Hmm, I need to log in again to del.icio.us after clearing out my passwords. I wonder why my regular passwords don't work... oh well, time to start the forgotten password process.
The stu.pid.us password usability is.su.es article by Aral Balkan, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 2.0 UK: England License.
Cool, got the email and now I'm on the site -- this should be simple:

I enter a weak password -- this isn't too important an account after all. Submit.

What's this? It's too short? Well why didn't you tell me on the first screen? Mumble, grumble... I type a longer password. Submit.

Aaaaaaaaargh!!! You fool!
- Why does a simple social bookmarking service need such strong passwords?
- If you do need them, give people the criteria on the first screen!
This is how the form should look:

I love you, del.icio.us -- please fix this!
I often have/had this problem, e.g. I had to clear privacy data from time to time because of debugging. 2-3 months ago a friend of mine sent me a recommendation for a tool (KeePass) which is simple and safe (copies the password to the clipboard on double-click and deletes it automatically after some minutes). I love it.
Hey, found you through the Friendfeed Share Google Items group. I never even knew del.icio.us demanded numerics or symbols in pws. Still, it could be worse. I tried signing on for some new service (xopp, xoopt?) with an invite code, got told the same bs about pws, and then had to go through the entire form again, only to be told my invite was invalid. Some people never get it right.
I think this is a common problem; maybe people like saving screen space by not showing a few paragraphs about the password criteria. :)
Windows domain log-ons have the same issue, mainly when the network administrator remembers to put in some criteria like at least 8 characters with numbers and symbols and different cases, and not equal to the previous 5 passwords you typed.
Sometimes I'd just prefer the system generate the freaking password for me rather than wasting my time trying out some new combinations!
I’m not sure I agree with Aral here. His new version is noisier than the first. That extra noise is only justified if:
1. A significant number of first attempt passwords failed to meet the criteria.
2. The new message is actually read, understood and obeyed by those people resulting in fewer failed passwords.
If either of these tests fail, then there is no justification for the more complex version.
A far better solution would be to add JavaScript code that tests the password for compliance and pops up a warning when the first password field loses focus and the password isn’t good enough.
That's the very same reason I don't use stu.pid.us del.icio.us anymore; I cannot remember my password most of the time. Heck, Google Bookmarks works for me since I am always in Gmail ;)
Cheers,
Shunjie
Our bad. We had the requirements up on the registration page, but forgot to put them on the password change page.
As for weak passwords, because we have the ability to save non-public data, we have some requirements in place to protect the users who choose to use those features. And yes, they should know better than to use a weak password, but not all users are there yet!
I think website owners should let people pick any password they like. If you enforce passwords on someone, they’ll probably write it down and stick it on their office monitor.
Sitebuilders should prevent password hacking instead of putting the responsibility with the user.
@David: Much of user interaction design is managing expectations and communicating clearly. As such, usability in web applications is a function not only of the expectations created by your own application but also of user expectations for Web User Interfaces (WUIs) in general. It is a WUI expectation that you can choose any password you like _unless_ you are given specific criteria that you must adhere to. (This expectation may work slightly differently for different types of apps — if you are signing in to a bank, you will _expect_ a higher level of security. del.icio.us’s password policy falls into this category without the attached psychological expectation, creating an impedance mismatch in expectations.)
Regarding your comment on the UI mock I presented: It is _never_ a good practice to scold a user without giving them clear instructions unless you are meeting a commonly-shared expectation in a standard manner. (See my post from a while back on User Interface Design Principles for Web Applications).
@Toby: Ah, cool, glad to hear you guys will be adding instructions to the page.
Re: strong passwords. I still think that the current policy is overkill for the application. The weakest link in online security is not password strength but the human being with the password. If your password policy means that people cannot remember their passwords, they are going to write them down somewhere and that’s going to be the weakest link in the chain. (I’ve seen passwords on Post-it notes stuck to monitors — good, honest, strong passwords — completely compromised.)
It’s a fair point, and I used to agree with you entirely. If you and I were the only users of the internet, there’d be no need for password restrictions. We understand proportional security and how to use it appropriately.
However, I’ve seen far too many accounts compromised because the users registered “password” or their username as their password. No amount of hacking prevention is going to keep those accounts secure as they blithely store all sorts of personal information. At least the password stuck to the monitor requires physical access.
The requirements aren’t terribly onerous – most passwords should be 6 characters, have a non-letter in them and not be basically your username. The vast majority of people use a single password, so trying to move them to this minimal security level would be a good thing.
I suspect you wouldn’t have thought twice about it if we’d had the requirements posted. That was a big error, and one we’ve rectified. Thanks for bringing it to our attention.
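David suggests above that a client-side check on the first password field's blur event would beat a longer message, and Toby states the actual criteria (at least 6 characters, a non-letter, not basically your username). The block below is an added example that is not code from del.icio.us or any commenter; it shows the criteria up front and re-checks them on blur. Rule wording, function names and element ids are assumptions.

```javascript
// Added example: one rule table drives both the up-front description of the
// policy (visible on the first screen) and the check run when the field blurs.
// The criteria mirror Toby's comment; everything else is assumed.
const PASSWORD_RULES = [
  { text: 'at least 6 characters',
    ok: (pw) => pw.length >= 6 },
  { text: 'at least one number or symbol',
    ok: (pw) => /[^A-Za-z]/.test(pw) },
  // "not basically your username": reject a password that contains the
  // username (case-insensitive); very short usernames are skipped so that
  // a one-letter username does not reject almost every password.
  { text: 'not the same as (or containing) your username',
    ok: (pw, user) => !user || user.length < 3 ||
      !pw.toLowerCase().includes(user.toLowerCase()) },
];

// Text to show next to the field before the user types anything.
function policyDescription() {
  return 'Passwords must be: ' + PASSWORD_RULES.map((r) => r.text).join('; ') + '.';
}

// Returns the human-readable criteria the password fails; an empty array
// means it complies. The same rules must be enforced server-side as well,
// since a browser-side check is advisory only.
function failedRules(password, username) {
  return PASSWORD_RULES
    .filter((r) => !r.ok(password, username))
    .map((r) => r.text);
}

// Wire the check to the blur event of the first password field and write
// the specific failures (not a generic scolding) into a warning element.
function attachPasswordCheck(passwordField, usernameField, warningEl) {
  passwordField.addEventListener('blur', () => {
    const failures = failedRules(passwordField.value, usernameField.value);
    warningEl.textContent = failures.length
      ? 'Password needs: ' + failures.join('; ')
      : '';
  });
}

// Browser-only wiring; element ids are assumed for this example.
if (typeof document !== 'undefined') {
  document.getElementById('password-policy').textContent = policyDescription();
  attachPasswordCheck(
    document.getElementById('password'),
    document.getElementById('username'),
    document.getElementById('password-warning'),
  );
}
```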
I happen to encounter a lot of those bad-practice validation systems.
I can’t understand how application designers/developers don’t think about this…
I totally agree that the strength of the password should match the site — but it should also be under the users control. For instance, I use a pretty strong password algorithm to come up with passwords that I can actually remember — and it often generates long passwords. Sadly, some sites don’t allow the result. Why? Not enough numbers. No caps. Used a letter twice. It’s very frustrating. What’s also odd is that putting restrictions on actually reduces the brute force search space from all possibilities to only some.
Interestingly, if there was an option for, “I know what I’m doing.” that allowed you to have a password that breaks the rules your password would actually be stronger since it’s not even technically supposed to be valid.
Even worse, though, are sites that want a password between 6 and 8 characters. There are a few I’ve run in to — I can never get my password right on them so I always have to reset. A complete pain!
I’m not sure I totally agree with Toby, either. Del.icio.us does store private URLs — but if they’re sensitive, they’d have their own protection — just how sensitive can a URL get? I wouldn’t want everyone seeing mine, but any password is good enough…
@Aral: I disagree that it is a WUI expectation that one can choose any password one likes unless given specific restriction criteria. People do not read what is in front of their noses. Thus it is better to keep the amount of information presented to them to a minimum, to maximise the chances of them reading it. Scold is too strong a word for what I was describing. And from my experience, allowing them to enter what they like, and then advising them that it wasn’t good enough, leads to far less frustration than scolding them for failing to read the instructions.
hahaha!!!! (ironic)
Of course you are extremely right… just reading that story made me angry; I can’t imagine living it.
Hard to understand/accept this situation for that reason… this is DELICIOUS!