I have always been annoyed by the fact that products don't display my password and instead replace it with ******* as I type it.
The rationale behind this is to ensure that no one else can see your password while you are using the product: since a password is a security measure protecting your data, it must not be inadvertently exposed to others.
The UX community has long known that this reasoning does not hold up. With safety and security, more can be less:
"The ever-increasing burden of security, authentication, and identification
But there is a paradox: the more thorough the demands of security, the less secure the result. Why? Because when the demands of security get in the way of doing our jobs, we find ways around them. We write passwords on paper, hiding them in insecure locations. We prop open doors, make copies of sensitive material – all because we are dedicated to getting the job done. Thus, the honest workers can undermine the entire security apparatus." – Donald Norman
Passwords, as usually deployed, do not really protect data. More often they create the conditions for a serious breach, because they – like all the codes we are expected to remember in modern life – ignore people's limited capacity for memorizing meaningless sequences of characters.
We are the best species on this planet at remembering meaningful, structured information; we are just not good at remembering meaningless information. Most likely this is because remembering meaningless information was never required for our species to adapt to and survive in its environment.
Who knows, this may change if passwords stay around long enough ;-)
Humans are great at finding workarounds when asked to perform meaningless tasks - like remembering arbitrary information.
For example, we use our partner's name or pet's name instead of Erty098Zut, as a meaningful unit of information that is easy to remember.
Having realized this, "security experts" make things even more complicated: they do not allow us to use meaningful sequences and require that we always include capital letters and digits, to make the password harder to guess, and of course harder to remember.
To make things even worse, they also require us to change passwords often enough that if we did spend the energy to remember one, it will soon become useless.
Humans always find creative ways to adapt. So they write the password on a post-it note, or somewhere else easily accessible, so they can refer back to it when needed. This of course makes the password easier for ill-intentioned people to discover and completely negates the original intention.
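To make the cost of composition rules concrete, here is an added example (my own code, not from the original post) that puts the kind of policy the post describes next to a length-plus-blocklist policy of the sort NIST SP 800-63B recommends (that guidance advises against composition rules and periodic rotation and asks verifiers to reject known-compromised and context-specific words instead). The blocklist, the leet table, the product name "acmeportal" and the sample passwords are all constructed for the illustration; a real deployment would check against a breached-password corpus.

```python
import re

# Constructed blocklist: a stand-in for a breached-password corpus plus
# context-specific words (common pet names, the product's own name).
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "fluffy", "bella", "charlie", "max",   # common pet names
    "acmeportal",                          # hypothetical product name
}

# Undo the substitutions people make to satisfy "must contain a digit/symbol".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to the memorable word it was built from, the way a
    cracker's mangling rules do: lowercase, strip trailing digits/symbols
    ("Fluffy2019!" -> "fluffy"), then undo leet spellings ("P@ssw0rd" -> "password")."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def legacy_policy(pw: str) -> bool:
    """The composition rule the post complains about: at least 8 characters
    with a capital letter and a digit. 'Erty098Zut' passes; a long passphrase
    made of plain words fails."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def modern_policy(pw: str, min_len: int = 8, max_len: int = 64) -> tuple[bool, str]:
    """Length plus blocklist, no composition rules and no forced rotation.
    min_len/max_len follow SP 800-63B (8 required, at least 64 allowed).
    Returns (accepted, reason)."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    if len(set(pw)) == 1:
        return False, "single repeated character"
    core = normalize(pw)
    if pw.lower() in BLOCKLIST or core in BLOCKLIST:
        return False, f"built from a blocked word: {core or pw.lower()}"
    return True, "ok"


# Constructed candidates: the post's meaningless string, a pet name padded
# to satisfy the old rules, a leet-speak classic, and a plain-word passphrase.
SAMPLES = ["Erty098Zut", "Fluffy2019!", "P@ssw0rd1!", "correct horse battery staple"]


def compare(samples=SAMPLES) -> list[tuple[str, bool, bool, str]]:
    """Run every sample through both policies: (password, legacy_ok, modern_ok, reason)."""
    return [(pw, legacy_policy(pw), *modern_policy(pw)) for pw in samples]


if __name__ == "__main__":
    for pw, legacy, modern, why in compare():
        print(f"{pw!r:34} legacy={legacy!s:5} modern={modern!s:5} ({why})")
```

The two policies disagree exactly where the post says they would: the composition rule accepts the pet name with a year bolted on and the leet-spelled "password", while rejecting the long plain-word passphrase; the blocklist policy does the reverse, because it looks at the word a human actually chose rather than at which character classes were sprinkled on top of it.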
Biometrics will probably solve this issue once they finally become widespread, though a biometric, unlike a password, cannot be replaced once it has been copied. In the meantime we will all suffer from "passworitis".
There is a temporary "solution" that addresses our cognitive ability and ensures we do not need to "expose" our passwords inadvertently in a wallet or on a computer screen: the secret question. It is an attempt to put meaning back into the process by letting users fall back on a memorable answer to recover their password when it is forgotten. The caveat is that memorable answers (a mother's maiden name, a first pet, a home town) are often guessable or discoverable by others, so the secret question can become an easier way into the account than the password it is meant to recover.