Password enforcement UI - good, bad or ugly?

19 Feb 2008 - 11:33am
9 replies
Kenny Kutney
2008

Thought maybe I could garner some opinions on the usability of
password enforcement techniques.

Recently, I've noticed a trend towards more "secure" passwords for
many things, and that's a good idea. However, I've also noticed that
certain web sites take that to an extreme, disallowing the use of any
password that does not meet their criteria. Often, these criteria are
also extreme.

For example, one web-based product (non-financial) refused to allow
me to enter a password that did not have ALL of:
- at least one capital letter
- at least one numeric
- at least one non-alpha character
- at least 8 characters

Clearly, this would produce a reasonably secure password, but I'd
never remember it!!! I prefer Google's approach, where a graphic
indicator shows me the "strength" of my password, but lets me choose
anything I want.

Would certainly love to hear the group's thoughts on this...

--
kenny kutney
kennykutney at mac.com

Comments

19 Feb 2008 - 2:11pm
Ari
2006

although these recommendations are valid, why put the burden on the user?

there exist several AJAX and Flash plugins or classes for doing 'password
strength' assessments, that visually grade the user's password using both
color and verbal ratings.

i think this would be more effective for users and keep the recommendations
in an FAQ for more advanced users.

thoughts?

Ari

On Feb 19, 2008 11:33 AM, Kenny Kutney <kennykutney at mac.com> wrote:

> Thought maybe I could garner some opinions on the usability of
> password enforcement techniques.
>
> Recently, I've noticed a trend towards more "secure" passwords for
> many things, and that's a good idea. However, I've also noticed that
> certain web sites take that to an extreme, disallowing the use of any
> password that does not meet their criteria. Often, these criteria are
> also extreme.
>
> For example, one web-based product (non-financial) refused to allow
> me to enter a password that did not have ALL of:
> - at least one capital letter
> - at least one numeric
> - at least one non-alpha character
> - at least 8 characters
>
> Clearly, this would produce a reasonably secure password, but I'd
> never remember it!!! I prefer Google's approach, where a graphic
> indicator shows me the "strength" of my password, but lets me choose
> anything I want.
>
> Would certainly love to hear the group's thoughts on this...
>
> --
> kenny kutney
> kennykutney at mac.com
>
> ________________________________________________________________
> Welcome to the Interaction Design Association (IxDA)!
> To post to this list ....... discuss at ixda.org
> Unsubscribe ................ http://www.ixda.org/unsubscribe
> List Guidelines ............ http://www.ixda.org/guidelines
> List Help .................. http://www.ixda.org/help
>

--
--------------------------------------------------
www.flyingyogi.com
--------------------------------------------------
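As an added example (not code from the thread, and not one of the AJAX or Flash plugins Ari mentions), here is a small client-side meter in JavaScript that treats the four rules from Kenny's original post as advice rather than as hard rejections, and grades overall strength with the colour-and-words rating Ari describes. The grade thresholds, the rule wording, the element ids and the figure of 33 printable symbols are assumptions made for the example.

```javascript
// Added example (not code from the thread): the four composition rules from
// the original post reported as tips, plus a colour/verbal strength grade.
// All identifiers, thresholds and element ids are hypothetical.

const COMPOSITION_RULES = [
  { id: "upper",  advice: "add a capital letter",             test: (p) => /[A-Z]/.test(p) },
  { id: "digit",  advice: "add a number",                     test: (p) => /[0-9]/.test(p) },
  { id: "symbol", advice: "add a non-alphanumeric character", test: (p) => /[^A-Za-z0-9]/.test(p) },
  { id: "length", advice: "use at least 8 characters",        test: (p) => p.length >= 8 },
];

// Advice strings for the rules the password does not satisfy (may be empty).
function unmetRules(password) {
  return COMPOSITION_RULES.filter((r) => !r.test(password)).map((r) => r.advice);
}

// Size of the alphabet the password visibly draws from.
function charsetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^A-Za-z0-9]/.test(password)) size += 33; // assumed: printable ASCII symbols
  return size;
}

// Upper-bound entropy in bits: length * log2(alphabet). True for a random
// string only; dictionary words and patterns make the real figure lower.
function entropyBits(password) {
  if (password.length === 0) return 0;
  return password.length * Math.log2(charsetSize(password));
}

// Bands chosen for the example; a product would tune these to its threat model.
const GRADES = [
  { maxBits: 28,       label: "very weak",   color: "red" },
  { maxBits: 36,       label: "weak",        color: "orange" },
  { maxBits: 60,       label: "fair",        color: "yellow" },
  { maxBits: 80,       label: "strong",      color: "lightgreen" },
  { maxBits: Infinity, label: "very strong", color: "green" },
];

// The rating a meter would show: colour, label, bits, and tips not enforced.
function ratePassword(password) {
  const bits = entropyBits(password);
  const grade = GRADES.find((g) => bits < g.maxBits);
  return { bits: Math.round(bits), label: grade.label, color: grade.color, advice: unmetRules(password) };
}

// Page wiring: update the meter as the user types, never blocking submission.
function attachMeter(inputEl, meterEl) {
  inputEl.addEventListener("input", () => {
    const r = ratePassword(inputEl.value);
    meterEl.style.backgroundColor = r.color;
    meterEl.textContent = r.advice.length ? `${r.label} (tip: ${r.advice[0]})` : r.label;
  });
}

// Only runs in a browser; element ids "password" and "meter" are assumed.
if (typeof document !== "undefined") {
  const input = document.getElementById("password");
  const meter = document.getElementById("meter");
  if (input && meter) attachMeter(input, meter);
}
```

The bit count is a best case that assumes the characters were picked at random, so a substituted dictionary word such as "0!ymp1cS" scores 53 bits here, far better than it deserves; that is the caveat any meter of this shape has to carry, and why a word-list check belongs beside it.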

19 Feb 2008 - 2:24pm
Mark Schraad
2006

Hey Kenny,
I worked in the field (computer security) for a couple of years. In the
simplest terms, the continuum is between ease of use, and security. Just as
you state... the extremes are not good. Easy to use = easy to crack. Hard to
crack = hard to remember. Forcing any or all of those criteria is pretty
harsh unless the site has a lot of liability. Suggesting those as 'tips' for
a more secure password offers the user a lot of flexibility.

Mark


19 Feb 2008 - 3:00pm
Katie Albers
2005

I know I was taught by a shockingly sane network engineer that the
easy way to develop hard to crack passwords was to choose a regular
word of the right length in your native language and then substitute
number(s) and punctuation marks as appropriate and capitalize either
the first or last letter. As long as you use consistent
substitutions, all you have to remember is the word. So, for example,
"Olympics" becomes
"0!ymp1cS" and in all my passwords O becomes 0, L becomes !, I
becomes 1 and so forth. Not all users have to use the same set of
substitutions, but each user needs to be consistent from one password
to the next, otherwise it's yet another memory problem.

Is there a problem with recommending -- perhaps on a "help" linked
page -- such a method to users?


--

----------------
Katie Albers
katie at firstthought.com

19 Feb 2008 - 4:08pm
Omri Eliav
2004

There are legal and global security sides too. In many cases it takes
one bad password to hack your entire webapp. If someone hacks your
application because of a bad password policy, you can be exposed to
a lawsuit from other users.

As for solution... It depends.

-- Omri

On Feb 19, 2008, at 6:33 PM, Kenny Kutney wrote:

> Thought maybe I could garner some opinions on the usability of
> password enforcement techniques.


19 Feb 2008 - 4:26pm
Jeff Seager
2007

The problem with this trend (and I'm seeing it as such, too, Kenny)
is that it presumes that more security is always better. But in many
use cases (blogs, mailing lists, software tech support), such
stringent security can be ridiculous and inconvenient.

Security is not just protection. It's also reassurance. Excessive
protection is more aggravating than reassuring, and likely to drive
people to goods and services that balance these considerations
better.

I like the visual and verbal indicators of password strength. They
give me choice, leave me in control. I think it's best to err on the
side of enlightened self-interest and leave the details of these
decisions to the user.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=26110

19 Feb 2008 - 3:10pm
Anthony Hempell
2007

Another strategy is to create memorable Name/Number combinations that
are part of a larger set that can be mined for almost infinite
password ideas, such as:

Car make / year (Cadillac77 or Mustang!56)
Athlete / number (Jordan23 or Gretzky!99)

etc....


19 Feb 2008 - 7:44pm
Ari
2006

yes but passwords like those you describe are prone to hacking as they
contain dictionary words that some brute force password crackers use to
increase their chances of cracking passwords.

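An added example, not code from the thread, illustrating Ari's objection to the substitution scheme in Katie's post and the name-plus-number scheme in Anthony's: a defensive word-list check in JavaScript that reverses the common substitutions and strips numeric affixes before looking the remainder up, which is the same mangling-rule approach a cracker applies, so a substituted dictionary word is only a handful of guesses away from the plain word. The substitution table and the tiny word list are constructed for the example; a real check would use a large dictionary or breached-password list.

```javascript
// Added example (not code from the thread): undo common character
// substitutions and number affixes, then look the remainder up in a word
// list. Table and list are constructed for this example.

const SUBSTITUTIONS = new Map([
  ["0", ["o"]], ["1", ["i", "l"]], ["!", ["i", "l"]], ["|", ["i", "l"]],
  ["3", ["e"]], ["4", ["a"]], ["@", ["a"]], ["5", ["s"]], ["$", ["s"]], ["7", ["t"]],
]);

// Constructed word list: common words plus the names used in the thread's examples.
const WORDLIST = new Set([
  "olympics", "password", "cadillac", "mustang", "jordan", "gretzky", "welcome",
]);

// Every way of reading the substituted characters back as letters, lower-cased.
// Bounded so a long symbol-heavy input cannot blow up the candidate set.
function unsubstituteCandidates(s, limit = 64) {
  let candidates = [""];
  for (const ch of s.toLowerCase()) {
    const options = SUBSTITUTIONS.get(ch) || [ch];
    const next = [];
    for (const prefix of candidates) {
      for (const opt of options) {
        if (next.length >= limit) break;
        next.push(prefix + opt);
      }
    }
    candidates = next;
  }
  return candidates;
}

// How many readings the substitutions create: the factor by which they
// multiply a cracker's work over the plain word ("0!ymp1cS" gives 4).
function substitutionVariants(password) {
  return unsubstituteCandidates(password).length;
}

// Drop leading/trailing runs of non-letters: Cadillac77, Mustang!56, Gretzky!99.
function stripAffixes(s) {
  return s.replace(/^[^A-Za-z]+|[^A-Za-z]+$/g, "");
}

// Check the raw string and the affix-stripped string; the raw form catches
// words whose substituted letters sit at the ends (the "0!" in "0!ymp1cS").
function dictionaryMatch(password) {
  const forms = new Set([password, stripAffixes(password)]);
  for (const form of forms) {
    if (form.length === 0) continue;
    for (const candidate of unsubstituteCandidates(form)) {
      if (WORDLIST.has(candidate)) return { matched: true, word: candidate, form };
    }
  }
  return { matched: false, word: null, form: null };
}

// Demo over the thread's own sample passwords plus one non-word.
for (const p of ["0!ymp1cS", "Cadillac77", "Mustang!56", "Gretzky!99", "xq7!pz"]) {
  const m = dictionaryMatch(p);
  console.log(p, m.matched
    ? `matches "${m.word}" (${substitutionVariants(p)} readings to try)`
    : "no word-list match");
}
```

Run under Node, the demo reports "0!ymp1cS" as a match for "olympics" with only four readings to try, and each of Anthony's make/athlete examples as a match once the trailing number is stripped; the meter in a signup form would use this result to lower the grade rather than to reject the password outright.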

19 Feb 2008 - 8:08pm
SemanticWill
2007

Yeah. Depends on what you're securing and from whom. Good combo is the
old biometric plus passphrase plus mutating challenge-response. But 99.99999
don't require it since most people will willingly give up their pw
through social engineering and cmps capable of brute force are too
busy reading our email. Thanks AT&T!

will evans
user experience architect
wkevans4 at gmail.com
617.281.1281


20 Feb 2008 - 5:30am
Louise Vinciguerra
2008

Creating unique and secure passwords that are easy to remember can become difficult if you have several accounts, which most people nowadays do. But why bother with creating ludicrously long and complicated passwords when a simple solution is just to use a password manager?

Unfortunately, switching numbers and letters isn't enough anymore:

http://passpack.wordpress.com/2007/06/04/choosing-passwords-long-is-strong/

Louise

(disclaimer: I work for PassPack)
