Chapter #35. Obfuscate Passwords in Fields, but Provide a "Show Password" Toggle
It still makes sense to obfuscate ("star out") passwords as they're being entered, but let's be real: shoulder-surfing isn't possible when you're signing in to an app on your couch.
Providing a "show password" toggle is not only great for usability, but also improves security: users can enter longer, more complex pass-phrases and be confident that they can retype them correctly. Default to obfuscating the password, but provide a checkbox or toggle that allows the user to see their password.
Yes, I know we should all be using a password manager (a plugin that generates and stores all your site passwords for you), but the fact remains that most regular users don't.
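An added example (not from the book) of the toggle described above: the field defaults to obfuscated, a button switches it between masked and visible, and it is re-masked when the form is submitted. The element ids #password and #show-password and the function names are assumptions.

```javascript
// Added example: wiring for a "show password" toggle. The ids used in the
// browser hook-up at the bottom (#password, #show-password) are assumptions.

function setPasswordVisible(input, toggle, visible) {
  // type="password" masks the value; type="text" reveals it.
  input.type = visible ? 'text' : 'password';
  // Expose the state to assistive technology and keep the label in sync.
  toggle.setAttribute('aria-pressed', String(visible));
  toggle.textContent = visible ? 'Hide password' : 'Show password';
}

function attachShowPasswordToggle(input, toggle, form) {
  // Default to obfuscated, whatever the markup said.
  setPasswordVisible(input, toggle, false);

  toggle.addEventListener('click', (event) => {
    event.preventDefault(); // a <button> inside a form must not submit it
    setPasswordVisible(input, toggle, input.type === 'password');
  });

  // Re-mask before submitting so the field goes out as type="password"
  // and the browser does not treat the value as ordinary text to remember.
  form.addEventListener('submit', () => setPasswordVisible(input, toggle, false));
}

// Browser hook-up (skipped when there is no DOM, e.g. under Node).
if (typeof document !== 'undefined') {
  const input = document.querySelector('#password');
  const toggle = document.querySelector('#show-password');
  if (input && toggle && input.form) {
    attachShowPasswordToggle(input, toggle, input.form);
  }
}
```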
Show the password strength rules. Don't make users try and try again to enter passwords, only to be told later that they need to have a certain obscure combination of letters, numbers and symbols. Show the user the rules the whole time that the password...