Bubble Foundry


Password Fields

by Peter.

Maybe I’m alone in this, but there are several things that bother me about password fields in login forms. First, do we really need to have those silly dots obscuring the characters you type? It just makes it harder to check that you typed a difficult password correctly. Invariably what I end up doing is typing the password into a simple text editor and then copy-and-pasting it into the field. So, if someone was looking over my shoulder they would still see the plain text password. Speaking of which, passwords are in plaintext so JavaScript code can easily grab them and, if you’re not using HTTPS, anyone between you and the destination server can too.

And really, if someone you don’t trust is looking over your shoulder then they can figure out your password regardless of the characters being obscured on screen. First, unless you cover your keyboard or are an incredibly quick typer they can easily see which keys you hit. Furthermore, since the number of dots is equal to the actual number of characters in the password in almost every case I’ve seen, they will at least know how long your password is, which makes brute-forcing it a lot easier.

My second pet peeve is all the password restrictions. I don’t really mind if you require me to have a 25-character password with upper- and lower-case letters, plus at least one number and one punctuation mark. Though really, does your lolcats site really require that? But, if you do, for the love of God tell me that requirement before I fill out your massive signup form only to have it rejected because my password isn’t ‘secure’ enough. Likewise, always put a reminder about your crazy requirements on your login page. I will invariably attempt to log in with my usual, simpler passwords a million times before realizing that you made me make a crazy long password just for you.

Who’s with me?