The Password Paradox

Protecting passwords and usability at the same time

Password masking is the age old design pattern of hiding the password characters behind bullets (●) and asterisks (*). It’s been around so long that we don’t think about how much headache comes from its usability issues.



The idea behind masking is to prevent nearby observers from reading the password “over the user’s shoulder” and then stealing it.

But the small security advantage of detouring the mysteriously rare shoulder surfers doesn’t outweigh the user experience disadvantages of masking.

What’s wrong with password masking?

  1. Accuracy suffers. Users will make more mistakes when they can’t see what they are typing. This is especially true for more complex passwords that require capital and lower case letters with numbers and punctuation.
  2. The average person authenticates a password 15 times in a work day. 82% of people have forgotten a website password.
  3. Users can’t check their password input, therefore can’t correct any errors.
  4. Password masking doesn’t prevent attacks from key loggers or malware.
  5. 75% of people who forget their password on an e-commerce site won’t complete the purchase.

Should we get rid of password masking?

Not so fast…

A study was conducted to test the effects or removing password masking for users:

80% were not expecting to see the password as clear text. Since users are so used to seeing their passwords masked, they thought that:

  1. A mistake had been made when building the website.
  2. Hackers had circumvented the website’s security.
  3. The site can’t be trusted and might have other technical problems.


Identified that not hiding
the characters increased usability.



Said they had become
suspicious of the site.


Solution: Give Users the option.

When users were offered the option of masked or unmasked passwords on a login screen, the concept was identified as a feature and not an error.

Users appreciated the benefit of clear text with the option of secure password masking. The presence of a check box to turn masking on and off assured users that the change in convention was by design.

100% Of participants noticed the “Show Password” option and understood the interaction.

Luke Wroblewski, Showing Passwords on Log-In Screens



  1. Clear text passwords do increase usability, but don’t force the change on existing users.
  2. Password masking is best offered as an option to maintain user trust in the site.
  3. Touch ID will make this article almost completely irrelevant in a few years.