I’m currently taking care of an insurance claim for my in-laws and received an email from their insurer, Australian Pensioner’s Insurance Agency (APIA). This disclaimer made no sense to me, so I wonder what a pensioner would make of it. No wonder they are so scared of technology.
“The following message has been automatically added by the Internet mail gateway to comply with the Group’s Information Security requirements.
“This e-mail has arrived via the Internet, and therefore you should be cautious about its origin and content. Replies which contain sensitive information and / or legal/contractual obligations are particularly vulnerable.
In these cases you should not reply unless you are authorised to do so, and adequate encryption is employed.”
If you have any questions, please contact the IS Service Desk.”
In his Alertbox this week, Jakob Nielsen tells us to Stop Password Masking. He says “It’s time to show most passwords in clear text as users type them”. It’s not something that I’ve ever thought of and I like the thinking but I don’t agree with it.
Jakob bases his rationale on the fact that there is usually nobody looking over your shoulder when you log in so masking the password is only serves to increase the chance of user error. But what about the times when somebody is looking over your shoulder. What do you do then? Jakob says that you should add a checkbox to your login form so that people can choose whether to mask their password. I think this adds unnecessary weight to the login form – another thing for the user to consider when logging in.
What about the registration form? There’s usually nobody peering over your shoulder when you’re registering so it seems like a more reasonable place to display passwords in clear text. By doing so you could remove the need for the retype password field but I wonder how much of the username + password + retype password pattern users look for when scanning a registration page (that often also contains a login box).
It seems that Jakob’s thinking is based on things he’s observed while testing mobile devices. I agree that typing passwords on a mobile device can be tricky because of the small format keyboard but I wonder if it isn’t the responsibility of the operating system or hardware to solve that particular problem. The iPhone does a great job of both masking and displaying a password – but that’s done on the phone, not the website.
It’s a tricky one but the fact that I’ve never thought of it as a problem and have never observed or read about anyone actually complaining about it leads me to conclude that it ain’t broke so let’s not fix it.
What do you think?
