
JavaScript toy keyboards for security?

Every now and then, people come up with totally inappropriate uses of JavaScript. First there were scrolling messages in status bars, then pop-up ads, and now this: Boing Boing reports that Citibank UK is forcing customers to use a toy JavaScript keyboard (pictured) to enter their passwords as a "security measure". While I like the idea of companies thinking that they can enhance security with JavaScript instead of treating it like an inherent security risk, this is wrong on every possible level.

While they intended this to be a defense against key-logging software, as Boing Boing points out, it actually reduces security: it limits the number of characters you can use in passwords, encourages customers to use short passwords, and makes it easier to obtain someone's password by watching over their shoulder. If they're concerned about spyware, how hard would it be for a spyware program to pop up its own identical keyboard and log passwords?

Of course, it also throws accessibility out the window—you can't even click the "sign on" link without JavaScript enabled. Worse yet, the comments on the Boing Boing story mention that several other banks have similar login interfaces. [via This is Broken, and it sure is.]
