The password field is a lie.
Millions of people struggle with letters rendered as dots because they believe the dots mean “security”. In reality the password field is obfuscated plaintext and nothing more: the browser holds the typed value in the clear, scripts on the page can read it, and the form submits it exactly as typed. Masking adds no protection except against someone watching your screen as you type (a shoulder surfer, or a screen-sharing or recording session), and it has nothing to do with encryption. In most cases, using it is more likely to cause security and usability problems than to prevent them:
- Users who struggle to type letters they cannot see tend to choose shorter, simpler passwords, and simpler passwords are easier to guess online or to crack offline if the password database is ever breached, which is a far more likely scenario than someone reading the password over their shoulder.
- Masked text hides repeated typos, so a user who mistypes cannot see why the login keeps failing, leading to frustration and abandonment.
- Masked text is especially hard to enter correctly on mobile devices, where on-screen keyboards make typos more frequent.
Despite all of this, users have been trained over two decades to associate “starred” text with “security”, and will likely feel uncomfortable when presented with a plaintext password field, even though, against the threats that actually matter for most logins, it is the more secure option. How do we habituate users away from this piece of security theatre?