As we’re about to learn, being wise and making wise choices do not always go hand in hand.

Today’s comic imagines Jakob Nielsen and Bruce Schneier intentionally exposing themselves to danger in a gladiatorial arena (overlooked by a Caesar-esque Dave Shea) with the predictable results. Sadly, this scenario reflects reality (with a little editorial excess) in a way that shocks me.

Let’s lay out the recent events.

Jakob’s Suggestion: Let’s Unmask Passwords

On June 23rd Jakob Nielsen proved he’s not done making poor recommendations in the name of usability. This time the victim is not design, however. Instead, he firmly takes a swing at security by recommending that passwords become unmasked, leaving naked all the strange alphanumeric combinations that we strive mightily to remember every time we want to visit naughty sites, check our email or bid on a rare 1920′s lampshade online.

He makes some assertions while recommending this course of action. First, that people rarely look over shoulders. Second, that you’re alone in your office. Lastly, he names two “costs” that these cause, one being that users don’t trust sites that mask password fields and the second that masked fields result in weaker passwords. He ends this list of errors by suggesting we do away with the masking altogether, and dance widdershins under the stars in a deep forest clothed in naught but our own sweat.

For the sake of avoiding a stoning at the hands of security experts, he does make an offhand suggestion of offering a check box to allow masking for public situations, but this is said in an afterthought that shows how little he worries about such a trivial thing as someone with both curiosity and eyeballs noticing you typing things on your monitors.

Dave Shea’s Suggestion: Let’s Have A Smackdown

I might have spent my remaining years ignorant of his “suggestion” (might I take some liberties and call it a mad raving?) of tossing away one of the final barriers of security in exchange for a marginal increase in usability. However, Dave Shea took the impetus to make a comment about Jakob’s strange post on Twitter, for which I thank him.

He then followed with a comment replete with inspiring concepts: “A Bruce Schneier / Jakob Nielsen smackdown would be, frankly, awesome.”

It’s moments like this that I wait for, mouth watering with anticipation as I crawl through the many tweets and blog comments of the web design sphere of opinion. Immediately I imagined a savage competition between these two notables where Jakob’s naivety costs him in a contest against the security expert Schneier. These sort of daydreams translate easily into a comic, and furthermore align with something about which I found myself holding a strong opinion. This sort of conjunction almost always sends me scrabbling to my mad laboratory, where I harness arcane shapes into vector imagery and stamp it with the mad wisdom of the stars.

The Twist: Bruce Agrees With Jakob

However, it was only on July 26th that Bruce did something I don’t think Dave expected when he made his tweet, and certainly wasn’t in my realm of anticipation. He agreed with Jakob.

Thankfully, I was able to adapt this change of circumstance to my comic’s needs.

However, I’m not about to alter my opinion on the topic. Namely, that I think this suggestion is madness.

In short, it appears to me that Jakob and Bruce assume that exposed passwords are a non-issue because firstly criminals don’t hover over shoulders and secondly that privacy when surfing a website is a guarantee.

Problem #1: Enabling Criminals Of Convenience

Let’s cross out the consideration of serious hacker types for a moment. These aren’t the sort of individuals that need to see you typing your password to steal your stuff. They’ve got mad skills, and are probably busy right now taking your credit card information off a hard drive the U.S. Government accidentally sold to a spare parts reseller. But amateur no-gooders and opportunists need all the help they can get. They may not plan on stealing wi-fi access, but if they see you typing a password in the cafe they just might take advantage of it.

Unmasking the passwords by default creates a situation where Average Joes are given a lot more temptation to misuse the information they’re casually overseeing. We’re a curious, slightly selfish race. Give us the chance and we’ll be exploring things we shouldn’t. This is probably why emergency room doctors drink heavily after workdays involving gentlemen walking funny who whisper about the need for extreme secrecy when dealing with their medical “emergency”.

Problem #2: Privacy In The Home Is An Illusion

We’ll jump past the criminal concern, however, to look at the privacy issue. For the average American (and even more so for the average human) privacy isn’t a guarantee, and rarely exists when accessing a computer terminal. On the home front you often have spouses, siblings, parents and children all about as you log onto email accounts, purchase music via iTunes, check your bank account, or make a purchase for a pizza or a movie. Although I’ll pretend that maintaining privacy between spouses isn’t a concern (although I suspect it is) we all know that kids will be kids, and that some siblings are less than circumspect in respecting your stuff.

How would you like to come home only to discover you’ve spent $40 on purchasing a couple of Brittany Spears albums? How about learning someone (probably a young someone) bought access to an adult movie on the cable box with your account? I’m not saying that kids can’t get access to something with enough effort, but I think that it’s a big step in the wrong direction when you remove such a simple barrier to that access, and by doing so it requires no effort on their part to act on a poor decision.

Problem #3: Private Office? What Private Office?

So privacy in the home is an issue. What about the workplace? I have a great job. I don’t work in a cubicle farm. But many office workers do, and have hundreds of co-workers with easily five or six sitting in cubes across the aisle who can see their screens.

School teachers often have their computers in the classroom next to students. Should they trust all their pupils to respect their privacy and not try to access staff-only functions or answers to an upcoming test?

Furthermore, more and more people are accessing websites in non-traditional spaces. When you’re packed on a subway car with dozens of commuters and you need to access a site on your smart phone, do you want to have to decide if you can trust the people squeezed up next to you?

I could come up with dozens of other scenarios. Jakob is trying to cast his recommendation in the light of saving us from “legacy” design by implying that we live in an era where security won’t be risked by removing masking. Bruce seems to agree, stating that shoulder-surfing is an uncommon activity and that the risk is outweighed by the annoyance of typing blind.

The Root Of The Problem: Outdated Assumptions On Where Websites Are Accessed

I say that instead these two are making assumptions about website usage that are outdated. Computers are being used by younger children with more sophisticated skills. Websites are increasingly accessed more by other devices like smart phones, in non-private spaces with dozens of potential observers. Privacy is a vanishing commodity, so to presume that an average scenario doesn’t involve potential prying eyes is foolhardy and risky.

Jakob said the following: “Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)”

I’m going to call you out on this one, sir. That’s outright backwards. I feel less confident when I am entering a naked password in any environment, and strongly doubt the security of the site in question if required to do so. In fact, I’m likely to not use it at all. Why should I trust their other measures if they can’t even protect the password from passing eyes?

Perhaps username/password security truly need to be replaced by something both more secure and simpler to use. I’m not sure what that replacement technology should be. But I do know that we shouldn’t decide that usability trumps security and retrograde to exposing our passwords to John Q. Public.

No offense, John.

[Edit: Fixed the jump from #2 to #4 in the problem subtitles. Thanks, Elaine!]

What is the password anti-pattern? In short, it’s the behavior of teaching people that it is safe to enter their password information from one website on a different website. In the modern digital world of phishing attacks and identity theft, it’s a very dangerous habit to help people form.

How dangerous? Well, how attached are you to your personal information?

The specific issue that Jeremy is bringing up involves the “Twitter this” widget that Get Satisfaction has on their site. By entering your username and password for Twitter, you can re-tweet the topic or page that you’re located on for your Twitter followers to see.

The behavior may seem innocent enough on the surface to you all. After all, you’re initiating the tweeting that occurs, and Get Satisfaction has a certain reputation of trustworthiness. Also, what harm exists in giving out your Twitter info?

Well, there’s a number of issues. First, the folks at GS don’t need your login information in order to provide this function. There’s other ways to do it (Jeremy suggests one in his post on the topic). Secondly, some people have a tendency (bad though it may be) to recycle usernames and passwords, so their Twitter login may match their bank’s login, or something of equal importance. Lastly, behaviors can be habit-forming, and even if GS isn’t going to do anything harmful with your info, some other site later down the road might, so it’s very poor form to be teaching someone that it’s safe to do something that could cost them their identity or money.

So it shouldn’t be surprising that there’s a lot of developers out there like Jeremy that are against this bad practice. What is surprising in this case is that many of the Get Satisfaction employee responses to this issue was to push back against the suggestion that they change their approach? With arguments ranging from “we’re not full of thousands of developers” to “It’s just Twitter, not your bank,” many of them (granted, not all) seem to have missed the point altogether.

The anti-pattern is bad because it teaches bad behavior. Period. It helps form a habit that will eventually cost end-users their identity if they continue it. As a website devoted to user satisfaction, it is shocking that they wouldn’t grasp this concept and embrace it.

If you make a website, you have a responsibility to your users not to screw them, directly or indirectly, with this sort of design “feature.” Either work around it (as Jeremy Keith suggests to GS in this case), or eliminate the feature altogether if you can’t work without it. Our identities are getting increasingly digital as the seconds pass, and it’s sheer folly to be helping people commit virtual suicide.

After all, the road to Hell is paved with…