Post #2, 30-06-09, 13:11
Mike Lewis (Part of the furniture; Join Date: Mar 2009; Location: Edinburgh; Posts: 277)
Re: Masked Passwords - really that *******?

Thanks for posting this, Stuart.

I totally agree with Neilsen. I have had this view for a long time, but have never said anything publicly for fear of being regarded as being lax on security (which I'm not).

Obviously, there are situations where masked passwords are essential: public computers in Internet cafes and libraries; computers in busy offices or sited near external windows; etc.

But there are also many more cases where there is no risk of anyone seeing the password on the screen, or where users can easily take steps to avoid being overlooked. In those cases, a masked password is a nuisance.

The most ridiculous example I know is on my iPod Touch. This is a tiny device that can be held in one hand. It's the easiest thing in the world to hold it close to your body so that no-one can see the screen. In fact, it's more difficult to show the screen to someone than to hide it. And yet it forces you to type passwords on its minuscule touch keyboard with no way of checking that the password is correct.

Another stupid example is in software for administering databases, servers and the like. In SQL Server, for example, there is a feature to allow an administrator to manage passwords. But at no time is the password actually visible. You can never check that the user has been given the correct password, or whether the password is easily guessable, because nobody can ever see it. This is even more ridiculous given that this feature is normally only used by privileged administrators working in their own offices, away from public gaze.

In my own applications, I have adopted a different approach. For user login screens, I do mask the password. But for password admin functions, I default to showing it in clear. But I include a "hide password" checkbox for the benefit of users working in a public area (or those who can't cope with the idea of a password that's not a string of asterisks).

Be interesting to hear what others think.

Mike
__________________
Mike Lewis (Software Developer)
Custom software for your business

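The approach described in the post (mask at login, show in clear for password-admin screens, with a "hide password" checkbox for users in public areas) as an added example in browser-side JavaScript; this is illustrative code, not Mike's own, and the `input`/`checkbox` objects are assumed to be a real `<input>` element and checkbox (or plain objects with the same properties, as in the test).

```javascript
// Added example (not from the post). Models the policy described above:
// login screens default to masked, password-admin screens default to clear,
// and a "hide password" checkbox lets a user in a public area re-mask it.
// `input` is anything with a `type` property (a real <input> or a plain
// object); `context` is 'login' or 'admin'. Unknown contexts fail closed.

function defaultMasked(context) {
  if (context === 'login') return true;   // always mask at login
  if (context === 'admin') return false;  // clear by default for admin tasks
  throw new Error(`unknown password field context: ${context}`);
}

// Switch the field between masked and clear. Returns the resulting type
// so callers (and tests) can check it without touching the DOM.
function applyMasking(input, masked) {
  input.type = masked ? 'password' : 'text';
  return input.type;
}

// Wire the "hide password" checkbox to the field. The checkbox starts in
// the state the context demands, and the field follows it from then on.
// Returns the change handler so it can also be invoked directly.
function bindHidePasswordCheckbox(input, checkbox, context) {
  checkbox.checked = defaultMasked(context);
  applyMasking(input, checkbox.checked);
  const onChange = () => applyMasking(input, checkbox.checked);
  if (typeof checkbox.addEventListener === 'function') {
    checkbox.addEventListener('change', onChange); // real DOM element
  }
  return onChange;
}
```

In a real page the same `bindHidePasswordCheckbox` call is made once per form after the elements exist; the login form will ignore its checkbox being absent only if you pass a dummy object, so give every masked field its own checkbox or omit the binding.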