. Ask an online business that does any sort of volume at all: this is bad.
Web forms are where the usability rubber hits the road online. When adding an item to your form you should always be of the mindset that this extra step (optional or not) will lose you conversions, but you have to have it because of X. This forces you to justify placing item X, which in this case is the unmask password option. Is having an option to unmask the password field going to gain you more conversions than not? I have no data, just anecdotes and experience, but those all tell me no.
Putting a check box next to the entry field is putting GUI decisions on your user because you can't figure it out, and it will lose you conversions.
EDIT: Re-reading this it sounds like a personal attack on the OC. It's not. I'm using the universal you.
Checkbox? If the browser implements it you don't need a checkbox (icon in the field, menu option, context menu option - plenty of neater ways to implement it than a checkbox).
That button isn't tiny, and is in fact very obtrusive. It makes creating designs and layouts hard enough as it is, and the file dialog isn't even used very often.
I'm pretty sure you can implement something like this on the web with some simple JavaScript, dynamically changing the input type from "text" to "password" and vice versa.
Or you can put this option in a menu or status bar or whatever.
By the way, I don't understand your complaints about design and layouts. I've never had problems with designing forms. Maybe this is because I didn't try to replace native controls with some uber-fancy things? (which is a good thing)
...thereby breaking the semantics of the password input type. If it's going to be changed by Javascript, it should be a CSS style called "masked" or something.
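The approach the comments above are debating, as an added example that is not part of any comment in this thread: a "show password" toggle that keeps the field masked by default and switches the input's `type` attribute (HTML has no CSS property that masks typed characters, so the attribute is the only standard mechanism). The element ids `pw` and `show-pw`, the `remaskOnBlur` option and the `fakeElement` stand-in are assumptions made for this example. Two design choices go beyond the thread: the revealed state is never persisted, and the field is re-masked when it loses focus so an unattended screen does not keep showing the password.

```javascript
// Added example (not from the thread). Assumes a form containing
//   <input type="password" id="pw">  and  <input type="checkbox" id="show-pw">
// (hypothetical ids). The state logic is kept separate from the DOM so it
// can be exercised outside a browser.

// The only standard way to mask or reveal an input is its type attribute:
// "password" hides the characters, "text" reveals them.
function applyMasking(input, masked) {
  input.type = masked ? 'password' : 'text';
  return input.type;
}

// Wires a "show password" checkbox to a password input.
// Default is masked: the checkbox starts unchecked regardless of markup.
function wireMaskToggle(input, checkbox, opts = {}) {
  const remaskOnBlur = opts.remaskOnBlur !== false; // assumed option, on by default
  checkbox.checked = false;
  applyMasking(input, true);

  checkbox.addEventListener('change', () => {
    applyMasking(input, !checkbox.checked);
  });

  if (remaskOnBlur) {
    // Re-mask when the field loses focus so the password is not left
    // visible on screen after the user moves on. Nothing is stored.
    input.addEventListener('blur', () => {
      checkbox.checked = false;
      applyMasking(input, true);
    });
  }

  return { isMasked: () => input.type === 'password' };
}

// Minimal event-target stand-in (constructed for this example) so the logic
// can run and be tested without a browser DOM.
function fakeElement(props) {
  const listeners = {};
  return Object.assign(
    {
      addEventListener(name, fn) {
        (listeners[name] = listeners[name] || []).push(fn);
      },
      dispatch(name) {
        (listeners[name] || []).forEach((fn) => fn());
      },
    },
    props
  );
}

// In a real page, attach to the (hypothetical) elements if they exist.
if (typeof document !== 'undefined') {
  const pw = document.getElementById('pw');
  const show = document.getElementById('show-pw');
  if (pw && show) wireMaskToggle(pw, show);
}
```

Serve the checkbox only when this script runs (or hide it until then), so users without JavaScript still get a plain masked field rather than a control that does nothing.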
The problem of displaying passwords has been solved by Unix years ago: do not show any visual feedback whatsoever. Security over convenience.
The problem of storing and subsequent input of random secure passwords has also been solved by Schneier and others via pwsafe and variants thereof. No worries about mistyping at all.
For special cases like Blackberry-type gadgets, what is needed is simply a port of pwsafe.
"Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."
Given this fact, it's not too hard to see why he would have come out against masking...
On our signup form for our time tracking service, the password fields are clear text, with a checkbox available to hide it that says "I'm being watched!"
Because... the credit card numbers are also clear text.
People on HN, for example, will have a freakout about the password but never the credit card number. It's extremely unusual to shield a credit card number on entry, because of mistakes.
Just make password masking a choice. For many people working mostly at home the only person "shoulder surfing" will be a family member. Masking passwords is really an annoyance. I don't want to know how many hours get wasted on retyping passwords over the years.
Also people tend to save passwords to overcome the typing annoyance thus making them less secure.
Well, has anybody thought that both decisions are right?
I mean, sometimes you _really_ are alone, with nobody shoulder surfing, and password masking is damned annoying. So, why not a check-box to turn masking off? And for the paranoid/security conscious, we can default mask on.
So, every time I type my password I should check that nobody is behind me? Look to the right, look to the left, look behind, type one key. Look to the right, look to the left, look behind, type one key. Look to the right, look to the left, look behind, type one key.
"Mask-on by default" means no regular user will ever uncheck. I think you greatly overestimate people's security knowledge, not to mention UI.
No regular user would ever turn the masking off. They simply don't click on these additional options. Heck, they don't even understand why it's there. Can you explain what the checkbox's purpose is? Why and when should it be turned off?
As a security expert, you should provide what's more secure, even if that means recognizing the users are too dumb to follow your rules.
So what is the harm there? Even if a user could not figure out (oddly) what the checkbox does, he'll continue to get the password field to behave in the way he is accustomed to.
Surely, people will have trouble figuring out the purpose of the checkbox in the beginning. But that's how things tend to be when you run into something for the first time. It takes some time before a style becomes standard.
And what data do you have? I don't have statistics favouring a checkbox password masking option either.
We're into untested territory thinking here, and I don't believe calling for statistics will disprove anyone. In the absence of hard numbers, I take your challenge.
staunch, I bet you $25 (via PayPal) that two users will not uncheck password masking, when presented with an explanation of what it's for, without looking either to the left, right or behind before typing the password.
I think the percentage will come down to demographics, the kind of site, the copy, and ten other variables. My wild guess is that it will be 5%+ without trying hard.
I'll probably try this on one of my sites (I've tried no masking before). Maybe I'll blog it. You can keep your $25.