Create a password: how to assist the user in complying with the rules you set

23 Oct 2008 - 5:03am
5 years ago
8 replies
755 reads
R. Groot
2006

Hi all,

I'm breaking my head on the following for some time now and I hope you have
a fresh look or good experience to share.

*Scenario*
- A user needs to create a password (for a new account)
- The password has to comply with two out of three rules (a certain
length, upper- and/or lowercase letters, and a number)

*My solution so far*
At this moment I use an explanatory text which tells the user what rules the
password has to comply to. But since people don't read...

Looking forward to your visions, links, experiences!

Kind regards,
Rein

Comments

23 Oct 2008 - 6:06am
darlenepike
2007

Check for each condition on every keystroke. As each new condition is
met, provide immediate feedback visually right next to the input form.
For example, start with 4 empty boxes, and with each met condition,
add a checkmark to one of the boxes.

If this is a web form, JavaScript is well-suited for the task.

That got me thinking ... How to provide immediate and non-intrusive
feedback of this kind when the input is audio. The characteristic of
the feedback I described above depends on people being able to
perceive what they are entering at the same time as the response, so
locating the feedback boxes next to the input box is effective. For
voice input, the act of entering data and receiving a response seems
to require a more distinct asynchronous process: speak a letter, hear
"ok", speak a letter, hear "ok". But could people be taught to
listen for and recognize a continuous background tone that is neutral,
but that changes pitch to indicate a conforming reply? Perhaps a bell
ding or happy chord would be the positive sound. Could be used in any
audio-capable interface where you want to test for complying data
input. I don't have much experience with games -- maybe the game designers
have solved this one elegantly already.


_____________________________________
Darlene Pike / Pike Design

Web coding for technically challenged visionaries™

web: www.PikeDesign.com
ph: 973-600-7113

23 Oct 2008 - 5:48am
Roel Beemsterboer
2008

Entering a password that complies with a lot of conditions can be quite
cumbersome for inexperienced users. It usually helps to implement
some JavaScript checking the password while typing. The output
should be updated after every keystroke and give feedback on the strength
and optionally some advice. You can find a really basic example
here:
http://phiras.googlepages.com/PasswordStrengthMeter.html

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=34744

24 Oct 2008 - 3:50am
Andy Polaine
2008

Another way is to generate memorable passwords for them: http://www.ultradesign.com/support/passwordgenerator.lasso

24 Oct 2008 - 7:36am
Jim Hoekema
2004

Rein,

IMHO, you're on the right track. I find it so irritating when sites
don't tell the rules (and they're all different) until after your
first or second attempt violates them! Yes, by all means, explain the
rules in text, either laid out for all to see, or under a prompt like
a "?" or "rules." People do read, actually.

- Jim


24 Oct 2008 - 8:20am
Jeff Garbers
2008

On Oct 24, 2008, at 8:36 AM, JimH wrote:
> .. I find it so irritating when sites don't tell the rules (and
> they're all different) until after your first or second attempt
> violates them!

I'd like to add an appeal for password requirements to appear after a
failed logon attempt, not just when changing or entering a new
password. Letting users know those requirements may help them
remember a forced variation on a password they usually use. Not that
I'd ever use the same password on more than one system, of course, but
I hear that *some people* do that...!

24 Oct 2008 - 9:04am
DampeS8N
2008

I want to see the death of superfluous passwords.

OpenID is getting close....

Here is the thing: unless you are making bank software or software
for the government that requires lots of BS (in which case you
should partner with another password provider and authenticate
through them, like the army CORE authenticates through AKO), don't
HAVE rules for your passwords.

Salt the passwords to protect your databases, code properly so if
someone breaks into an account they can't break into your system at
large, and otherwise try to minimize the damages.

But it is unacceptable to put that burden on the user.

Passwords aren't any more-or-less secure than other methods, like a
combination of remembering IP addresses, using other personal data
for login and requiring extra steps when things don't line up.

Try this:

When a user creates an account, log their IP. In today's broadband
world, IP is pretty stable. So most users won't need to do extra
steps to prove who they are.

Use personal info like their email address, name, or whatever as
login creds. They aren't going to forget this stuff, and it is
unlikely that their name will change.

Here is the thing, when anything doesn't line up, go to stage two.

Remember those security type questions? Toss them out. Here is what
you ask:

What is your cell phone number?
What is your home phone number?
What is the street you live on?
What is your mother's first name?
What is your father's first name?
What is your birthday?
Where were you born?

Ask only these questions, but ask all of them. If they get more than
5 wrong, it fails. And if they get 3 to 5 wrong, go to step 3. Also,
log any inconsistent answers and, depending on how they handle step 3,
or if they got 2 or less wrong, we are going to add them to the list
of acceptable answers.

Step 3, you send an e-mail to their address and provide them with a
phone number to call if you can afford to do that.

They can then authenticate using their account-email, in which case
their wrong answers become right answers. (for some questions they
are replaced, others they are added to the list.)

So the system will authenticate on things that are simple and already
remembered for most people to begin with. It will ask questions that
have concrete answers that for the most part never change, and when
they do change, and the user answers them differently, then it falls
back onto e-mail verification.

Can this system be hacked? Sure. But here is the deal, it won't let
a hacker log in as someone unless they are using that person's IP
AND know their creds. Which means they know who they are attacking,
and that means you can't stop the attack with a perfect password
anyway, since that user most likely saved the password into their
keychain anyway.

If the attack is coming from afar, it is more secure than a password,
since you'd have to crack open what amounts to an e-mail-shaped
password and a 7-word dictionary password. Which is like if I made
my password this: donkeybuttercangearspeopleverifyempire, which is an
extraordinarily secure password.

And, it will only progress to step 3, email verification, if they can
guess 3 of those questions. Not impossible, but considering all any
other system will do is let the hacker request an e-mail right away,
if they hacked that e-mail address, they are in.

In this system, they have to guess 3 of the questions before it can
do that.

This is just something I thought up now. I'm sure there are many
solutions to this problem that don't force the user to remember
garbage.

Will

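The decision logic of Will's three stages, written out as an added example (not code from the thread) so the thresholds he states can be tried against a record. The account record and attempts are constructed; matching answers case-insensitively and only appending (never replacing) learned answers are assumptions.

```javascript
// Added example, not code from the thread: the decision logic of Will's
// three stages with the thresholds he states. The record below is
// constructed; case-insensitive matching and append-only learning of
// new answers are assumptions.
const QUESTIONS = ['cell phone', 'home phone', 'street', "mother's first name",
  "father's first name", 'birthday', 'birthplace'];

const norm = (s) => (s == null ? '' : String(s)).trim().toLowerCase();

// Stage 2: ask every question, count those matching no accepted answer.
// More than 5 wrong fails, 3 to 5 wrong goes to e-mail, 2 or fewer passes.
function scoreAnswers(accepted, given) {
  const wrong = QUESTIONS.filter(
    (q) => !(accepted[q] || []).some((a) => norm(a) === norm(given[q])));
  const verdict = wrong.length > 5 ? 'fail' : wrong.length >= 3 ? 'email' : 'pass';
  return { verdict, wrong };
}

// After acceptance, answers given for mismatched questions join the list.
function learnAnswers(accepted, given, wrong) {
  const updated = { ...accepted };
  for (const q of wrong) updated[q] = [...(updated[q] || []), given[q]];
  return updated;
}

// Stage 1: logged IP and login creds (e-mail here) line up -> in.
// Stage 3: emailVerified stands in for the user completing e-mail verification.
function authenticate(account, attempt) {
  if (attempt.ip === account.ip && attempt.email === account.email) {
    return { stage: 1, verdict: 'pass', accepted: account.accepted, log: [] };
  }
  const answers = attempt.answers || {};
  const { verdict, wrong } = scoreAnswers(account.accepted, answers);
  const log = wrong.map((q) => ({ question: q, given: answers[q] })); // inconsistent answers logged
  if (verdict === 'fail') return { stage: 2, verdict: 'fail', accepted: account.accepted, log };
  if (verdict === 'email' && !attempt.emailVerified) {
    return { stage: 3, verdict: 'pending', accepted: account.accepted, log };
  }
  return { stage: verdict === 'pass' ? 2 : 3, verdict: 'pass',
    accepted: learnAnswers(account.accepted, answers, wrong), log };
}

// Constructed account record for trying the flow.
const SAMPLE = { ip: '203.0.113.7', email: 'homer@example.com', accepted: {
  'cell phone': ['555-0100'], 'home phone': ['555-0101'], street: ['Evergreen Terrace'],
  "mother's first name": ['Mona'], "father's first name": ['Abe'],
  birthday: ['1956-05-12'], birthplace: ['Springfield'] } };
```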

24 Oct 2008 - 11:31am
j.scot
2008

I rather like the reminder question and answer that users write
themselves as a first measure after the first failed login attempt...
I also like, in the event of a subsequent failure, the "we'll email
you a link to reset your password" approach, which, combined with IP
logging and the series of identity verification questions (e.g.,
mother's maiden name, street lived on when born, etc.) works well
without compromising too much. Correct answers to even more
verification questions could allow the user to specify a new email
address (but not preclude a warning/notice message to the old address,
of course) in the event they no longer have access to the email
account used when they set up an account on your system.

I don't like using phone numbers and such for verification questions
(well, for anything other than banking and the like) because it's
dependent upon keeping the account up to date (and you generally do
keep these up to date)... otherwise you have to remember what phone
number you used (did I use my work number, and if so which one -- I
have three). Same goes for street address and the like. Your favorite
color can change over time. The name of your first pet, or the street your
parents lived on when you were born, won't.

.02


27 Oct 2008 - 10:25am
Juan Lanus
2005

At any given moment, Bart Simpson could be able to answer all the asked
questions to impersonate his father and purchase online an expensive Tommy &
Daly relic.

As for the IP, in the company I work for we are hundreds, and we all share
the same IP, or a few IPs. It's at home that we share a public IP number among
a few users.

On the other hand, secure passwords are made of not only the 26 alphabet
lowercase letters but also the 26 uppercase ones and the 10 digits, and the
keyboard shifting needed to change case. This shifting hampers the work
of someone who's looking over your shoulder while you type. I get good security
marks for passwords like "ILikeThisOneSince2008".

As for the original request, displaying the rules is a must. I'd show a
bulleted list and would change to light gray the rules already complied with.
The wording of these texts has to be done with extreme care to make them
illustrative but not lengthy; prefer synthesis over completeness.
As for the 2 out of 3, I'd slap an "ACCEPTED" banner when appropriate.
Also, I'd show several examples of compliant passwords to stimulate the shy
users.
--
Juan Lanus

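A runnable sketch of the per-keystroke check that darlenepike describes and the rule list plus "ACCEPTED" banner that Juan suggests, for Rein's two-out-of-three scenario. This is an added example, not code from the thread; the minimum length of 8 and reading the case rule as "both upper- and lowercase" are assumptions, since the original post fixes neither.

```javascript
// Added example, not code from the thread. Assumptions: minimum length 8,
// and the "case" rule means both an upper- and a lowercase letter.
const MIN_LENGTH = 8;
const REQUIRED = 2; // two out of three rules, as in Rein's scenario

const RULES = [
  { id: 'length', label: `at least ${MIN_LENGTH} characters`,
    test: (pw) => pw.length >= MIN_LENGTH },
  { id: 'case', label: 'both upper- and lowercase letters',
    test: (pw) => /[a-z]/.test(pw) && /[A-Z]/.test(pw) },
  { id: 'number', label: 'at least one digit',
    test: (pw) => /[0-9]/.test(pw) },
];

// Evaluate every rule against the current field value.
function checkPassword(pw) {
  const rules = RULES.map((r) => ({ id: r.id, label: r.label, met: r.test(pw) }));
  const metCount = rules.filter((r) => r.met).length;
  return { rules, metCount, accepted: metCount >= REQUIRED };
}

// The checklist next to the field: met rules are ticked (in a page you would
// give them a "done" class and gray them out), plus Juan's ACCEPTED banner.
function renderFeedback(pw) {
  const { rules, metCount, accepted } = checkPassword(pw);
  const lines = rules.map((r) => `[${r.met ? 'x' : ' '}] ${r.label}`);
  lines.push(accepted
    ? `ACCEPTED (${metCount} of ${RULES.length} rules met)`
    : `meet ${REQUIRED - metCount} more rule(s) to continue`);
  return lines.join('\n');
}

// What the user would see after each keystroke while typing `typed`.
function keystrokeTrace(typed) {
  const trace = [];
  for (let i = 1; i <= typed.length; i++) {
    const prefix = typed.slice(0, i);
    trace.push({ prefix, metCount: checkPassword(prefix).metCount });
  }
  return trace;
}

// Browser wiring (assumes <input id="pw"> and <pre id="rules">):
// document.getElementById('pw').addEventListener('input', (e) => {
//   document.getElementById('rules').textContent = renderFeedback(e.target.value);
// });
console.log(renderFeedback('Secret1'));
```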
