HalfMask is an experimental approach to masking on password fields. Currently the standard is to show bullets or asterisks that hide a user’s password completely as they type. HalfMask avoids this by obscuring the password with semi-visible random characters in the background. The intent is to allow only the user who typed the password to read it easily.
Update: If you find HalfMask interesting, you may want to check out our newer experiment, HashMask.
Demo
Why?
There’s been a lot of buzz in the tubes lately about password masking being A Bad Thing, specifically brought on by Jakob Nielsen’s AlertBox article, Stop Password Masking. To be frank, I couldn’t disagree more with this. I think showing clear passwords would be a huge mistake, despite the obvious usability gains. But I’m all about compromise, so HalfMask is an attempt to meet Jakob halfway.
I’m not suggesting that this is the best way to mask passwords. I am just hoping to get the community thinking about different approaches by exploring one approach.
How does it work?
HalfMask is a jQuery plugin that will obscure a password field with random characters. The intent is that to a casual observer the field will be unreadable at a glance, but the user inputting the text will be able to read it relatively clearly as they only need to confirm what they input, not read it fresh.
In this way, it is usable enough, by being visible to the author, but not too usable, in that shoulder surfers shouldn’t be able to read it. It also degrades gracefully so that users without JavaScript or with a poor browser (IE6) will still see a password field.
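A sketch of the background-noise idea described above, as an added example that is not HalfMask's source code. The names `createNoiseMask` and `attachNoiseMask`, the character set and the layered markup are all assumptions; the noise depends only on the length of the input, never on the characters typed, and noise already drawn for a position is kept so the display does not flicker while typing.

```javascript
// Added illustration, not HalfMask's source. All names here are hypothetical.
const NOISE_CHARSET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%&*";

// Returns a mask object that keeps `layerCount` rows of background noise.
// `rng` must return a float in [0, 1). Math.random is enough here because the
// noise is displayed on screen and is never a secret.
function createNoiseMask(layerCount = 3, rng = Math.random) {
  const layers = Array.from({ length: layerCount }, () => []);

  const randomChar = () =>
    NOISE_CHARSET[Math.floor(rng() * NOISE_CHARSET.length)];

  return {
    // Call on every input event with the current value length only; the
    // noise never depends on which characters were typed.
    resize(length) {
      for (const layer of layers) {
        while (layer.length < length) layer.push(randomChar());
        layer.length = length; // drop noise for deleted characters
      }
      return layers.map((layer) => layer.join(""));
    },
  };
}

// Browser wiring (assumed markup: each layer is a low-opacity, monospace
// element positioned behind a text input that shows the typed value).
function attachNoiseMask(input, layerElements) {
  const mask = createNoiseMask(layerElements.length);
  const render = () => {
    const rows = mask.resize(input.value.length);
    layerElements.forEach((el, i) => { el.textContent = rows[i]; });
  };
  input.addEventListener("input", render);
  render();
  return mask;
}
```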
Can I use it?
Well sure, but I can’t recommend using this in any critical software. It should work in Firefox 3, Safari 3 and IE7. It’s available here, as well as on Google Code.
Download
Click on the icon to go to the download directory at Google Code:
Additionally, you may view the source directly in Google Code.
License
HalfMask is released under the BSD license.
Known Issues
There are a few known issues with this approach:
- Text becomes nearly impossible to read at small font sizes.
- Password fields are still vulnerable to cameras/recording.
- Colorblind people may have a harder time reading the correct text.
These are issues which readers are welcome to solve with their own approach or with modifications to this one!
Discuss
Please offer feedback on the Arc90 Blog, or email me, Chris Dary, at chrisd@arc90.com.
