User Names and Passwords in Authentication Forms

I made an interesting observation today regarding login forms that accept user names and passwords for authentication--and what I'm seeing makes no sense.

Here's the issue: Nearly every login form that I've ever seen requires someone to enter their user name in clear text while the password is obscured so that anyone looking at the screen can't see the actual password. That latter aspect makes good sense.

So why don't application developers (including desktop, server, and Web developers) cause the user name field to also be obscured? After all, if someone can type a password without seeing the actual letters then they can also type a user name without seeing the letters.

I think the answer boils down to "follow the leader." What I mean by that is that somewhere along the line of system evolution someone made the decision to not obscure user names but to definitely obscure passwords. Then, probably 99% of everyone else who ever designed a login screen followed that lead--for no apparent reason other than simply mimicking what had already been done in the past. Whatever the reason they certainly weren't thinking about how to improve security while designing the form fields.

If the standard advice is to never let anyone know your user name and password, and to never write that information down, then why let people type it in clear text in plain view of anyone that can see the computer screen? Doing so makes no sense to me.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.