Franklin Delano Roosevelt, in his inaugural address as the 32nd President of the United States, uttered his now famous phrase “The only thing we have to fear is fear itself.” How right he was.
He further identified his target as “nameless, unreasoning, unjustified terror.” He spoke early in 1933, during the darkest days of the American depression, when millions were out of work, no safety nets existed to help them, and there was no recovery in sight. What’s more, the specter of European Nazism, with its saber rattling, and strident, irrational racism, was waxing. In the face of these actual reasons to be afraid, Roosevelt fingered the real danger: irrational fear; fear for its own sake; being afraid simply because it’s easier than not being afraid.
Largely, the nation heeded Roosevelt’s admonition. We refused to succumb to fear, the economy recovered, we vanquished our foes, and emerged as the world leader for the rest of the 20th century.
Unfortunately, in the 21st century, we have quite failed Roosevelt. We have become a terrified nation and live in a culture of fear. We act afraid and we let baseless fear drive our choices. Mutual trust is the basis of civilization, and our nameless, unreasoning, unjustified terror is unraveling the fabric of our society.
You can see the telltale traces of our fear everywhere. Everything we buy comes with voluminous safety instructions exhaustively detailing how it all might conspire to hurt us. The panoply of products and services with which we surround ourselves collectively laugh at our foolish anxiety. Every product we own is plastered with scary warning labels exhorting us to not act like an imbecile or we might suffer.
All of our cars have utterly useless alarms on them. They go off accidentally and annoy entire neighborhoods, but they don’t deter professional car thieves.
Our roads are lined with warning signs telling us to be careful even though such signs not only don’t work, but are dangerously distracting.
Even though violent crime is way down, our mass media over-hypes every crime into an epidemic, every mugging into a crime wave.
Our airport security strips us of all dignity while performing its useless charade of frightening cowardice.
But that isn’t what I want to talk about. I want to talk about passwords. More specifically, I want to talk about hiding passwords with asterisks when we have to enter them on websites.
Our software programs conceal our passwords with coy little asterisks and our trust in each other erodes. We begin to suspect our co-workers, fellow transit riders, and even our family members of trying to steal our identities. It is another palpable example of nameless, unreasoning, unjustified terror, and this one is right in the backyard of interaction designers.
I have no complaint against passwords. They are useful tools to protect our data and our online accounts. It’s just that software should not hide my passwords from me, and only in extremely rare cases does it need to hide them at all.
The only reason why passwords are hidden is because we have become a nation of terrified little mice, riddled with chickenhearted fear, suspicious of every innocent shadow. Every time a website conceals a password from the person who is entering it, we witness a small victory for fear itself, and a minute but very real rip in the fabric of our society.
While identity theft is a real problem, there is abundant evidence that it comes from institutional sources: from hackers breaking into corporate databases or from gross security leaks on a mass scale. I have seen no evidence whatsoever that individuals are stealing passwords by over-the-shoulder spying.
Recently there’s been a long discussion on the IxDA list regarding the proper way to conceal passwords. Some brave voices have suggested that concealment may not be necessary. They are far outnumbered by those who mindlessly accept that fear itself must triumph and everyone is out to steal your Amazon account and crack into your tweet stream. Bah!
I’ve been trying to imagine a scenario where passwords really need to be concealed. I couldn’t imagine one. I thought of a few, but they were all based on the assumption that people mostly stood around, waiting to catch a glimpse of my password so that they could...what? Send me spam? Post embarrassing pictures of me on Facebook? I’ve got news for them: That train has left the station!
One of my colleagues suggested that entering a password during a presentation would unnecessarily reveal your password to the audience. While I can’t argue with the specific case, as an interaction designer it bothers me. What kind of messed-up software would force a person to enter a password at the start of a public presentation? What kind of badly designed software would not allow the user to request that his password be concealed just this one time?
And anyway, what would happen if the audience did see your password? It takes far more courage to show your vulnerabilities than it does to conceal them. Showing your strength in this way is a better deterrent to petty crime than any defensive measure is. If you doubt this, ask any police officer.
In my 1999 book, The Inmates Are Running the Asylum, I point out that remote alarm buttons on automobile keyfobs are an utterly unnecessary feature that surely had its roots in some engineer saying, “Hey! Look what I can do!” Thereafter, every remote entry fob has had to have the alarm button so as to not appear to have a deficient feature list. I have no doubt that the asterisk-covered characters in a password field had identical origins. Some engineer figured out a clever way to subclass a text entry field to put the moral equivalent of tailfins on his program, and ever since then others have been following suit to not appear deficient.
Normally, such mindless behavior would disgust me, but in this case it angers me, too. Because it isn’t just simple bad interaction design, but it is a bold assertion of that nameless, unreasoning, unjustified terror of which Roosevelt warned. It is another tiny crack in the wall that keeps us from barbarianism. Every time you put a concealed-password field on your website, you degrade our society, debase our culture, and demonstrate your irrational fear; your fear of fear itself.