Stefan Ullrich's jQuery plugin on the DECAF site provides a behavior for masking passwords that is familiar to mobile users. The plugin obscures previously entered characters at delayed intervals or when new characters are entered. It falls back on using the browser's password masking when JS is disabled.
Isn't this risky?
Wouldn't be if, for instance, you made it an option that was only available when you click a checkbox or something. I would tend not to use it as is, but would modify it. Is probably the least secure option because people can see what you type over your shoulder.
If you have a thieving head sewn on to your shoulder it is very risky.
@Anonymous. I would suggest rear vision spy glasses in that case.
If it isn't broken why fix it? Password masking works just fine.
If you are going to have something like this then it should be opt in. On the mobile it is very hard for people to snoop what is appearing. On a monitor it really isn't.
If you make this opt in then you may as well have an unmask button. Far more user friendly.
I think an "unmask" button is the only way to go for a general solution.
For a "looking over the shoulder" scenario: how often do you find yourself logging into sites in meeting rooms with projector screens? (I do, frequently.) How would you feel about unmasked passwords -- or the iPhone approach -- then?
Comments