The $16 Billion Dots

Felix Salmon picks up today on the computer security paper by Cormac Herley of Microsoft that I wrote about a few weeks ago, and after quoting Herley’s estimate that one wasted minute per day among online users comes to $16 billion per year, says:

I think it’s reasonable to assume that the idiotic practice of masking passwords by turning them into dots takes up a good minute of people’s time each day, and saves much less than $16 billion a year if it saves anything at all.

That took me aback. I’d never even considered the thought that password masking might be a bad idea. Felix links to an Alertbox column by Jakob Nielsen which suggests that (a) password masking causes more errors and prompts users to choose simple passwords and (b) usually no one is looking over your shoulder anyway so it doesn’t do any good. Maybe for banking sites it’s OK, but we should skip it everywhere else.

I guess I’m not sure about this. The great divide in computing these days isn’t between PC and Mac users (spare me, please), it’s between the deskbound and the mobile. The problem is that password masking cuts both ways. I’m deskbound myself, which means that it really is true that no one is ever looking over my shoulder. On the other hand, it also largely means that password masking doesn’t cause me any problems.¹ Conversely, if I were mobile I might make more mistakes typing in my passwords, but then again, there’s also a greater chance that someone really might be looking over my shoulder.

I guess my feeling is that password masking probably doesn’t provide a ton of protection, but then again, I don’t really believe it costs $16 billion a year either. Trying to do cost accounting on tiny snippets of personal time is a mug’s game, and kind of a dumb one even if I’ve been known to do it myself from time to time.

But I dunno. Maybe password masking causes more problems than I think. What says the hive mind?

¹ Though in an office, even the deskbound ought to be careful. Coworkers are probably more likely to try and steal a password than some random guy in a bus station.