We all know and love the password inputbox. It hides all the characters you type with stars, and encrypts the contents stored in memory. It’s about the only constant in the potpourri of user registration pages. It’s the part no site ever gets wrong – use a password inputbox when asking the user for their password. But what function does it serve? It’s simple:
To hide your password from bystanders, innocent or otherwise.
That’s the one and only reason why we obscure the characters with stars. If it weren’t for the trusty password field, that co-worker sitting next to you, or the coffee-lady casually walking by, could have spotted and accidentally memorized your password while you’re entering it. It’s a great solution to a very real problem.
All this is common knowledge, of course. So why am I repeating it? Because, surprisingly, for most sites it’s redundant. All the websites out there that send your password by email, or show it when you’ve clicked the “activate account” link, nullify the sole reason for the password field’s existence.
Since the user’s password is displayed on the screen in an e-mail, that coffee-lady can look at the password anyway. Worse: oft-times the user doesn’t know what’s coming when opening the mail or clicking the activation-link. He can’t pre-emptively check if anyone is in his vicinity before unknowingly revealing the password on his screen, which is an option when entering the password in a regular inputbox.
The conclusion is simple: if you think you can send the user his password by mail or show it in clear text on his profile, stop using the password inputbox. It won’t increase the level of security. At that point, it only serves to annoy the user, who has to enter his password blindly, twice even, possibly making an error along the way and having to try again. It’ll also tell the user the real degree of security you’re using, instead of fooling him with the asterisks.
The real conclusion, of course, is to never show the password in cleartext, anywhere.
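One way to build the registration and activation flow the post criticises so that the password never appears in the mail, on the profile page or in storage, as an added example that is not from the original post; the salted-hash storage, the token-based activation link, the in-memory user table and the `example.invalid` domain are assumptions of this example.

```python
"""Added example (not from the original post): an account activation flow
in which the password is never written to an e-mail or a profile page."""
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "database"; its shape is an assumption of this example.
USERS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: only the derived key is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(email: str, password: str) -> str:
    """Store a salted hash plus a one-time activation token; return the mail body."""
    salt = os.urandom(16)
    token = secrets.token_urlsafe(32)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt),
                    "token": token, "active": False}
    # The mail carries only the random token, so a bystander reading the
    # screen learns nothing about the password.
    return f"Activate your account: https://example.invalid/activate?token={token}"


def activate(token: str) -> bool:
    """Mark the matching account active; the token is consumed on first use."""
    for user in USERS.values():
        if user["token"] and hmac.compare_digest(user["token"], token):
            user["active"] = True
            user["token"] = ""
            return True
    return False


def profile_page(email: str) -> str:
    """The profile shows account state only; there is no cleartext password to show."""
    user = USERS[email]
    return f"Account: {email}\nStatus: {'active' if user['active'] else 'pending'}"


def verify_login(email: str, password: str) -> bool:
    """Constant-time comparison of the stored hash against a fresh derivation."""
    user = USERS.get(email)
    if user is None or not user["active"]:
        return False
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))
```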