Do you think this is a security risk and if not is it a bad UI decision?

Michael Scherer misc at
Sat May 4 09:37:02 UTC 2013

Le vendredi 03 mai 2013 à 23:24 -0500, Eric Sandeen a écrit :

> What is the downside to defaulting to a hidden PW, with an opt-in mechanism to
> display the password as it's typed?  The downsides of defaulting to cleartext have
> been noted, and to me are quite self-explanatory.

First, we need to see  why the input default to visible.

The discussion about it have been going since a few years in usability
circles when Jakob Nielsen proposed it :

and I think that even Bruce Schneier have gave his opinion in favor of
the proposal :

I can add to that that I have seen more than once people setting a
password which was not the one they believed due to  :
- keyboard layout ( ie, qwerty vs azerty in France ) 
- small usage difference with Windows way, again on azerty keyboard
( people using capslock on french keyboard to type numbers while they
should use shift, as capslock just type capital letter like À or É and
not 0 or 2, and if you do not understand, just look on the web to
compare how different it is from qwerty-based keyboard )

Or I could also speak of the small non standard keyboard such as macbook
one where ~ or | are not printed and where using the wrong keyboard
could result in wrong characters if you are unaware of the problem.

Or what about the people where the ASCII ( or ASCII related ) chars are
not the norm, and people are forced to use it for the password despite
sometime being less familiar with it ( ie, china, japanese, india ) ?

I think we can agree there is a few problems to solve here, and showing
the password ( I think ) help to solve them ( or at least minimize the
time spent on figuring what is wrong ). 

But the discussion is not about that, even if I think the rational
around the defaults. 
Showing by default will help people who are less familiar, hidden by
default will satisfy people who think that's a security issue.

Hidden by default and showing it on demand is likely to still be a
hindrance to people who may not know they type their password wrong
( because I think most assume that it will work fine, we are not to a
point where people assume by default this will fail ).

So what about hiding on demand, and having it visible by default ? This
way, people who prefer to have it hidden will be happy, and we are still
friendly to non technical users.

( and then the discussion is around the mechanism to hide the password,
between "reduce visual clutter" and "have a explicit checkbox" )

Michael Scherer

More information about the devel mailing list