Usability of using Special Characters in System-Generated One-Time Passcodes
20 Aug 2005 - 11:31pm
I am looking for usability concerns and guidelines regarding the use of
special characters in system-generated password codes. Any comments or
examples are appreciated.
Here's the situation: A system-generated code is sent to the user via e-mail
so he/she can type it or copy and paste it when going through the process of
obtaining a digital identity. A second system-generated code must be
delivered to the user by a supervisor, person-to-person, which may be by
phone call or also by e-mail. These are one-time use codes only.
Obviously, there are general guidelines regarding special characters in
passwords from the security aspect. However, from the usability perspective,
I am looking to address if there are issues with some special characters
when delivered by e-mail or voice and the user must then enter the password
or copy-and-paste it.
Currently, the password codes include A-Z, 1-9 and exclude 1, I, 0, O, Q, V,
and W. Potential special characters include: %, &, *, +, =, ?, #, @, /, \, (,
and ). The goal is to increase randomness that will allow the password
codes to be shortened. The tradeoff is more complexity vs. a shorter code.
For instance, I would not recommend using the forward slash (/) or
backward slash (\), since they are so similar and they are also difficult to
describe by voice.
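
To put numbers on the length-versus-complexity tradeoff raised in the post, the following added example (not part of the original post) builds the alphabets it describes and computes how long a code must be to reach a given strength. The 64-bit target and the function names are assumptions made for illustration; the post states no target.

```python
import math
import secrets
import string

# Base alphabet as described in the post: A-Z and 1-9, minus 1, I, O, Q, V, W
# (0 is listed as excluded too, but it is already outside 1-9).
EXCLUDED = set("1I0OQVW")
BASE = [c for c in string.ascii_uppercase + "123456789" if c not in EXCLUDED]

# Candidate special characters listed in the post.
SPECIALS = list("%&*+=?#@/\\()")
# Variant without the two slashes, which the post advises against.
SPECIALS_NO_SLASH = [c for c in SPECIALS if c not in "/\\"]


def min_length(alphabet_size, target_bits):
    """Smallest n with alphabet_size**n >= 2**target_bits (exact integer math)."""
    n = 1
    while alphabet_size ** n < 2 ** target_bits:
        n += 1
    return n


def generate_code(alphabet, target_bits):
    """Draw a uniformly random code from the OS CSPRNG at the minimum length."""
    length = min_length(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(target_bits):
    """Return {label: (alphabet size, bits per character, required length)}."""
    sets = {
        "base": BASE,
        "base+specials": BASE + SPECIALS,
        "base+specials-no-slash": BASE + SPECIALS_NO_SLASH,
    }
    return {
        label: (len(a), round(math.log2(len(a)), 2), min_length(len(a), target_bits))
        for label, a in sets.items()
    }


if __name__ == "__main__":
    TARGET_BITS = 64  # assumed target strength, not taken from the post
    for label, (size, bits, length) in compare(TARGET_BITS).items():
        print(f"{label:24} size={size:2} bits/char={bits} length={length}")
    print("sample:", generate_code(BASE + SPECIALS_NO_SLASH, TARGET_BITS))
```

At the assumed 64-bit target, all twelve special characters shorten the code from 14 to 12 characters, and dropping the two slashes gives 13.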