HalfMask is an experimental approach to masking on password fields. Currently the standard shows bullets or asterisks to hide a user’s password completely as they type. Halfmask avoids this by obscuring the password with semi-visible random characters in the background. The intent is to only allow the user who typed the password to easily read it.
Update: If you find HalfMask interesting, you may want to check out our newer experiment, HashMask.
There’s been a lot of buzz in the tubes lately about password masking being A Bad Thing, specifically brought on by Jakob Nielsen’s AlertBox article, Stop Password Masking. To be frank, I couldn’t disagree more with this. I think showing clear passwords would be a huge mistake, despite the obvious usability gains. But I’m all about compromise, so HalfMask is an attempt to meet Jakob halfway.
I’m not suggesting that this is the best way to mask passwords. I am just hoping to get the community thinking about different approaches by exploring one approach.
How does it work?
HalfMask is a jQuery plugin that will obscure a password field with random characters. The intent is that to a casual observer the field will be unreadable at a glance, but the user inputting the text will be able to read it relatively clearly as they only need to confirm what they input, not read it fresh.
Can I use it?
Well sure, but I can’t recommend using this in any critical software. It should work in Firefox 3, Safari 3 and IE7. It’s available here, as well as on google code.
Click on the icon to go to the download directory at google code:
Additionally, you may view the source directly in google code.
HalfMask is released under the BSD license.
There are a few known issues with this approach:
- Text becomes nearly impossible to read at small fonts.
- Password fields are still vulnerable to cameras/recording.
- Colorblind people may have a harder time reading the correct text.
These are issues which readers are welcome to solve with their own approach or with modifications to this one!