Do We Need To Hide Passwords?

Hiding passwords on web forms and in other computer applications has become a de facto standard practice. But do we really need to hide passwords?

Perhaps you remember when web forms had the notorious Reset button: I guess some sadistic programmer came up with the idea that after you spend minutes painfully filling out a form you would like to clear it completely. Fortunately, the Reset button rarely appears nowadays. Hiding passwords is a practice that also needs to be updated.

The logic for hiding passwords is that you want to prevent others from looking over your shoulder and reading your password. However, a skilled thief will be able to get it anyway just by looking at your fingers while you type.

The downside of hiding passwords is that users make more frequent mistakes because they can't read what they are typing. And since most systems lock users out after a number of failed login attempts, users are more nervous and feel less confident.

This situation causes two security problems: the first is that users tend to use simple passwords that provide very little protection, or use the same password in different systems, and the second is that users keep lists of passwords from which they copy and paste.

Our recommendation is to add a "Hide/Show Password" switch that users can change as they want. Whenever they feel safe that nobody is looking at the screen they can show the password and confidently type it. If they are in a public environment where others can see their screen they can hide the password for extra security.
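One way to build the switch recommended above, as an added example that is not part of the original article. The element ids (login-form, password, toggle-password) and both function names are assumptions. The field starts hidden and is hidden again when the form is submitted.

```javascript
// Added example, not from the original article. Assumed markup:
//   <form id="login-form">
//     <input id="password" type="password" autocomplete="current-password">
//     <button id="toggle-password" type="button">Show password</button>
//   </form>
// The button is type="button" so that clicking it never submits the form.

// Switch the field between hidden ("password") and readable ("text"),
// and keep the button label and ARIA state in step with it.
function setPasswordVisible(input, button, visible) {
  input.type = visible ? "text" : "password";
  button.textContent = visible ? "Hide password" : "Show password";
  button.setAttribute("aria-pressed", String(visible));
  return visible;
}

function attachPasswordToggle(input, button, form) {
  // A readable password is an ordinary text field to the browser,
  // so keep it away from the spell checker.
  input.setAttribute("spellcheck", "false");

  // Hidden by default: the user opts in to showing the password
  // when nobody else can see the screen.
  setPasswordVisible(input, button, false);

  button.addEventListener("click", () =>
    setPasswordVisible(input, button, input.type === "password"));

  // Hide again on submit so the value is handled as a password field
  // (password manager prompt) and not saved as plain text form history.
  form.addEventListener("submit", () =>
    setPasswordVisible(input, button, false));
}

// Wire it up only when running in a page that has the assumed markup.
if (typeof document !== "undefined") {
  const form = document.getElementById("login-form");
  const input = document.getElementById("password");
  const button = document.getElementById("toggle-password");
  if (form && input && button) attachPasswordToggle(input, button, form);
}
```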

