29 Jun 2009

Jakob Nielsen — Stop Password Masking!

Whoa. The foundations are shaken and the holy of holies invaded.
It turns out that masking does not improve security at all; it only hurts the business through failed logins.
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users' shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.

More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

When you make it hard for users to enter passwords you create two problems — one of which actually lowers security:
  • Users make more errors when they can't see what they're typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)

  • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

So what should be done? Here it is:


It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. ...
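As an added illustration of the checkbox Nielsen proposes (example code written for this page, not from the original post), the toggle below keeps the field masked by default for high-risk sites and re-masks it whenever the field loses focus; the element stand-in is constructed so the code runs outside a browser.

```javascript
// "Mask my password" checkbox in the spirit of Nielsen's suggestion.
// Assumes two inputs: the password field and a checkbox. Rules implemented:
//   - high-risk applications start masked (checkbox checked), others start in clear text;
//   - checking re-masks, unchecking shows the password;
//   - the field is always re-masked on blur, so clear text never lingers on screen;
//   - only the input type changes; the value is never read or altered.
function attachMaskToggle(passwordField, maskCheckbox, { highRisk = false } = {}) {
  const apply = () => {
    passwordField.type = maskCheckbox.checked ? 'password' : 'text';
  };
  maskCheckbox.checked = highRisk;
  apply();
  maskCheckbox.addEventListener('change', apply);
  passwordField.addEventListener('blur', () => {
    maskCheckbox.checked = true;
    apply();
  });
  return { apply };
}

// Minimal stand-in for a DOM element (constructed for this example) so the
// code runs in Node; in a real page you would pass the actual elements.
function fakeElement(initial) {
  const listeners = {};
  return {
    ...initial,
    addEventListener(name, fn) {
      listeners[name] = listeners[name] || [];
      listeners[name].push(fn);
    },
    dispatch(name) { (listeners[name] || []).forEach((fn) => fn()); },
  };
}

// Walk through: initial state, one toggle, then focus leaves the field.
// Returns the sequence of input types observed plus the (untouched) value.
function demo(highRisk) {
  const field = fakeElement({ type: 'password', value: 'hunter2' }); // constructed sample
  const box = fakeElement({ checked: false });
  attachMaskToggle(field, box, { highRisk });
  const states = [field.type];
  box.checked = !box.checked;
  box.dispatch('change');
  states.push(field.type);
  field.dispatch('blur');
  states.push(field.type);
  return { states, value: field.value };
}
```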

We will destroy the whole world of violence. Down to its foundations, and then...
Password masking has become common for no reasons other than (a) it's easy to do, and (b) it was the default in the Web's early days. In this respect, it's similar to another usability problem — having Reset buttons on forms, which is also something that should die.

But password masking and Reset buttons are not something users actively seek out. Losing these features won't cause confusion, nor will their replacements: the new features will simply be clear text (in the first case) and a blank area where the destroy-my-work button used to be (in the second).

Let's clean up the Web's cobwebs and remove stuff that's there only because it's always been there.

