Security question: plain text entry or masked?

23 Jul 2009 - 11:38am
11 replies
1099 reads
Anthony Hempell
2007

Hi all,

I'm reviewing an account creation page that contains username,
password, confirm password, a drop-down selection for security
question and a plaintext box for entering the security answer.

It's my gut feeling that the "security answer" box should also be
masked just like the password entries, although this would then
require another confirmation box. A quick Google on the subject did
not turn up any definitive answers so I turn it over to the wisdom of
the list...

thanks
Anthony

Comments

23 Jul 2009 - 12:48pm
Severin Brettmeister
2009

Hi Anthony,

have a look at http://www.useit.com/alertbox/passwords.html.

I'm still thinking about it and have my doubts about different platforms, habits and so on...

All the best,
Severin

23 Jul 2009 - 1:32pm
William Hudson
2009

Anthony -

Not a definitive answer but in the vast majority of sites I have seen,
the security answer is in plain view. I think you're right, that if it
were going to be masked, it needs a confirmation. But then the whole
process is becoming decidedly painful.

You didn't mention email address and maybe it isn't relevant, but I
would definitely ask for a confirmation of that if you haven't already.
(Otherwise, a simple mistyping is the end of the story!)

Regards,

William Hudson
Syntagm Ltd
Design for Usability
UK 01235-522859
World +44-1235-522859
US Toll Free 1-866-SYNTAGM
mailto:william.hudson at syntagm.co.uk
http://www.syntagm.co.uk
skype:williamhudsonskype

Syntagm is a limited company registered in England and Wales (1985).
Registered number: 1895345. Registered office: 10 Oxford Road, Abingdon
OX14 2DS.

Confused about dates in interaction design? See our new study (free):
http://www.syntagm.co.uk/design/datesstudy.htm

12 UK mobile phone e-commerce sites compared! Buy the report:
http://www.syntagm.co.uk/design/uxbench.shtml

Courses in card sorting and Ajax interaction design. London, Las Vegas
and Berlin:
http://www.syntagm.co.uk/design/csadvances.shtml
http://www.syntagm.co.uk/design/ajaxdesign.shtml


23 Jul 2009 - 1:54pm
Caroline Jarrett
2007

There's been quite a lot of chat in the blogosphere about password masking
(generically) since Jakob Nielsen published an alertbox against it:
http://www.useit.com/alertbox/passwords.html

and then Bruce Schneier, who gave him some security advice, somewhat
recanted:
http://www.schneier.com/blog/archives/2009/06/the_problem_wit_2.html

I'm not yet seeing convincing evidence from user research that inclines me
to one view or the other.

Jakob's piece talks about mobile, in particular, and there are certainly
major issues in trying to put an accurate password into a mobile device. To
give just a few factors: inadequate keyboards, small screens, awkward
contexts, possibility of being overlooked.

What I'm not yet seeing is much consideration of what I call 'relationship'
issues. In this area, those would include the reason why the user is
creating/entering the password, the relative importance of this security
compared to the value of what lies behind it, and so on.

So coming back to your question: what sort of account is being created? Are
users likely to be feeling especially sensitive for any reason about the
personal information or whatever they will divulge to the account? Or
especially casual? Are they likely to be shoulder-surfed? Or using a mobile?
What do they expect to happen on a site of this nature?

Broadly, the plain text echoing is likely to be reassuring for a mid-to-low
importance site that is used in (mostly) private circumstances.

If it's a high-security site or is likely to be used in public
circumstances, then keep as much private (i.e. masked) as you can.

And try to get some users' views on the matter, preferably by getting them
to try a prototype.

Best

Caroline Jarrett
"Forms that work: Designing web forms for usability" www.formsthatwork.com

Effortmark Ltd
Usability - Forms - Content

Phone: 01525 370 379
Mobile: 0799 057 0647
International: +44 152 537 0379

16 Heath Road
Leighton Buzzard
Bedfordshire
LU7 3AB
UK

23 Jul 2009 - 5:40pm
Anthony Hempell
2007

Thanks Caroline.

This is for creation of an online account at a major NA wireless
provider. The account would contain most of that person's personal
information, so I consider it high security, perhaps just below that
required for online banking.

Since it is for a wireless provider, there's a good chance they may be
using a mobile device to enter this information.

My gut reaction was that b/c of the sensitive nature of the personal
information, my expectation was that this info would be masked.

Anthony


23 Jul 2009 - 7:09pm
Sachin Saxena
2009

One more thing that you may like to consider is the cost.

Recently, I've gone through some articles which advocate that even the password should not be masked, or that there should be an option to unmask it (at the user's discretion) if required. The reason behind this is the cost, along with the other reasons mentioned in http://www.useit.com/alertbox/passwords.html. The volume of calls received by the support staff to reset passwords is huge.

If you are going to mask the security answers as well, then it could increase that cost accordingly.
Secondly, on different platforms such as mobile/PDA devices, which are more personal, this would simply be an overhead.

All the best.
Sachin

23 Jul 2009 - 8:37pm
Adam Korman
2004

Another take on this is to consider who can see this info after it's
entered. Is it used only for me to confirm my identity online, or are
the answers to these security questions viewable by any random
customer service rep who looks up my account? Part of the expectation
that's created by masking a password field is that the password will
remain private and secure -- that no one can actually see it. So,
masking the field might create a false expectation of privacy and
security that could be dashed later if someone contacts your company
by phone and finds out that just about anyone at your company has
access to their* sensitive info.

And as for online banking -- I have accounts with several financial
institutions that use these kinds of security questions. They all show
these fields in plain text.

Regards, Adam

* Or should I say "his/her"?


23 Jul 2009 - 8:43pm
Jussi Pasanen
2009

Hi Anthony,

One thing to keep in mind is that the security answer can be considerably longer than a standard password, for example consider the response to "What is the name of the first school you attended?" The longer the entry the more difficult it is for users to get it right when the input field is masked.

I'm with Sachin in that you will need to consider the cost associated with whatever design you choose for the signup page. This may sound a touch radical, but have you considered whether you need Security Question and Security Answer *at all*?

I feel Caroline's questions plus the cost aspect should give you good tools in working out the design rationale and the subsequent design for your signup page.

Good luck!

Cheers, Jussi

Ps. I recently posted an article titled "Design detail: An easier login form" that touches on the topic of password masking: http://www.volkside.com/2009/07/design-an-easier-login-form/

--
Jussi Pasanen - Volkside - http://www.volkside.com/contact/
Interaction and Information Design, User Experience and Usability

23 Jul 2009 - 11:56am
Anonymous

On the other hand, some say that even the passwords should not be
masked:

http://www.useit.com/alertbox/passwords.html

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=44039

23 Jul 2009 - 12:50pm
Ralf
2009

Hi Anthony

I would not recommend masking the security question, since this could
be really annoying to use in case of errors during entry.

Have you already read Jakob Nielsen's latest post on masking
passwords?
http://www.useit.com/alertbox/passwords.html

A good alternative would be to mask passwords but make them readable
by showing a checkbox near the field labelled "show password"
(which only works if the user has JavaScript enabled).

Ciao
Ralf


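Ralf's "show password" checkbox is easy to get subtly wrong, and his own caveat (it only works with JavaScript) is the part worth handling. The following is an added example, not code from the thread or from any of its posters: the fields are masked in the HTML and the checkbox itself is created by script, so a visitor without JavaScript simply keeps the masked default rather than a dead control; and unmasked text is re-masked after a timeout and on submit, which limits how long the answer sits readable on screen. The element ids (`signup`, `password`, `password-confirm`) and the 30-second timeout are assumptions for the example; the state logic is a pure function so it can be exercised without a browser.

```javascript
// Added example; not code from the thread or from any of its posters.
// Progressive-enhancement "show password" checkbox: fields start masked in
// the markup, the checkbox is injected by script, and visible text is
// re-masked after a timeout and on submit. Element ids are assumptions.

const MASKED = 'password';
const VISIBLE = 'text';

// Pure state step, kept apart from the DOM so it can be tested headless.
// state:  { visible: bool, shownAt: ms timestamp or null }
// events: { type: 'toggle', checked }, { type: 'tick' }, { type: 'submit' }
function nextState(state, event, nowMs, timeoutMs) {
  switch (event.type) {
    case 'toggle':
      return { visible: event.checked, shownAt: event.checked ? nowMs : null };
    case 'tick':
      // Auto re-mask once the text has been visible for timeoutMs.
      if (state.visible && nowMs - state.shownAt >= timeoutMs) {
        return { visible: false, shownAt: null };
      }
      return state;
    case 'submit':
      // Never leave the answer visible after the form is sent.
      return { visible: false, shownAt: null };
    default:
      return state;
  }
}

// Map the current state onto an input type for every field. Returns a new
// array and never mutates its input.
function computeFieldTypes(fieldIds, visible) {
  const type = visible ? VISIBLE : MASKED;
  return fieldIds.map((id) => ({ id, type }));
}

// DOM wiring: inject the checkbox after the last field and drive the state.
function wireShowPasswordToggle(doc, { fieldIds, formId, timeoutMs = 30000 }) {
  const fields = fieldIds.map((id) => doc.getElementById(id)).filter(Boolean);
  const form = doc.getElementById(formId);
  if (fields.length === 0 || !form) return null;

  // The checkbox exists only when script runs, so no-JS users keep masking.
  const label = doc.createElement('label');
  const box = doc.createElement('input');
  box.type = 'checkbox';
  label.appendChild(box);
  label.appendChild(doc.createTextNode(' show password'));
  fields[fields.length - 1].insertAdjacentElement('afterend', label);

  let state = { visible: false, shownAt: null };
  const apply = () => {
    const types = computeFieldTypes(fields.map((el) => el.id), state.visible);
    fields.forEach((el, i) => { el.type = types[i].type; });
    box.checked = state.visible;
  };
  const step = (event) => {
    state = nextState(state, event, Date.now(), timeoutMs);
    apply();
  };

  box.addEventListener('change', () => step({ type: 'toggle', checked: box.checked }));
  form.addEventListener('submit', () => step({ type: 'submit' }));
  setInterval(() => step({ type: 'tick' }), 1000);
  apply();
  return { step, getState: () => state };
}

// Browser entry point; skipped when the file is loaded headless under Node.
if (typeof document !== 'undefined') {
  wireShowPasswordToggle(document, {
    fieldIds: ['password', 'password-confirm'],
    formId: 'signup',
  });
}
```

Toggling both the password and the confirmation field together is deliberate: once the user can read what they typed, the confirmation box is redundant, which is the same trade-off William and Anthony discuss for a masked security answer.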
23 Jul 2009 - 10:17pm
Nancy Frishberg
2007

Wish I had the definitive response here. Instead I'll offer a
resource you may not have been aware of.

Last week's SOUPS papers may give you some further ideas of security
risks, user behavior related to security and privacy, and usability of
various security schemes. http://cups.cs.cmu.edu/soups/2009/

I assume you're also satisfying accessibility requirements.


24 Jul 2009 - 4:12am
PhillipW
2009

Of course the canny user will just type them out somewhere else and
copy and paste them in anyway...
