The HTML input tag is what’s used to display a text box on a Web page. Input has an optional type parameter. Specifying type="password" causes characters to be masked: an asterisk is displayed instead of the character typed. It’s standard practice on the “big” web to use type="password" on any field where the user enters a password or PIN.
This practice has been carried over to the mobile Web, where I think it hurts usability while doing little or nothing to enhance security.
Of course, security on the web is a real concern. Phishing and identity theft are constantly in the news. For eCommerce and banking sites I’m willing to put up with a little inconvenience in the name of security. But does masking the password of, say, an online RSS reader really make us any safer? What’s the worst that can happen, someone marking all our feeds as read?
Phones have small screens and correspondingly small fonts. It’s hard to read a mobile screen from a distance of more than a couple of feet. If you’re worried about password theft, you can usually turn away from onlookers or shield the screen with your hand while entering your password. I think there is a far greater likelihood of a bad guy stealing your password by watching which keys you are pressing than by reading the screen.
Mobiles generally show you the actual character for a fraction of a second before it changes to an asterisk, but it’s still hard to accurately triple tap passwords on a phone. It’s especially difficult if you use “strong” passwords with a mix of upper and lower case letters, digits and symbols.
What do you think, do masked password fields on mobile web pages actually enhance security? And even if they do in some small way, are they worth the cost in usability, especially on sites where there’s no risk of financial loss?