[IxDA Discuss] Password enforcement UI - good, bad or ugly?
Thought maybe I could garner some opinions on the usability of password enforcement techniques. Recently, I've noticed a trend towards more secure passwords for many things, and that's a good idea. However, I've also noticed that certain web sites take that to an extreme, disallowing the use of any password that does not meet their criteria. Often, these criteria are also extreme.

For example, one web-based product (non-financial) refused to allow me to enter a password that did not have ALL of:
- at least one capital letter
- at least one numeric
- at least one non-alpha character
- at least 8 characters

Clearly, this would produce a reasonably secure password, but I'd never remember it!!! I prefer Google's approach, where a graphic indicator shows me the strength of my password, but lets me choose anything I want.

Would certainly love to hear the group's thoughts on this...

-- kenny kutney [EMAIL PROTECTED]

Welcome to the Interaction Design Association (IxDA)! To post to this list ... [EMAIL PROTECTED] Unsubscribe http://www.ixda.org/unsubscribe List Guidelines http://www.ixda.org/guidelines List Help .. http://www.ixda.org/help
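An added example, written for this page and not code from the thread, Google, or the product Kenny describes: his four rules coded as a hard gate, beside a meter-style assessment that only enforces a length floor and a common-password blocklist and otherwise just reports a score for the UI to draw. The blocklist is a constructed stand-in for a real leaked-password list, and the entropy estimate is the naive pool-size calculation most meters approximate. The contrast it shows: "Password1!" satisfies all four rules yet is on every cracker's first list, while a long lowercase passphrase fails the rules despite being far harder to brute force.

```python
import math
import string

# Kenny's four rules coded as a hard gate: at least one capital, one digit,
# one non-alphabetic character and 8 characters in total.
def passes_composition_rules(pw: str) -> bool:
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalpha() for c in pw)
    )

# Constructed stand-in for a real leaked/common-password list (assumption:
# a production check would consult millions of entries, compared lowercased).
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "welcome1", "qwerty123", "letmein!1",
}

def naive_entropy_bits(pw: str) -> float:
    """Brute-force estimate log2(pool ** len), pool = union of the character
    classes present. Most strength meters approximate this. It credits
    'Password1!' with ~66 bits although it is a dictionary word with obvious
    mangling, which is why the blocklist check in assess() is what rejects it."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation or c == " " for c in pw):
        pool += len(string.punctuation) + 1  # 32 symbols plus space
    return len(pw) * math.log2(pool) if pool else 0.0

def assess(pw: str) -> dict:
    """Meter-style assessment: a 0-4 score for the indicator plus a reason.
    'accept' enforces only a length floor and the blocklist; everything else
    is feedback the user is free to ignore."""
    if pw.lower() in COMMON_PASSWORDS:
        return {"score": 0, "reason": "appears on the common-password list", "accept": False}
    if len(pw) < 8:
        return {"score": 0, "reason": "shorter than 8 characters", "accept": False}
    bits = naive_entropy_bits(pw)
    score = min(4, int(bits // 20))  # roughly 20 bits per step of the meter
    return {"score": score, "reason": f"estimated {bits:.0f} bits against brute force", "accept": True}

if __name__ == "__main__":
    for pw in ["Password1!", "Mustang!56", "correct horse battery staple", "abc"]:
        print(f"{pw!r:32} rules={passes_composition_rules(pw)!s:5} meter={assess(pw)}")
```

The length floor plus blocklist, with composition left to feedback, is the direction later guidance such as NIST SP 800-63B took; the naive entropy figure is deliberately kept separate from the accept decision because, as the Password1! case shows, it is the number a composition rule optimises without making the password any harder to guess.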
Re: [IxDA Discuss] Password enforcement UI - good, bad or ugly?
Hey Kenny,

I worked in the field (computer security) for a couple of years. In the simplest terms, the continuum is between ease of use and security. Just as you state... the extremes are not good. Easy to use = easy to crack. Hard to crack = hard to remember. Forcing any or all of those criteria is pretty harsh unless the site has a lot of liability. Suggesting those as 'tips' for a more secure password offers the user a lot of flexibility.

Mark

On Feb 19, 2008 11:33 AM, Kenny Kutney [EMAIL PROTECTED] wrote:
Re: [IxDA Discuss] Password enforcement UI - good, bad or ugly?
I know I was taught by a shockingly sane network engineer that the easy way to develop hard-to-crack passwords was to choose a regular word of the right length in your native language and then substitute number(s) and punctuation marks as appropriate and capitalize either the first or last letter. As long as you use consistent substitutions, all you have to remember is the word. So, for example, Olympics becomes 0!ymp1cS and in all my passwords O becomes 0, L becomes !, I becomes 1 and so forth. Not all users have to use the same set of substitutions, but each user needs to be consistent from one password to the next, otherwise it's yet another memory problem.

Is there a problem with recommending -- perhaps on a help linked page -- such a method to users?

At 2:24 PM -0500 2/19/08, mark schraad wrote:

-- Katie Albers [EMAIL PROTECTED]
Re: [IxDA Discuss] Password enforcement UI - good, bad or ugly?
The problem with this trend (and I'm seeing it as such, too, Kenny) is that it presumes that more security is always better. But in many use cases (blogs, mailing lists, software tech support), such stringent security can be ridiculous and inconvenient.

Security is not just protection. It's also reassurance. Excessive protection is more aggravating than reassuring, and likely to drive people to goods and services that balance these considerations better.

I like the visual and verbal indicators of password strength. They give me choice, leave me in control. I think it's best to err on the side of enlightened self-interest and leave the details of these decisions to the user.

Posted from the new ixda.org http://www.ixda.org/discuss?post=26110
Re: [IxDA Discuss] Password enforcement UI - good, bad or ugly?
Yes, but passwords like those you describe are prone to hacking, as they contain dictionary words that some brute-force password crackers use to increase their chances of cracking passwords.

On Feb 19, 2008 3:10 PM, Anthony Hempell [EMAIL PROTECTED] wrote:

-- www.flyingyogi.com --
Re: [IxDA Discuss] Password enforcement UI - good, bad or ugly?
Another strategy is to create memorable Name/Number combinations that are part of a larger set that can be mined for almost infinite password ideas, such as:
- Car make / year (Cadillac77 or Mustang!56)
- Athlete / number (Jordan23 or Gretzky!99)
- etc.

On 19-Feb-08, at 12:00 PM, Katie Albers wrote:
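Katie's substitution scheme (Olympics to 0!ymp1cS), Anthony's make/year and athlete/number combinations, and Ari's objection that such passwords fall to crackers working from dictionary words: the following added example, mine and not from any poster, implements the mangling rules a cracker applies to a wordlist (the same idea as the rule engines in John the Ripper and hashcat) and recovers the thread's own sample passwords. The wordlist, the substitution table beyond Katie's three pairs, and the use of unsalted SHA-256 as the stored hash are all assumptions; the thread says nothing about how any site hashes passwords, and the point is the guess count, not the hash. A long lowercase passphrase is included as a control that no rule here derives from a single wordlist entry.

```python
import hashlib
import itertools

# Constructed inputs (not from the thread): a tiny wordlist of dictionary
# words, car makes and athletes, standing in for the multi-million-entry
# lists real crackers use.
WORDLIST = ["olympics", "cadillac", "mustang", "jordan", "gretzky", "summer", "dragon"]

# Substitution table: Katie's O->0, L->!, I->1 plus common leet pairs (assumed).
LEET = {"o": "0", "l": "!", "i": "1", "e": "3", "a": "@", "s": "$"}

# Suffixes: two-digit years and jersey numbers, optionally preceded by "!",
# which covers Cadillac77, Mustang!56, Jordan23 and Gretzky!99.
SUFFIXES = [""] + [f"{n:02d}" for n in range(100)] + [f"!{n:02d}" for n in range(100)]

def leet_variants(word):
    """Every way of substituting or keeping each substitutable letter. A
    'consistent' substitution is just one of these subsets, so consistency
    buys the user memorability but the attacker nothing."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for k in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, k):
            yield "".join(LEET[c] if i in chosen else c for i, c in enumerate(word))

def case_variants(word):
    """Katie's rule: capitalize the first or the last letter; also unchanged."""
    yield word
    yield word[0].upper() + word[1:]
    yield word[:-1] + word[-1].upper()

def candidates(word):
    """Mangling rules in the order a cracker chains them: leet, case, suffix."""
    seen = set()
    for leet in leet_variants(word.lower()):
        for cased in case_variants(leet):
            for suffix in SUFFIXES:
                cand = cased + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand

def sha256_hex(s):
    # Assumption: unsalted SHA-256 stands in for whatever the site stores.
    return hashlib.sha256(s.encode()).hexdigest()

def crack(target_hashes, wordlist=WORDLIST):
    """Return ({hash: plaintext} for every target recovered, guesses made)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for cand in candidates(word):
            guesses += 1
            h = sha256_hex(cand)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
                if not remaining:
                    return found, guesses
    return found, guesses

# Constructed "leaked" targets: the thread's sample passwords plus a control.
TARGETS = ["0!ymp1cS", "Cadillac77", "Mustang!56", "Jordan23", "Gretzky!99",
           "correct horse battery staple"]

def recovered(targets=TARGETS):
    """Plaintexts recovered from the hashes of `targets`, and the guess count."""
    found, guesses = crack([sha256_hex(t) for t in targets])
    return set(found.values()), guesses

if __name__ == "__main__":
    plain, guesses = recovered()
    print(f"{len(plain)} of {len(TARGETS)} recovered after {guesses} guesses: {sorted(plain)}")
```

With seven words, six substitution pairs, three case forms and 201 suffixes, the whole run is under 40,000 guesses, which is a fraction of a second even against a slow password hash; what protects the control passphrase is not a symbol or a capital but the fact that it is not a mangling of anything in the list.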
Re: [IxDA Discuss] Password enforcement UI - good, bad or ugly?
Yeah. Depends on what you're securing and from whom. Good combo is the old biometric plus passphrase plus mutating challenge-response. But 99.9% don't require it since most people will willingly give up their pw through social engineering and cmps capable of brute force are too busy reading our email. Thanks ATT!

will evans
user experience architect
[EMAIL PROTECTED]
617.281.1281

On Feb 19, 2008, at 7:44 PM, Ari Feldman [EMAIL PROTECTED] wrote: