Password requirements are not user friendly

28 Oct 2008 - 6:50am
20 replies
Ali Naqvi
2008

Many of you might have tried creating an account online in order to
participate in an online forum or in order to apply for a job in a major
corporation.

Many times a password needs to consist of the following:
A capital letter
A digit or sometimes 2 digits
Minimum 8 Characters
The password must not include ANY of the letters or digits already
contained in your user name.

Why make it hard for a user to sign up?? Why can't a username 'ABS_4u' have
the following password 'Malemodel_14' ?? What's the problem with having
digit '4' appearing in both the username and password??

I know that 'regular expressions' in a dynamic website help with
preventing fraud etc. But programmers should be aware that users will
leave if the sign-up process is hard and time-consuming.

Such password requirements are hard to remember. Why can't I just have a
password the way I want it?? If I don't want any digits then let ME decide
that. Don't throw rules and requirements at me. It's MY account and I am the
one responsible for letting hackers misuse my account. Which I doubt they
will anyway.

Another important thing to keep in mind is culture and religious beliefs.
In certain South Asian cultures 2 digits are seen as a bad omen. Why even
ask for a Capital letter?? My South Asian parents HATE using Capital
letters and want to just enter a password with no hassle.
'Pressing shift and a letter in order to Capitalize it is irritating'.
Respect the user and make it easier for him/her to decide a password!
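The two kinds of policy argued over in this thread, as an added example that is not part of the original post: the composition rules listed above (including the no-shared-characters rule that rejects 'ABS_4u' / 'Malemodel_14') beside a length-first policy that only rejects a password containing the username or appearing on a common-password list. The denylist is a constructed stand-in for a real breached-password list; both functions return the list of violations so the thread's example pair can be checked directly.

```python
from __future__ import annotations

import re

# Username/password pair quoted in the original post.
USERNAME = "ABS_4u"
PASSWORD = "Malemodel_14"

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}


def strict_policy(username: str, password: str) -> list[str]:
    """Composition rules as listed in the post; returns the violations found."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # The rule the poster objects to: no letter or digit may also occur in
    # the username (compared case-insensitively, so 'A' in ABS_4u counts too).
    shared = sorted({c for c in password.lower() if c.isalnum()}
                    & {c for c in username.lower() if c.isalnum()})
    if shared:
        problems.append("shares characters with username: " + "".join(shared))
    return problems


def lenient_policy(username: str, password: str) -> list[str]:
    """Length-first policy: minimum length, username not contained in the
    password, not a well-known password. No composition rules, so a digit
    shared with the username is not a violation."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    return problems


if __name__ == "__main__":
    for name, policy in (("strict", strict_policy), ("lenient", lenient_policy)):
        verdict = policy(USERNAME, PASSWORD) or ["accepted"]
        print(f"{name:8s} {USERNAME!r}/{PASSWORD!r}: {', '.join(verdict)}")
```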

Comments

28 Oct 2008 - 7:09am
Mark Canlas
2003

Here's the programmer-sympathetic counter to what you're saying.
Users tend to choose the easiest-to-type passwords. These passwords also
tend to be the easiest to break into.

No end-user is willing to take responsibility for a compromised system.
None.

The potential cost of recovering/auditing/repairing a compromised system as
well as any potential legal fallout of exposed user information is much
greater than the cost imposed by inconveniencing a small set of users.

> ________________________________________________________________
> Welcome to the Interaction Design Association (IxDA)!
> To post to this list ....... discuss at ixda.org
> Unsubscribe ................ http://www.ixda.org/unsubscribe
> List Guidelines ............ http://www.ixda.org/guidelines
> List Help .................. http://www.ixda.org/help

28 Oct 2008 - 8:22am
Ali Naqvi
2008

Hello Mark,
as I stated earlier, the 'regular expression' needed in order to
prevent misuse should allow a user to use the same digit in his/her
password as used in the username.
When I took the course PHP and MYSQL I learned that 'regular
expressions' can be used in a user-friendly manner.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=34957

28 Oct 2008 - 8:40am
Santiago Bustelo
2010

Mark Canlas wrote:
> No end-user is willing to take responsibility for a compromised system.

Asking users to choose a password compels them to take
responsibility. Their cost/benefit judgement (strong vs. easy to
remember password in regard to their perceived value of what is at
stake) should be trusted afterwards.

Annoying and scolding users seems reasonable only because
inconvenience is easily mistaken for security.

--

Santiago Bustelo // icograma
Buenos Aires, Argentina


28 Oct 2008 - 9:28am
Andrew Jaswa
2008

On Tue, Oct 28, 2008 at 7:09 AM, Mark Canlas <mark at htmlism.com> wrote:
> Here's the programmer-sympathetic counter to what you're saying.
> Users tend to choose the easiest-to-type passwords. These passwords also
> tend to be the easiest to break in to.

All of my strong passwords are easy to type (which is why I chose
them). It annoys and concerns me when a website forces me to select a
weak password.

Restricting what a user can pick for a password to the point where they
aren't going to remember it serves no one. Not the user and not the
company/website. If the user cannot remember their password then the
company/website should have some way to recover/reset that password.
In some cases this requires the user to *call* the company to recover
their password (wasted resources if the user was allowed to pick a
password they could remember).

As far as weak passwords go, the system shouldn't be so insecure as to
allow one user to cause very much damage. If the user selects a weak
password and someone breaks into their account and destroys the user's
info/account/profile, the responsibility is on the user. If the system
allows that one user to destroy the system then that is on the
company. Granted, admins might have that power, but they are not typical
users and tend not to select weak passwords.

The best way I've seen to encourage users to select strong passwords
is to show them on the fly how strong it is. Who wants to see a big
red "weak" next to their password?

Just my 2 cents.

--
Andrew Jaswa
andrewjaswa.com
wsuug.org

28 Oct 2008 - 9:26am
Sohel Kapasi
2008

A very recent suggestion I provided in my current project, which I
felt was a reasonably good solution to overcome this password-remembering
hassle.

I agree with this issue; I also keep forgetting passwords for so many
websites and applications where my password does not fit my
password-generating pattern.

As per my study and readings at my customer location, I found that
everyone has their own password-generating pattern and very few keep a
unique password at every site; therefore password selection MUST be as
flexible as selecting a username.

But considering security I strongly follow mix-and-match methods for
passwords, but the mixing facility has to be very easy and there
shouldn't be any restriction on the users.

For example:
My password-generation pattern always starts with my favorite word
"kapasi", making all choices around this.

kapasi_score OR

kapasi at 911 OR

kapasi$need, etc

Here I never preferred to have the following conditions, as otherwise it's
very confusing for me and hard to remember which combination I
have kept for each password.

Hard conditions:
Must have one uppercase and one digit (where I can't keep any special
character)

Must have one special character and less than 8 digits

Must have one number (where I can't keep any special
character).....

In short, the moment you restrict one thing or the other, which
restricts my password-generating pattern, it will be BIG trouble for me.

And the second very important item is that I hardly read the
password-generating conditions which are there to teach us how to generate
a password, and in this case I always try to generate a password
my way and fail a couple of times; after frustration I try to read
their instructions or simply close the window.

Thank you
Sohel Kapasi


28 Oct 2008 - 11:02am
EngageMotion
2008

These strong password requirements were not invented by evil
programmers designed to thwart the heroic efforts of usability
experts across the globe...

It is one of the minimum "due diligence" requirements (PCI) for
merchants who want to accept major credit cards online.

http://usa.visa.com/merchants/risk_management/cisp_overview.html

No one wants to make it more difficult for a user to sign-up, but I
think everyone would agree that successful "brute force" attacks
are not very "user-friendly".

It is not about security through "inconvenience" but there are real
technical reasons for strong passwords at least on e-commerce sites.
It is the lesser of two evils.

If a user has ADHD, then there is software to help them keep (and
even create) strong passwords.

http://www.snapfiles.com/get/keepass.html


28 Oct 2008 - 11:32am
Andy Polaine
2008

> If a user has ADHD, then there is software to help them keep (and
> even create) strong passwords.

I usually just use this one: ••••••••••••••••••

;-)

28 Oct 2008 - 12:41pm
Santiago Bustelo
2010

Chris Vestal wrote:
> http://usa.visa.com
> It is not about security through "inconvenience" but there are
> real technical reasons for strong passwords at least on e-commerce
> sites.

Usually it is about inconvenience *instead* of security. The most
commonly used security "metric" is how safe users feel they are, or
stakeholders believe users are.

A reality check about how much credit card companies actually care:
http://www.zug.com/pranks/credit-cards/

I would certainly not advocate weak passwords. But password strength
is a subjective matter. The same password can be considered very weak
or unbeatably strong by two different algorithms ( = programmers).
That is why the burden is always on the user, whose decision must be
respected. Inform users how strong your algorithm "thinks" their
passwords are (I second Andrew on doing it on the fly), but don't
kick them out if they consider that the value that password has to
protect does not deserve any more trouble.


28 Oct 2008 - 12:46pm
Mark Canlas
2003

So you would advocate letting users set blank or English-word passwords? The
user may think these are "secure enough". But what will they think when
their funds are depleted by someone who broke into their account?


28 Oct 2008 - 1:01pm
Ali Naqvi
2008

To Mark,
you have to keep in mind that my post was concerning Online Forum and
Job Application passwords. I did not mention B2B or any other site
where credit card information is needed.
Let's for instance say that I am a Nigerian mother wanting to discuss
children in a forum for mothers. Why should I go through the hassle
of remembering a password consisting of capital letters and digits??
Also when you apply for a job at NOKIA you don't provide credit card
information. You upload a CV and some work experience only. Why
should that be so hard to do?
At a website such as Amazon.com, where transactions of several million
dollars a year are processed, such password requirements are not asked
for! Amazon is a prime example of user-friendly interface and
experience.


28 Oct 2008 - 1:04pm
EngageMotion
2008

Reality Check - Card-issuing banks and VISA/Mastercard are NOT the
same thing.

While you are correct that two algorithms can measure the
strength/weakness of a password differently, the financial
responsibility is NOT ultimately with the user, but it rests
currently on the merchant and VISA/Mastercard/etc.

There is a new paradigm shift aimed to change this... but if you
think strong passwords are an "inconvenience" then wait until
3D-Secure becomes more prevalent.

http://en.wikipedia.org/wiki/3-D_Secure


28 Oct 2008 - 3:01pm
Santiago Bustelo
2010

We may be talking about different things here. Never said strong
passwords are an "inconvenience".

Ali Naqvi started this thread asking: "Why can't a username
'ABS_4u' have the following password 'Malemodel_14'?"

Strong password: for passwordmeter.com's algorithm, 'Malemodel_14'
strength is sufficient (62%).

Inconvenience: getting your account request rejected because some
anonymous programmer made a set of arbitrary rules that you can only
pass by banging your keyboard furiously.


28 Oct 2008 - 1:43pm
EngageMotion
2008

Amazon DOES have minimum password requirements:
I tried to change my current password to "easy"...


28 Oct 2008 - 3:30pm
Santiago Bustelo
2010

Mark Canlas wrote:
> So you would advocate letting users set blank or English-word
> passwords?

I actually wrote, "I would certainly not advocate weak passwords".
But your words left me thinking and I changed my mind.

For the advocacy to work, I will need some credibility. Something as
"Certified Information Systems Security Consultant". Small print
will warn, "Certified by the Asylum for the Chronic Insane".

> what will they think when their funds are depleted by someone who
> broke into their account?

"Santiago got a new beemer!"

--

Santiago Bustelo // icograma
Buenos Aires, Argentina


29 Oct 2008 - 6:29am
Ali Naqvi
2008

Chris wrote
'Amazon DOES have minimum password requirements:

I tried to change my current password to "easy"... '

Amazon does not tell you that you HAVE to include at least 1 digit or
any capital letters in your password. The user experience is amazing.
One can buy items by clicking 3 times only...


30 Oct 2008 - 9:45am
Eva Kaniasty
2007

As always, this is a matter of when the cure is worse than the disease.

For most non-transactional websites, requiring a strong password is
overkill. In fact, having a password at all is overkill. The job
application scenario someone mentioned above is one example. Is the user
served in any way by being forced to create an account as part of a one-time
resume submission process? Nevertheless, this is quite common, and has
nothing to do with concern for user security, but rather lack of attention
to the user requirements for the task at hand.

I recently had an experience with a travel website which created an account
for me automatically using MY EMAIL only. This was an awesome user
experience. I could try out the site without having to go through the usual
cumbersome process, and an excellent example of gradual user engagement.
(The site is tripit.com).

Personally, I have a set of passwords which vary in strength that I use for
different types of sites. Recently I ran into the capital letter
requirement on a site, which my usual strong password does not have, and I
will never get back the time I spent having to email that password back to
myself (is that any safer?).

</end rant>

Eva Kaniasty
http://www.linkedin.com/in/kaniasty


30 Oct 2008 - 11:04am
Ali Naqvi
2008

Well said Eva... my point exactly.


31 Oct 2008 - 4:19pm
Jean-Anne Fitzp...
2004

For those who are interested in this subject, I know some people who are
working on the problem:

http://usable.com/

Also, you might want to check out the SOUPS conference:

http://cups.cs.cmu.edu/soups/2009/

Cheers,

J.A.

1 Nov 2008 - 6:51am
Esteban Barahona
2006

i am fine with 10-character case-sensitive alphanumerical passwords...
if https is used (or any encryption).
one has to be user friendly... but not "enemy friendly" (easy to
crack passwords by guessing... dictionary attack).

information design
...but first architecture...

"it is all about the branding anyway".


1 Nov 2008 - 7:29am
Alethea778
2008

A combination of 2 buttons, like shift plus one letter, does increase the
hassle. In terms of action, no matter digit or letter, any button
equates to any other, because the action required is in all cases to click
once. But with regard to memory, a combination of letters and digits
certainly adds to the load.

Some websites don't distinguish capital letters from normal ones; in
this case neither the shift button nor the Caps button is needed, so there's
no combination of 2 buttons.

Passwords are not allowed to contain elements that appear in the username.
This is to avoid hackers figuring out the password just by guessing. But
if the stealer is an acquaintance, he or she may try your birthday or
some other data which is not included in the username; then what to
do?

My points are:

1) avoid using two buttons to type one letter or digit
2) pressing "1" equates to pressing "a" because in both cases the action
is to press once per se.
3) research based on a certain culture may be needed to identify what
kind of passwords are easy to remember
