
I generally like the idea of providing users the choice to reveal their typed password; many apps and sites have done so over the years. However, I have no idea how the original idea of entirely removing the "password masking" passed the "shower thoughts" phase, let alone made it into an academic research project.

> How often is someone looking over your shoulder when you type a password?

When I'm in the privacy of my own home? Rarely. When I'm using a mobile device (arguably where "unmasking" provides the most usability improvement) in public? All the time. No, random strangers are most likely not paying attention to your phone, but look around next time you go out there are cameras _everywhere_.

Even the helpful mobile keyboard feature that shows you the last entered character is a risk. Not to mention merely watching the interaction with the onscreen keyboard. However, both of those require a moderate amount of attention, versus just prominently displaying the full password unobstructed all at once on the screen.

You may not think those cameras matter, but let's be honest, many people have access to the data feed through those cameras. From the near-minimum-wage "security" guard (or loss prevention) employee to the corporate security teams storing the backed up footage.

Logging into your Hacker News account may present a low risk, but certainly, this could be catastrophic when logging into your bank account. It's one of the less acknowledged benefits of fingerprint readers and password managers (combined). Unmasking that password entered by the password manager would defeat this entirely.

Let it be an option, but don't do this by default.



We got a laptop at work. It's an Acer gaming thing which we bought because it was the cheapest thing we could find with a GPU in it. It also has an RGB keyboard (which is terrible, half the keys stick). The default setting is to flash a key when you press it, which then fades out over a second or two.

See the problem? Whenever you typed a password, you would see all the letters you typed lit up on the keyboard conveniently in brightness order...


If someone has an infrared camera they get the same information: the heat of your fingers leaves traces on the keys you press.


At least you can fake that out by pressing the wrong keys. Similar to how I enter my PIN into ATMs, I have my fingers covering all the keys at once with my hand open and my palm down. All the keys get touched, albeit with different amounts of pressure, but picking up that sort of difference would be error prone.


I work with infrared cameras, I'll check this out tomorrow! Useful for things like seeing if someone's just left the office for lunch because their chair's warm.

Reminds me of the scene in one of Dan Brown's books where they catch the protagonist by noticing a conveyor belt has warmed up (which he lay on to escape). The first time I read that I thought it was nonsense, but having used decent cameras I'm inclined to believe it now.


like... i get that this is technically true, but you see how the addition of an infrared camera to the mix makes things much more cumbersome? or rather, do you see how obviating the need for an infrared camera makes discovering the password much easier (because you don't have to acquire and place an infrared camera, you're just handed the info via the visible spectrum)?

clever trick with the infra cam, but i don't think you've shown the equivalence of the situations in any practical sense. maybe that wasn't your point, and you were just offering a sorta-similar-but-not-really detection technique?


The infrared camera is not something exotic. Anyone who is interested in discovering passwords will have one. Most people do not care - if I posted my bank account password here, most people wouldn't attempt to log in to see if it was real, and of those that did, most wouldn't do anything bad. I still don't post my bank info because of the tiny number of people who would abuse it: they are mostly the same people as those who would buy the infrared camera.


> look around next time you go out there are cameras _everywhere_

In that case, the cameras can also capture which keystrokes are being typed.


indeed


> Let it be an option, but don't do this by default.

Fully agree, and found the "As for what you should set the default to. Well that’s another question..." conclusion quite stupid to be honest; "80% were not expecting to see the password as clear text" and "60% said they had become suspicious of the site", on those metrics alone surely it's obvious the default should be masked with an option to reveal.


They were suspicious because it looked like an error when there was no control. The second half seems to have been conducted with shown as the default, so you should perhaps pick quotes from that section instead. While hidden is the more conservative approach, since users will not have to think about it, this paper suggests that with a control it's not too scary to default to shown.


> this paper suggests that with a control it's not too scary to default to shown.

I’d rather have password masking be the default everywhere.

Consider for example lecturers using the computer in a room full of people, prominently displaying their screen on the projector for all to see. Or anyone in a business meeting for that matter, using a projector or sharing their screen through teleconferencing.

If you are fast at typing you could type out a lot of your password before catching the fact that everyone is seeing your password.

And if you are a hunt-and-peck typist you might be slow but you might also be looking at the keyboard the whole time as you are typing out your password, and therefore not catch the fact that everyone is seeing your password.


It took me a long time to jump on the password manager bandwagon, but one of the big positives IMO is that I almost never need to type or see my password to enter it correctly - precisely for the reasons you mention. I do occasionally need to see if I made a typo or I don't need the privacy but as you say - it shouldn't be the default.


What's wrong with doing research on something everyone "already knows"? There's always a chance of finding something unexpected, and even if you get the predictable result, people can use your study to argue against really bad ideas.


> but look around next time you go out there are cameras _everywhere_

> You may not think those cameras matter, but let's be honest, many people have access to the data feed through those cameras. From the near-minimum-wage "security" guard (or loss prevention) employee to the corporate security teams storing the backed up footage.

yeah, this is a thought that has crossed my mind a lot the last couple years, and i find it really unnerving. i now consciously try to keep my typing out of the sight line of cameras, though i don't always remember to do that, and i'm sure there are tons of cameras i don't notice.


If there are cameras everywhere, and keyloggers, don’t you think they can see what you type?


The real problem here is that on-screen mobile keyboards are an atrocious input method compared to a real physical keyboard, in general, but in particular for passwords, where you are typically changing case and adding special characters.

