Best Practice - Display password parameters on the login page?

25 Oct 2011 - 4:18pm
3 years ago
9 replies
1720 reads
LFrancis
2009

Hi,

For a log in process where people may not log in often, does it make sense to place the password parameters (such as: Minimum six characters, maximum 20 characters) as help text adjacent to the password field? Or, would that be more of a security risk than a benefit to people trying to remember their password?

What do you IXDers think?

Thanks!

Linda

Comments

25 Oct 2011 - 9:12pm
martinsz
2011

Hi Linda, I don't think you're decreasing security by showing that information, since in the worst case it can be discovered by analyzing the JavaScript form validations for the password on the register page.

I think it will seem helpful to say something like "Your password is between 6 and 20 characters long and it might include numbers and symbols. Have you forgotten your password?"

But I'm not really sure that by reminding people about the length of the password you're actually helping them remember the password, I think memory works by association and it's not that the brain can filter words that are too short and words that are too long to serve as a password, I mean, it can do that, but if it already has a list of possible candidates and some are long and some are short.
In my case, most of my passwords would fit the definition I wrote above and it will not help me distinguish which password I should write there.
I hope this was useful.
Martín.

26 Oct 2011 - 7:32am
mattinteractive
2010

It's generally bad practice (because it's a security risk) to provide any information about the username/password standards for a public facing login screen. However, it's improbable that a hint such as "Minimum six characters, maximum 20 characters" would be helpful to an intrusion -- and come to think of it a hint such as that would probably not be that helpful to an authorized user either!

I think an easy-to-use password reminder (i.e. "Forgot password?") process is more ideal -- and more standard. Some users appreciate not having to go back into their email inbox to retrieve a password reminder. So as alternative, answering a single or series of security questions would also work well.

27 Oct 2011 - 4:21pm
penguinstorm
2005

It's generally bad practice (because it's a security risk) to provide any information about the username/password standards for a public facing login screen

It's ridiculously easy to find out. As has been pointed out, you can often read client side verification scripts. Even more easily, you can find them out by setting up an account and viewing error messages, since those error messages are going to display parameters (unless you think it's usable to just keep saying "sorry your password isn't good enough: try again", you're going to display something more specific).

Unless security is your *primary and only* concern, you're probably better off displaying them than you are annoying the heck out of users by repeatedly rejecting passwords. Most users have enough trouble finding and remembering them anyway.

27 Oct 2011 - 7:07am
Jochen Wolters
2010

Linda,

I don't think that displaying that kind of information will have a major impact on the site's security, but I also agree with Martin and Matt that it won't be all that helpful for remembering a forgotten password either.

I second Matt's suggestion of adding a "Forgot your password?" link close to the password field, which can either bring up some questions defined by the user -- "What was your first pet's name?", etc. -- or guide her through an email-based recovery process.

As a quick and friendly reminder: It is essential to display all relevant information about a password's format during the registration process, though.

There are countless sites out there that reveal this information bit-by-bit only after you enter an invalid password. It may start with "Your password needs to be between 6 and 20 characters long.", followed by, "Your password must contain at least one numeric digit", and next up is the dreaded "Your password must not contain special characters", which message, of course, does not explicitly list which characters are allowed, etc.

It makes registering for a site so much less painful if that information is presented in its entirety to the user right from the start.

Regards,

Jochen.

27 Oct 2011 - 8:05am
GeoffWill
2010

I think the discussion has moved to consider two different scenarios. The original question dealt with people who already have a password and who visit the site and may have trouble remembering it.

The discussion seems to have shifted to include new password creation, where password parameter information would definitely be useful

I've worked on these issues with an AT&T B2C site and with Microsoft TWC for several products. Because the guidance is very general, I doubt that it is a security risk. The hackers are going to use programs that explore a wide range of possibilities. I doubt that they set parameters on their tools for info on the site.

I don't think the parameter info will help the user at the logon stage. They either remember or have a record of the password or they don't. If they don't remember it, they have to go to backup authentication via "Forgot your password." At that point the pw info is not relevant, they will be relying on a question and its cues, or will be given a secure reset procedure.

At new password creation, the parameter info is a great idea. Also relevant is a strength indicator. You may wish to consider a cue to add a number or special character, or even a password checker that checks the pw against a dictionary program, which is one of the tools the hacker will use.

enjoy geoff

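Jochen's point (show the complete set of rules up front instead of one error at a time) and Geoff's point (check new passwords against a dictionary of common choices, and offer a strength cue) translate into a small registration-side check. The following is an added example, not code from this thread or from any poster's site; it assumes a hypothetical policy of 6 to 20 characters with any typable character allowed (Linda's stated preference), a constructed five-entry blocklist standing in for a real dictionary or breach list, and a deliberately rough entropy estimate for the strength indicator.

```python
"""Registration-side password policy check that reports every failed rule at once.

Added example; assumptions: a 6-20 character policy, any typable ASCII
character allowed, and a tiny constructed blocklist in place of a real dictionary.
"""
from dataclasses import dataclass
import math
import string

# Constructed blocklist. A real deployment would load a large common-password
# or breach-derived list; this is only enough to exercise the check.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome"})

# "Any typable character": letters, digits, punctuation and the space character.
# Tabs, newlines and other control characters are rejected.
TYPABLE = frozenset(string.ascii_letters + string.digits + string.punctuation + " ")


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 6
    max_length: int = 20
    allowed_chars: frozenset = TYPABLE
    blocklist: frozenset = COMMON_PASSWORDS

    def describe(self) -> list[str]:
        """The full rule text, meant to be shown on the form before any input."""
        return [
            f"Between {self.min_length} and {self.max_length} characters long.",
            "Any typable character (letters, digits, punctuation, spaces) is allowed.",
            "Must not be a commonly used password.",
        ]

    def violations(self, candidate: str) -> list[str]:
        """Return every rule the candidate fails, not just the first one hit."""
        problems = []
        n = len(candidate)
        if n < self.min_length or n > self.max_length:
            problems.append(
                f"Must be between {self.min_length} and {self.max_length} "
                f"characters long (this one is {n})."
            )
        disallowed = sorted({c for c in candidate if c not in self.allowed_chars})
        if disallowed:
            problems.append(f"Contains characters that cannot be used: {disallowed!r}.")
        if candidate.lower() in self.blocklist:
            problems.append("Is on the list of commonly used passwords.")
        return problems

    def is_acceptable(self, candidate: str) -> bool:
        return not self.violations(candidate)


def strength_bits(candidate: str) -> float:
    """Rough upper-bound entropy estimate for a strength meter.

    Counts which character classes appear and assumes each position was drawn
    uniformly from the union of those classes. Human-chosen passwords are far
    less random than this, so treat the number as a cue, not a guarantee.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation + " ", 33),
    ]
    pool = sum(size for chars, size in classes if any(c in chars for c in candidate))
    return len(candidate) * math.log2(pool) if pool else 0.0


def strength_label(candidate: str) -> str:
    """Three-step cue for the registration form; thresholds are an assumption."""
    bits = strength_bits(candidate)
    if bits < 40:
        return "weak"
    if bits < 70:
        return "fair"
    return "strong"


if __name__ == "__main__":
    policy = PasswordPolicy()
    for rule in policy.describe():
        print("-", rule)
    for sample in ["abc", "password", "a\tb", "correct horse battery"]:
        print(repr(sample), policy.violations(sample) or "ok", strength_label(sample))
```

The `violations` list is what the registration page renders; because every rule is evaluated, the user sees "too short" and "contains a tab" together instead of discovering the second rule only after fixing the first. Note that `"correct horse battery"` is 21 characters and therefore fails the constructed 20-character cap, which is exactly the kind of limit worth stating up front.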

27 Oct 2011 - 8:44am
Dana Chisnell
2008

Linda,

  Your users will like you better if you do what you're suggesting. And that will make them feel like authenticating is easier on your site.

  In research I've been doing about usable security over the last couple of years, people consistently complain that the rules for passwords are different from site to site, app to app, etc. and that if the rules were explicit, things would be a lot easier.

  For a password that is used infrequently, you'd be helping remind people that your site is either one of those they used their standard password for (because nearly everyone has a schema where they try to use the same 1-4 passwords for everything), or a site where they had to generate a special password. If it's a special password, they've either written it down somewhere or have forgotten it -- or it has expired. And that's when you need the friendly 'Forgot your password?' link.

  You're not introducing additional security risk. An attacker has all kinds of automated ways of trying to break passwords. If someone is shoulder surfing, they don't care about what the password rules are. They're just going to try to get the password out of the person some other way.

Dana


27 Oct 2011 - 10:41am
LFrancis
2009

Thank you all for your considered comments. The consensus definitely seems to be that it doesn't pose a significant security risk. However, most of you felt it wasn't really of value to people during the login process. We definitely have the parameters specified on screen during the registration process.

Dana, I wholeheartedly agree with your comments. You outline exactly the concern I had. I have different combinations of similar passwords to accommodate length (and dislike having to do so). This application has infrequent login, so contemplating people may not have their password at the top of their mind and wanted to provide all help possible to prevent them having to use a forgot password routine. I think the forgot password, ideally should be a last resort, not a predicted step.

This site deliberately allows any typable character and a generous length to enable a wide range of passwords, whatever people come up with. I do not believe in "forcing" people to have certain characters in their passwords. I believe this practice leads to people straying from their comfort zone for passwords and, most dangerously, having to write down the password you "forced" them to create due to the best intentions in helping them create a secure password. At that moment, one of the most egregious breaches in security has happened.

Once again, thanks to everyone for your time to contribute your thoughts on this topic.

Linda

27 Oct 2011 - 1:17pm
hassan.schroede...
2009

I'm really glad to hear Linda speak out for a sane password format policy. For those who still think there's value (other than "security theater") in mandating goofy random strings as passwords:

http://xkcd.com/936/

Please bookmark to pass along to your developers  :-)


27 Oct 2011 - 2:19pm
LFrancis
2009

Still chuckling... thanks Hassan. One day we can all form a united front and introduce some sanity to the whole password and user ID (don't get me started on that one) experience.

Definitely passed along.

Cheers!

Linda
