Usability Spotter #6- The Twitter login page password revelation issue
December 21, 2009
Update (Mar 28, 2010): I noticed today that they (finally, one and a half months later) fixed up the issue.
Setting focus on text field to increase usability
Twitter’s login page runs a small script that sets focus on the ‘username’ text field as soon as the script loads, so that the user is spared either of the following before they can start entering account details:
Tabbing through the elements on the page (using the keyboard) until focus lands on the ‘username’ input field.
Moving the mouse over the ‘username’ text field and clicking on it.
The script sits at the bottom of the page, below the login form, which is a common page-speed practice: while a script is downloading, the browsers of the day download nothing else in parallel (several images, by contrast, can come through at the same time), so moving scripts to the bottom gives the rest of the page a chance to load faster.
The above two combined form the issue
When the page loads quickly, everything is fine and as intended: the script runs before the user does anything, focus is set on the ‘username’ text field and the user can proceed to typing in credentials.
The problem appears when the page loads slowly. The user does not wait for it to finish, clicks into the ‘password’ field and begins to type the password before the script at the bottom of the page has run. The script then loads and, as written, unconditionally moves focus to the ‘username’ field, so every keystroke from that point on lands in the unmasked ‘username’ field.
But won’t users notice their password appearing in the ‘username’ text field? Most probably not until most or all of the password has been revealed: novice to intermediate computer users look at the keyboard while typing a password. Expert users may not need to, but since expert users are also more likely than novices to choose complex passwords, it is probable that they look at the keyboard while typing too.
By the time the user looks up, the remainder of the password has been typed into the ‘username’ field in clear text.
Severity of the issue
This could be labelled a usability issue of medium to high severity, since the issue translates into a security concern.
Having the password reveal itself against the user’s wishes is bad usability, because the application is not behaving as the user expects it to. When a user enters data in a text box, the user expects that data to appear in that text box, either masked or as-is depending on whether it is a password field or not. What the user does not expect is for focus to jump to another text box and their password to be revealed.
Of equal concern is the consequence of the issue: the user’s password is partially or completely revealed without any intention on the user’s part, and it then sits in an ordinary text field, visible on screen until the user notices and clears it. The password may be observed by a passerby, whether or not the user notices them, who may then go on to compromise the account.
This is certainly something Twitter should fix immediately, considering the low level of effort (LOE) required to plug it. There are two solutions, both very simple, each with its pros and cons.
The first solution is to move the code so that it runs as soon as the ‘username’ field exists, rather than at the bottom of the page: an inline script placed immediately after the login form executes the moment the form has been parsed, before the user has had a chance to click into it, so focus is always set on the ‘username’ text field first. (Placing the script above the field, as one might be tempted to, does not work on its own: at that point the field has not been parsed yet, so the script has nothing to focus unless it also waits for the document to be ready, which reopens the window.)
Pro: Focus will always be set on the ‘username’ field before the user can attempt to do so. Con: Page loading speed may be compromised, since the script now holds up whatever comes after it in the page.
The second solution is to modify the script’s logic and leave it where it currently is, so that page loading speed is uncompromised and the issue does not occur either.
Currently the script simply sets focus on the ‘username’ text field when it loads. It can instead first check whether focus is already on either the ‘username’ or the ‘password’ field of the login form. If so, it does nothing, since we can assume the user is busy entering account details. If focus is on neither field, it sets focus on the ‘username’ field as it did before.
The advantage is that page loading speed is not compromised, and the user’s password can no longer be revealed by accident. What is not ensured is that the script wins the race: the user may set focus on the ‘username’ field manually before the script does, in which case the script has saved them nothing.
Pro: Page loading speed remains uncompromised and the unintended password revelation can never occur. Con: The goal of the ‘text field focus’ script, which was to always set focus on ‘username’ before the user can attempt to do so, is not met in every case.
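As an added example (not code from the original post or from Twitter’s login page), here is the focus-on-load logic in both forms: the unconditional version that produces the password revelation described above, and the guarded version of the second solution that first checks document.activeElement. The function names focusUsernameUnconditionally, focusUsernameIfIdle, makeFakeDocument and simulate are my own, the field ids ‘username’ and ‘password’ are assumed, and the fake document is a constructed stand-in for the browser DOM so that the race can be replayed under Node; in a real page you would pass the real document instead.

```javascript
// Added example, not the original page's script. Field ids 'username' and
// 'password' are assumed; makeFakeDocument() is a constructed stand-in for the
// browser DOM so the race can be replayed offline under Node.

// Original behaviour: move focus to the username field no matter what.
function focusUsernameUnconditionally(doc) {
  const username = doc.getElementById('username');
  username.focus();
  return username;
}

// Solution 2: only move focus when the user is not already in a login field.
// document.activeElement is the body (or undefined where unsupported) when no
// control has focus; anything other than the two fields counts as "idle", so an
// unsupported value simply falls through to the old behaviour.
function focusUsernameIfIdle(doc) {
  const username = doc.getElementById('username');
  const password = doc.getElementById('password');
  const active = doc.activeElement;
  if (active === username || active === password) {
    return null; // the user is busy entering credentials; leave focus alone
  }
  username.focus();
  return username;
}

// --- constructed stand-in for the DOM, not a browser API ---
function makeFakeDocument() {
  const byId = {};
  const doc = {
    body: { id: 'body', value: '' },
    activeElement: null,
    getElementById: (id) => byId[id],
    // Simulate keystrokes: they go to whichever element currently has focus.
    type(text) { doc.activeElement.value += text; },
  };
  doc.activeElement = doc.body;
  for (const [id, type] of [['username', 'text'], ['password', 'password']]) {
    const field = { id, type, value: '', focus() { doc.activeElement = field; } };
    byId[id] = field;
  }
  return doc;
}

// Replay the race from the post: the page is slow, the user clicks into the
// password field and types the first characters before the deferred script runs.
// Returns what ended up in each field (constructed sample password 's3cret!').
function simulate(setFocus) {
  const doc = makeFakeDocument();
  doc.getElementById('password').focus(); // user clicks the password field
  doc.type('s3cr');                       // first keystrokes, still masked
  setFocus(doc);                          // the script at the bottom now runs
  doc.type('et!');                        // the rest of the password
  return {
    username: doc.getElementById('username').value,
    password: doc.getElementById('password').value,
  };
}

console.log('unconditional:', simulate(focusUsernameUnconditionally));
console.log('guarded:      ', simulate(focusUsernameIfIdle));
```

With the unconditional script the tail of the password (‘et!’) ends up in the clear-text ‘username’ field; with the guarded script the whole password stays in the masked ‘password’ field, and on a page where nothing has focus yet the guarded script still places the cursor in ‘username’ exactly as before. The guarded version can stay at the bottom of the page where Twitter’s script already was; the check, not the placement, is what closes the race.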
Here’s hoping to see Twitter patch this up as soon as possible. What are your thoughts?