best practices for login security?

12 Aug 2008 - 4:01pm
6 years ago
16 replies
4167 reads
Meredith Noble
2010

Hi folks,

Does anyone know where I could find a list of best practices around
login security? I'm looking for an overview of the most common
techniques and how they relate to both security and user experience --
pros and cons.

For instance, I'd like information on:

- CAPTCHAs
- Site Keys (photographs uploaded by users and shown when they visit the
site so they know they are on the genuine site and haven't been phished)
- Enforcing strong passwords (vs. showing a password strength indicator
but not enforcing it)
- Hint questions and when they're useful vs. not useful (though the
thread http://www.ixda.org/discuss.php?post=31190 had a great discussion
about this)
- Emailing lost passwords to users

My current client is trying to address some security issues but the
particular approaches they've chosen seem somewhat flawed to me. It
would be great to find a balanced analysis of the options plus a
list of recent innovations in this field.

Thanks very much!

Meredith

Comments

13 Aug 2008 - 1:40am
netwiz
2010

On Tue, 12 Aug 2008 17:01:19 -0400, Meredith wrote:

>Hi folks,
>
>Does anyone know where I could find a list of best practices around
>login security? I'm looking for an overview of the most common
>techniques and how they relate to both security and user experience --
>pros and cons.
>
I'm looking at a similar issue. I found this on passwords, but haven't
looked in depth yet.

http://www.humanfactors.com/downloads/jun04.asp

It seems that users having the caps lock key on is an issue for case
sensitive passwords, and that you might need to cater for it in the
field prompt and error message.

Does anyone know how complex the algorithm is for the 'strength of
password' prompt when people choose a password?

* Nick Gassman - Usability and Standards Manager - http://ba.com *

13 Aug 2008 - 9:06am
Chauncey Wilson
2007

Hi,

There is an edited book that covers many topics related to security and
usability that might have some useful information. Here is the title from
Amazon.

*Security and Usability: Designing Secure Systems that People Can
Use* <http://www.amazon.com/Security-Usability-Designing-Secure-Systems/dp/0596008279/ref=sr_1_1?ie=UTF8&s=books&qid=1218636293&sr=1-1> by
Lorrie Cranor and Simson Garfinkel
(*Paperback* - Aug 25, 2005) - *Illustrated*

Chauncey


13 Aug 2008 - 9:09am
SemanticWill
2007

This is a good book. I have this book - but it does not include design
patterns or best practices in a formula you can just copy out of the book and
create wireframes or an IxD functional spec from - you will actually have to come up
with your own solution.


--
~ will

"Where you innovate, how you innovate,
and what you innovate are design problems"

---------------------------------------------------------------------------------------------
Will Evans | User Experience Architect
tel: +1.617.281.128 | will at semanticfoundry.com
aim: semanticwill | gtalk: wkevans4
twitter: semanticwill | skype: semanticwill
---------------------------------------------------------------------------------------------

13 Aug 2008 - 9:56am
Meredith Noble
2010

> I'm looking at a similar issue. I found this on passwords, but haven't
> looked in depth yet.
>
> http://www.humanfactors.com/downloads/jun04.asp

One of my questions right now is whether or not to enforce the password
complexity rule. Is it enough to inform the user that their password is
weak, and let them go about their business if they so desire? Or do we
force them to have a "strong" password that they may forget later?
Security at the expense of usability, or usability at the expense of
security?

The article you linked proposes some good tips for users for creating
passwords, but it doesn't help inform design much. I guess we could
share tips about how to make a secure-but-easily-memorable password in a
little help section, but I expect most people are so focused during a
registration process that they wouldn't bother reading it. The
passphrase technique is fabulous, but it's hard to explain that in a
sentence, plus most people have a set of predefined passwords that they
use on sites anyway.

Personally I hate it when I'm forced to include at minimum 8 characters,
one uppercase character, one lowercase character, a symbol, etc. My
worry is that if we enforce this (as the project charter currently
specifies!) that people will choose crazy passwords, forget them, and
have to make numerous password retrieval requests, thereby degrading
their experience on the site.

Or perhaps it's not as big a deal as I'm anticipating? I'd love input.

Meredith

13 Aug 2008 - 10:31am
Meredith Noble
2010

Chauncey wrote:
> There is an edited book that covers many topics related to security and
> usability that might have some useful information. Here is the title from
> Amazon.
>
> *Security and Usability: Designing Secure Systems that People Can
> Use* <http://www.amazon.com/Security-Usability-Designing-Secure-Systems/dp/0596008279/ref=sr_1_1?ie=UTF8&s=books&qid=1218636293&sr=1-1> by
> Lorrie Cranor and Simson Garfinkel
> (*Paperback* - Aug 25, 2005) - *Illustrated*

FYI, turns out this book is on Google Books: http://tinyurl.com/6ob22p

Some pages have been removed, but there's enough to get a good feel for
things I expect.

Thanks for the recommendation. My Google search for "usability security"
turned up a variety of other promising sites as well (why didn't it
occur to me to use that phrase yesterday?) so I'll report back to the
list if I find anything useful.

Meredith

13 Aug 2008 - 10:37am
Kevin Cheng
2004

> One of my questions right now is whether or not to enforce the password
> complexity rule. Is it enough to inform the user that their password is
> weak, and let them go about their business if they so desire? Or do we
> force them to have a "strong" password that they may forget later?
> Security at the expense of usability, or usability at the expense of
> security?
>
> Personally I hate it when I'm forced to include at minimum 8 characters,
> one uppercase character, one lowercase character, a symbol, etc. My
> worry is that if we enforce this (as the project charter currently
> specifies!) that people will choose crazy passwords, forget them, and
> have to make numerous password retrieval requests, thereby degrading
> their experience on the site.

This is personal opinion but I feel that design needs to be as
flexible as possible unless there's a really good reason to do
otherwise. For example, if your site is related to banking. Even
Amazon, which stores credit cards, doesn't have a rigorous set of
password rules (but they do have other measures, such as requiring you
to enter the CC# again if you try to add a shipping address).

In that sense, I think it's better to inform than enforce.

Let the users know the strength of their password but don't force them
to any particular level.

kevin cheng • kc at kevnull.com
author of http://bit.ly/seewhatimean
work at http://raptr.com
cofounder of http://ok-cancel.com / http://offpanel.com
talks a lot at http://kevnull.com / http://twitter.com/kevnull

13 Aug 2008 - 5:33pm
cfmdesigns
2004

> From: Meredith Noble <meredith at usabilitymatters.com>
>
> Personally I hate it when I'm forced to include at minimum 8 characters,
> one uppercase character, one lowercase character, a symbol, etc.

You forgot that neither the first nor the last character can be a non-letter (to avoid the use of "password!1", which is easier to break), and that the password has to be changed quarterly, and to something sharing no two-character sequences with the previous one (so no "pass!1word" and "pass!2word" usage).

(I've had two of those three, and they threatened the other. They should have just assigned us new random ones; it would have been less trouble.)

-- Jim

13 Aug 2008 - 9:32pm
jet
2008

Meredith Noble wrote:
> Hi folks,
>
> Does anyone know where I could find a list of best practices around
> login security? I'm looking for an overview of the most common
> techniques and how they relate to both security and user experience --
> pros and cons.

Putting on my professional security hat for a moment, I don't think
there is a general set of security best practices. There are specific
sets of best practices depending on what your general security
requirements are, but it's difficult to state a set of general best
practices that aren't so vague as to be useless. (ex: "Be functional",
"don't annoy the user", etc.)

Ask yourself: what is the value of what you're protecting? What is the
cost of a breach and who absorbs the cost? How often do you need to
authenticate and under what circumstances? Who are the potential
attackers and what resources do they have?

If you don't have one in-house or if the client doesn't have one, I
suggest you find a good security consultant and get a set of security
requirements and start from there.

--
jet / KG6ZVQ
http://www.flatline.net
pgp: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8

13 Aug 2008 - 9:38pm
jet
2008

One other note:

> - Emailing lost passwords to users

Never, ever, ever store passwords in the clear, anywhere. If a user
forgets their password, generate a temporary one and ask them to create
a new password.

Plenty of people re-use passwords on different sites; all it takes is
for one of those sites to store passwords in the clear to compromise the
accounts on multiple sites. On a smaller scale, all it takes is hacking
an individual's email account and doing lots of lost password requests
to get one or two of their common passwords.

--
jet / KG6ZVQ
http://www.flatline.net
pgp: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8

14 Aug 2008 - 12:03pm
Meredith Noble
2010

> > - Emailing lost passwords to users
>
> Never, ever, ever store passwords in the clear, anywhere. If a user
> forgets their password, generate a temporary one and ask them to
> create a new password.

Thanks, Eric. I hate it when people send me a "congrats, you're signed
up, and your password is BLAAAH" email -- it shows me they just don't
get it, and absolutely, it puts all of my other accounts at risk.

I meant more of "email a reset password link" to users. Then again, your
approach might be better because people can navigate to the site on
their own rather than trusting a link in an email (which could be
phishing them, technically). Would you agree?

Meredith

14 Aug 2008 - 12:23pm
jet
2008

Meredith Noble wrote:
> I meant more of "email a reset password link" to users. Then again, your
> approach might be better because people can navigate to the site on
> their own rather than trusting a link in an email (which could be
> phishing them, technically). Would you agree?

Well, it's not phishing them if it's a legitimate link. :-) But yes,
emailing them a temp password then setting the system to force a
password change on next login is a reasonably good practice. If an
attacker is trying to jack their account they'll get the email and can
take appropriate action.

My personal preference is to never mail sensitive links (login, password
reset), but amazon and eBay do it and seem to survive somehow.

--
jet / KG6ZVQ
http://www.flatline.net
pgp: 0xD0D8C2E8 AC9B 0A23 C61A 1B4A 27C5 F799 A681 3C11 D0D8 C2E8

14 Aug 2008 - 12:55pm
Matt Nish-Lapidus
2007

For a forgot-password email the best practice seems to be to flag
their account for a password change and email the user a link with a
unique token. The token expires and can only be used once.

When they click on the link they are taken directly to a new password
form. The unique token acts as a key into the password form and then
it expires forever. That way you never send a password, temporary or
not, in plain text as part of the email.


--
Matt Nish-Lapidus
work: matt at bibliocommons.com / www.bibliocommons.com
--
personal: mattnl at gmail.com
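Matt's token-based reset flow above, together with jet's rule earlier in the thread about never keeping passwords in the clear, worked through as an added Python example (not code from any poster or project): passwords are stored only as salted PBKDF2 hashes; the emailed token is random, kept in the database only as a hash, bound to one account, time-limited, single-use, and supersedes any earlier outstanding token for that account. The AccountStore class, its in-memory dicts, the iteration count and the 15-minute lifetime are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed work factor and link lifetime for this example; tune for your own deployment.
PBKDF2_ITERATIONS = 100_000
RESET_TTL_SECONDS = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the database never holds a password that can be emailed back.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _hash_token(token: str) -> str:
    # Only the hash of the reset token is stored, so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """Hypothetical in-memory stand-in for the user and reset-token tables."""

    def __init__(self) -> None:
        self.users = {}   # username -> {"salt": bytes, "pw_hash": bytes}
        self.resets = {}  # sha256(token) -> {"user": str, "expires": float, "used": bool}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw_hash": _hash_password(password, salt)}

    def verify_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Constant-time comparison of the stored and freshly computed hashes.
        return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))

    def request_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Flag the account and return the one-time token to embed in the emailed link.

        Returns None for unknown users; the web layer should show the same
        'check your email' message either way so accounts cannot be enumerated."""
        if username not in self.users:
            return None
        now = time.time() if now is None else now
        for rec in self.resets.values():        # a newer request supersedes older links
            if rec["user"] == username:
                rec["used"] = True
        token = secrets.token_urlsafe(32)       # 256 bits of randomness: unguessable
        self.resets[_hash_token(token)] = {
            "user": username, "expires": now + RESET_TTL_SECONDS, "used": False}
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Accept the token exactly once, before expiry, then set the new password."""
        now = time.time() if now is None else now
        rec = self.resets.get(_hash_token(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return False
        rec["used"] = True                      # burn the token before changing anything
        self.register(rec["user"], new_password)  # new salt and hash; old password stops working
        return True
```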

14 Aug 2008 - 1:09pm
Meredith Noble
2010

> > I meant more of "email a reset password link" to users. Then again, your
> > approach might be better because people can navigate to the site on
> > their own rather than trusting a link in an email (which could be
> > phishing them, technically). Would you agree?
>
> Well, it's not phishing them if it's a legitimate link. :-) But yes,
> emailing them a temp password then setting the system to force a
> password change on next login is a reasonably good practice. If an
> attacker is trying to jack their account they'll get the email and can
> take appropriate action.

Ha, indeed. I mean more that a security-aware user might worry about the
legitimate email being a phishing email. Then again, sites do this ALL
the time so people can't be that concerned. Plus the user just REQUESTED
a reset password link, so they can't be that surprised when they get one
:) Arg, talking myself in circles I think.

The more I think about all of this stuff, the more I realize there
really is no ideal way to do anything.

There is definitely a non-ideal way though, which is what my client is
proposing at the moment :) Has anyone ever seen a site where, if you
forget your password, you simply have to provide the answer to your
"secret question", and boom, you're in the site? It feels crazy to me,
but maybe I'm missing something :P One of the members on the project
team claims this was the practice at the (big-5 Canadian) bank he worked
at, but I just keep thinking he must be forgetting a detail...

Meredith

14 Aug 2008 - 1:53pm
bminihan
2007

I agree with Eric that it highly depends on what you're protecting -
go for broke if it's my SSN, but if it's not identity-theft-worthy
stuff (my blog posts, for instance), I'd rather not have to remember
my mother's blood type.

On my current project, we opted for encrypted passwords, never
provided in the clear, and Matthew's recommended practice - the
forgot-password unique key sent to your email, which just lets you
change your password.

We originally had pretty strict password-strength requirements, but
100% of our support calls around this came from legitimate mistypes
by valid users. I'd have to say the bigger security concern we have
has nothing to do with passwords, but with people masquerading as
their friends or enemies (ex-boyfriends, in particular) on the site.
It's not rampant by any means, but it's extremely difficult to
protect against someone creating an account with someone else's name
and posting defamatory content about them. Even if you prevent
against offensive language, you can say an awful lot of mean stuff
about someone without swearing.

As an anecdotal case-study, we have never had a single complaint or
request regarding our password-reset process, and its biggest benefit
over sending a temporary password is that you only have to change your
password once. Whenever I get a temporary password, if I don't
change it immediately after signing in, I eventually have to ask for
another temp pw. Kind of a pain.

Posted from the new ixda.org
http://www.ixda.org/discuss?post=31963

14 Aug 2008 - 2:55pm
Caroline Jarrett
2007

One tip for the forgotten password function: there's the problem of
people who no longer have access to their old email address, for
example because they no longer work at that job.

We got around that for one customer by allowing the user to choose
whether to email the password or display it.

best,
Caroline Jarrett
caroline.jarrett at effortmark.co.uk
phone: 01525 370379
international: +44 152 537 0379
mobile: 07990 570647

Effortmark Ltd
Usability - Forms - Content

We have moved. New address:
16 Heath Road
Leighton Buzzard
LU7 3AB

14 Aug 2008 - 4:49pm
Omri Eliav
2004

I work in the application-security-products group of a giant software
company. It made me aware of two things I wouldn't have thought of:

1. Lots of legal and regulatory issues are involved in the security business.
You should carefully check where you (or your client) stand
regarding that.

2. Sometimes (the folks next to me say - most of the time ;-) it
takes one bad password to download the whole database. So my bad
password can be your and the website's problem too (see 1).

As an IxD I'd hate to force strong passwords, but I guess sometimes
it's inevitable. In this case, your job is to make it bearable. For
all other cases, it's always good practice to promote strong passwords.

Good luck,
- Omri

On Aug 13, 2008, at 12:01 AM, Meredith Noble wrote:
> - Enforcing strong passwords (vs. showing a password strength
> indicator
> but not enforcing it)
