Is type='password' Really Necessary on Mobile Sites?

The HTML input tag is what's used to display a text box on a Web page. Input has an optional type attribute. Specifying type="password" causes characters to be masked: an asterisk is displayed instead of the character typed. It's standard practice on the "big" web to use type="password" on any field where the user enters a password or PIN.

This practice has been carried over to the mobile Web, where I think it hurts usability while doing little or nothing to enhance security.

Of course, security on the web is a real concern. Phishing and identity theft are constantly in the news. For eCommerce and banking sites I'm willing to put up with a little inconvenience in the name of security. But does masking the password of, say, an online RSS reader really make us any safer? What's the worst that can happen, someone marking all our feeds as read?

Phones have small screens and correspondingly small fonts. It's hard to read a mobile screen from a distance of more than a couple of feet. If you're worried about password theft, you can usually turn away from onlookers or shield the screen with your hand while entering your password. I think there is a far greater likelihood of a bad guy stealing your password by watching which keys you are pressing than by reading the screen.

Mobiles generally show you the actual character for a fraction of a second before it changes to an asterisk, but it's still hard to accurately triple-tap passwords on a phone. It's especially difficult if you use "strong" passwords with a mix of upper and lower case letters, digits and symbols.

What do you think: do masked password fields on mobile web pages actually enhance security? And even if they do in some small way, are they worth the cost in usability, especially on sites where there's no risk of financial loss?
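As an added example (not code from the original post), here is the middle ground between the two positions above: the field keeps type="password" by default so onlookers see asterisks, but the user can switch it to clear text while typing. The form action and field names are assumed.

```html
<!-- Added example, not from the original post: a mobile login form that masks
     the password by default and lets the user reveal it while typing.
     The action URL and field names are placeholders. -->
<form method="post" action="/login">
  <label for="user">Username</label>
  <input id="user" name="user" type="text" autocomplete="username">

  <label for="pw">Password</label>
  <input id="pw" name="pw" type="password" autocomplete="current-password">

  <!-- Unchecked by default: the field stays masked unless the user opts out -->
  <label><input id="show" type="checkbox"> Show password</label>

  <button type="submit">Log in</button>
</form>

<script>
  // Flip the field between type="password" (masked) and type="text" (clear).
  // The typed value is kept; only how the browser renders it changes.
  var pw = document.getElementById('pw');
  var show = document.getElementById('show');
  show.addEventListener('change', function () {
    pw.setAttribute('type', show.checked ? 'text' : 'password');
  });
</script>
```

A site that decides, as the post suggests, that masking buys nothing for its users can simply ship the field as type="text" and drop the checkbox.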


10 Responses to “Is type='password' Really Necessary on Mobile Sites?”

  1. Greg Harris says:
    Whenever I build a mobile site that needs a password, I use a 4 digit PIN. The only thing more annoying than typing out a word on a feature phone is doing it with asterisks.

    If a 4 digit PIN is good enough for my bank account and a public ATM, then it's good enough for a mobile phone. Less chance of someone seeing that than an ATM keypad or screen.

    I set the field to digits only, and log on is quick and simple.

    As for finding other ways Luca, you and I know quite well that there's an issue there. If all the carriers in the world want to pass a unique ID, I'm all for it. It would make our tracking through Mobilytics much easier as well. Other than that, we're still dealing with hundreds of different browsers and non-standard capabilities.

    Greg Harris
  2. PAS says:
    It doesn't matter. What matters is that throughout your website, you must be consistent. Some handsets will change the input mode if they encounter type='password'. So once you have made the decision to use password or text, make sure you do the same thing everywhere.
  3. Anonymous says:
    I really think that is unnecessary...
    but I already saw people who think that writing in password fields with *** is safer...
    I agree with teroff's ideas; it depends on the situation and the people who are using it.
  4. james says:
    Love these posts that go into the real nitty gritty of mobile usability ... logging in on mobile sites is a real issue as it is such a pain. Agree that showing the password instead of **** would be a step forward but is it enough? Should we focus on alphanumeric passwords for mobile or something?
  5. David Harper says:
    ...we were just discussing this internally the other day, Dennis. Thanks for bringing it up; you and Luca helped me to push the vote in favor of removing password masking. :)
  6. Luca Passani says:
    I'll get the ball rolling by providing my opinion.

    According to the GAP mobile development guidelines (which are better than the W3C BP committee-designed nonsense), developers should ask themselves whether the security requirements for their applications are really so strict that making the password hard to read isn't punishing the legitimate users too.

    There is a GAP rule called NO_PASSWORD_MASK that reads:

    ---------
    Do not use password masks
    Reading what is on the screen of a mobile device is often hard enough for the user of the device. Peeking over the shoulder of the user is less likely to disclose a password than observing the user's keypress sequence.
    For this reason, hiding user input from users themselves by replacing each character with a '*' (star) symbol (or similar) will do very little to protect privacy, while making it generally harder to use the service. For this reason, users should be made to enter passwords in clear text.
    This practice does not detract from the aforementioned practice to avoid login and find alternative ways to identify users.

    Caveat: In case of highly sensitive application (such as 'Net Banking'), security requirements may force you to overlook this practice. For example, some users may perceive the lack of password obfuscation as a sign of slack security practices.
    ---------

    If someone disagrees with this, please let me know: happy to discuss.

    Luca
  7. teroff says:
    Hello, first of all, thank you for this site. It's a really interesting and helpful blog.

    If we talk about passwords on mobile web portals, and using type="password", I would say: "It depends..." It depends on the situation and on the people who are using this mobile portal.

    And I think that phones must have one special function which will turn on or off using type="password".

    P.S. Sorry for my English, I've just learned
  8. Miron says:
    You make a good point that I'm sure most people overlook because, as you've mentioned, it's almost customary to use this convention.

    I think it's definitely NOT worth the cost in usability - especially with phones that don't support full qwerty...

    The only issue I see though is the concept of 'One Web'.
