Forgive me if I'm repeating a point that has been raised before... When considering whether to mask a password I think it's important to remember that there are other situations in which the password can be made to appear other than it being typed in character-by-character.
The most common case (which I'm dealing with now) is the situation in which the user's browser has been told to remember the password. This is a default feature in at least IE and Firefox and probably exists in other browsers. In cases where the browser's auto-complete features are turned on (also easy to do) a single keystroke in the username field can pre-fill a remembered ID and password. The question, then, is slightly different - under what situations could someone other than the intended user be in a position to type that keystroke and thereby potentially see an unmasked password? If the computer is always only used by one person then it's a moot question. In the real world, though, there are often other people who may be at the controls - a babysitter or party guest (at home), a coworker or temp (in an office) - and I'm sure you can think of other cases. In these situations the point of masking the password is to conceal it not from the hypothetical shoulder-surfer (a case I would consider rare) but from every other person who might use the same browser. That seems to be a much larger set of people. Once again half-masking may provide a solution. A password brought up by one of these indirect routes could appear fully masked independently of the way it's shown during the process of entry. My $0.02 anyway... --Alan ________________________________________________________________ Welcome to the Interaction Design Association (IxDA)! To post to this list ....... [email protected] Unsubscribe ................ http://www.ixda.org/unsubscribe List Guidelines ............ http://www.ixda.org/guidelines List Help .................. http://www.ixda.org/help
