
Is it Time to Stop Masking Passwords?

Posted by on July 1, 2009

Protecting passwords from unauthorized snooping is, probably, one of the most basic tenets of security—after all, if someone can see your password, no amount of technology is going to protect you from unauthorized access.

On the other hand, in most circumstances, protecting your password from unwanted snooping is not necessary—because, most of the time, there is nobody to snoop them, argues usability expert Jakob Nielsen in the latest post on his AlertBox.

His point is simple: most people work in the privacy of their homes and offices, where all masking passwords does is increase the number of mistakes that they make, thus reducing the usability of applications and websites without affecting their security in a positive way.

For those situations where shoulder surfing is a consideration (like when using a terminal in a public area), Nielsen suggests that the easy solution is to make password masking a user-selectable option, for example by means of a checkbox that toggles it on and off.

We’re pretty sure that this piece of advice will not go down easy with the security crowd—although perhaps a middle-of-the-road solution like what mobile OS developers have recently begun to adopt could have some value. On most modern phones, typing a password results in the characters being visible for a short period of time—a second or two—after which they are masked with an asterisk or an interpunct.
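The two mechanisms described above (a user-controlled mask toggle and the phone-style brief reveal of the last typed character) modelled as an added JavaScript example that is not part of the original post or of any product it mentions. The one-second reveal window, the interpunct mask character and the `renderPassword` / `MaskedPasswordField` names are my own assumptions; the point worth noticing is that the real secret is kept separate from the rendered string, so whatever the user sees, masking never changes what is submitted.

```javascript
// Added example, not code from the original post. It models the two
// mechanisms the article describes: a user-controlled "mask" toggle and the
// phone-style behaviour of showing the last typed character briefly before
// masking it. The secret itself never changes; only the rendered string does.
const REVEAL_MS = 1000;       // assumption: "a second or two" from the post
const MASK_CHAR = '\u00B7';   // interpunct, one of the mask glyphs mentioned

// Pure rendering rule: given the real value, when the last key was pressed,
// the current time and the masking toggle, return what the field displays.
function renderPassword(value, lastKeyAt, now, masked = true) {
  if (!masked) return value;                        // user opted out of masking
  const chars = Array.from(value);                  // handle non-BMP characters
  if (chars.length === 0) return '';
  const recent = lastKeyAt !== null && now - lastKeyAt < REVEAL_MS;
  const hidden = recent ? chars.length - 1 : chars.length;
  return MASK_CHAR.repeat(hidden) + (recent ? chars[chars.length - 1] : '');
}

// Controller that a page would drive from its input events (beforeinput,
// change on the checkbox, and a timer to re-render once the reveal window
// ends). The clock is injectable so the timing can be exercised without a
// browser.
class MaskedPasswordField {
  constructor(clock = Date.now) {
    this.secret = '';        // the real password, submitted as-is
    this.lastKeyAt = null;   // null => nothing is currently revealed
    this.masked = true;      // checkbox state; masking on by default
    this.clock = clock;
  }
  type(ch) {                 // append one character and open its reveal window
    this.secret += ch;
    this.lastKeyAt = this.clock();
    return this.display();
  }
  backspace() {              // deleting reveals nothing about what remains
    this.secret = Array.from(this.secret).slice(0, -1).join('');
    this.lastKeyAt = null;
    return this.display();
  }
  setMasked(on) {            // the "mask my password" checkbox
    this.masked = on;
    return this.display();
  }
  display() {
    return renderPassword(this.secret, this.lastKeyAt, this.clock(), this.masked);
  }
  value() { return this.secret; }
}
```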

What are your thoughts? Is password masking useful, or do you agree with Jakob Nielsen that it’s finally time to reevaluate its purpose and come up with an alternative solution?


Marco is the keeper of keys and Chief Garbage Collector at Blue Parabola. He can be found on Twitter as @mtabini.