This article summarises the results from an academic study investigating the impact removing password masking has on consumer trust.
Results prove that unmasked passwords were unexpected by participants, and when they were forced upon them the result was mixed. Some appreciate the usability benefits, whilst others believe there is an error on the site. This causes them to lose trust in the buying process.
However, when participants are offered the choice of masked or unmasked passwords within the interface, they identified the concept as a feature, not an error. Participants identified the usability benefits of clear text passwords and the security benefits of masked passwords. When participants used this option, there was no impact on trust in the e-commerce website.
Password masking is a very common web design pattern. It involves a text field which accepts any character but doesn’t show the typed character to the user. Instead it shows a bullet point. The pattern is used across the web with the aim of increasing security. You’ll find examples of it on pretty much any site which requires a user to log in.
There are numerous usability problems:
For all this user inconvenience there are practically no security benefits at all:
Password masking is a legacy pattern that keeps being adopted without a moment’s thought.
Yet all it does is inconvenience people.
A plethora of usability experts agree that password masking isn’t good for anyone.
Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.
Passwords on the Web have long been riddled with usability issues. From overly complex security requirements to difficult to use input fields, passwords frequently result in frustrated customers and lost business.
A qualitative research study to explore participants' reactions to unmasked password input fields.
How does unmasking the password input field impact consumer trust in an e-commerce ticket website?
If password masking is related to trust then removing the password masking will reduce the levels of trust.
11 semi-structured interviews were utilised to understand participants' general trusting levels. Participants were asked to think aloud as they used a sample ticket sales e-commerce website. The elements impacting their trust in the website were mapped against the Model of Trust for E-Commerce (MoTEC).
Non-probability quota sampling was used to ensure that a healthy level of diversity across age, gender and Internet ability was achieved. All participants had purchased at least three products or services online in the last year and had previously purchased event tickets. Eleven participants were interviewed.
A general analytical procedure was used to handle the collected data appropriately and to derive meaning from it.
Unmasked passwords were unexpected by participants, and when they were forced upon them the result was mixed. Some appreciate the usability benefits, whilst others believe there is an error on the site. This causes them to lose trust in the buying process. Therefore a negative link between unmasked passwords and trust is found.
80% were not expecting to see the password as clear text.
There was a mixed result. Some indicated that it made no difference to their trust, whilst others said it made them suspicious of the site.
Reasons participants gave for concern:
"It just makes it easier, so you can see what you have put in... I much prefer having the letters written out so I can see them."
"I’ve seen it before on my tablet, sometimes it gives the option to show the password. But I've never seen it on a website."
"From trusting the site at first glance I have gone to not trusting it at all. If it was a mistake, they may have more mistakes in the buying process... I would probably not continue and definitely try to find the tickets on a different site."
"If I am using the site for the first time, it will definitely ring some bells and raise concerns about how secure my information is."
When offered the choice of masked or unmasked passwords within the interface, participants identified the concept as a feature, not an error. Participants appreciated the usability benefits of clear text passwords and the security benefits of masked passwords. When participants used this option, their trust in the website was unaffected. (Note: the password was unmasked by default.)
100% of participants noticed the checkbox and understood the interaction.
Instead of thinking there was an error with the site, participants viewed the clear text password as a feature.
The presence of the tick box reassured them that the change in convention was by design. It also offered the ability to turn masking on and return to a convention they felt comfortable with.
"The fact that it is there gives me the chance to check what I have typed. It is helping me in my inability to do something simple"
"I think that is much better, as it shows they have thought about it"
"It is protecting me against somebody looking over my shoulder. It gives me a feeling that there is some form of protection in place"
Clear text passwords do increase usability, but don’t force the change upon your customers.
Offer it as an option and let them use it when they feel comfortable.
As for what you should set the default to, well, that’s another question...
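One way to build the option recommended above, as an added example that is not part of the study or its test site: a checkbox that masks a field which starts in clear text, matching the study's second condition. The function name, the element ids, the field attributes and the re-masking on submit are assumptions made here.

```javascript
// Added example, not the study's code. Hypothetical names throughout:
// attachMaskToggle, #password, #mask-password, #login-form.
function attachMaskToggle(input, checkbox, form) {
  function apply() {
    // Ticked box = visitor asked for bullets; unticked = clear text.
    input.type = checkbox.checked ? 'password' : 'text';
  }

  // Assumption beyond the study: while the value is visible the field is an
  // ordinary text input, so tell the browser it still holds a credential
  // and keep spellcheckers away from it.
  input.setAttribute('autocomplete', 'current-password');
  input.setAttribute('spellcheck', 'false');

  checkbox.addEventListener('change', apply);

  // Assumption beyond the study: mask again just before the form is sent so
  // the browser handles the value as a password rather than as free text it
  // may keep in form history. The checkbox is ticked too, so the control
  // still matches the field if validation cancels the submit.
  form.addEventListener('submit', function () {
    checkbox.checked = true;
    apply();
  });

  apply(); // honour the initial checkbox state (unticked = unmasked default)
  return { isMasked: function () { return input.type === 'password'; } };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  const input = document.getElementById('password');
  const checkbox = document.getElementById('mask-password');
  const form = document.getElementById('login-form');
  if (input && checkbox && form) {
    attachMaskToggle(input, checkbox, form);
  }
}
```

Markup for this would be a password field, an unticked checkbox labelled along the lines of "Hide password", and the enclosing form, carrying the ids above.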
Research conducted by Jack Holmes
Published 8th September 2014