Comments on: stu.pid.us password usability is.su.es

By: delizade

delizade — Fri, 04 Jul 2008 09:11:55 +0000

hahaha!!!!(ironic)

off course you are extremely right…just reading that story made me angry,i can’t think living it.

hard to understand/accept this stuation for that reason…this is DELICIOUS!

By: David Arno

David Arno — Wed, 02 Jul 2008 12:40:24 +0000

@Aral: I disagree that is it a WUI expectation that one can choose any password one likes unless given specific restriction criteria. People do not read what is in front of their noses. Thus it is better to keep the amount of information presented to them to a minimum, to maximise the chances of them reading it. Scold is too strong a word for what I was describing. And from my experience, allowing them to enter what they like, and then advising them that it wasn’t good enough leads to far less frustration than scolding them for failing to read the instructions.

By: Shane Conder

Shane Conder — Fri, 27 Jun 2008 23:42:24 +0000

I totally agree that the strength of the password should match the site — but it should also be under the users control. For instance, I use a pretty strong password algorithm to come up with passwords that I can actually remember — and it often generates long passwords. Sadly, some sites don’t allow the result. Why? Not enough numbers. No caps. Used a letter twice. It’s very frustrating. What’s also odd is that putting restrictions on actually reduces the brute force search space from all possibilities to only some.

Interestingly, if there was an option for, “I know what I’m doing.” that allowed you to have a password that breaks the rules your password would actually be stronger since it’s not even technically supposed to be valid.

Even worse, though, are sites that want a password between 6 and 8 characters. There are a few I’ve run in to — I can never get my password right on them so I always have to reset. A complete pain!

I’m not sure I totally agree with Toby, either. Del.icio.us does store private URLs — but if they’re sensitive, they’d have their own protection — just how sensitive can a URL get? I wouldn’t want everyone seeing mine, but any password is good enough…

By: Ronny

Ronny — Fri, 27 Jun 2008 22:28:18 +0000

I happen to encounter a lot of those bad practice validations systems.
I can’t understand how application designers/developers don’t think about this…

By: Toby

Toby — Fri, 27 Jun 2008 18:43:39 +0000

It’s a fair point, and I used to agree with you entirely. If you and I were the only users of the internet, there’d be no need for password restrictions. We understand proportional security and how to use it appropriately.

However, I’ve seen far too many accounts compromised because the users registered “password” or their username as their password. No amount of hacking prevention is going to keep those accounts secure as they blithely store all sorts of personal information. At least the password stuck to the monitor requires physical access.

The requirements aren’t terribly onerous - most passwords should be 6 characters, have a non-letter in them and not be basically your username. The vast majority of people use a single password, so trying to move them to this minimal security level would be a good thing.

I suspect you wouldn’t have thought twice about it if we’d had the requirements posted. That was a big error, and one we’ve rectified. Thanks for bringing it to our attention.

By: Aral

Aral — Fri, 27 Jun 2008 10:14:47 +0000

@Toby: Ah, cool, glad to hear you guys will be adding instructions to the page.

Re: strong passwords. I still think that the currently policy is overkill for the application. The weakest link in online security is not password strength but the human being with the password. If your password policy means that people cannot remember their passwords, they are going to write them down somewhere and that’s going to be the weakest link in the chain. (I’ve seen passwords on Post-it notes stuck to monitors — good, honest, strong passwords — completely compromised.)

By: Aral

Aral — Fri, 27 Jun 2008 10:10:15 +0000

@David: Much of user interaction design is managing expectations and communicating clearly. As such usability in web applications is a function not only of the expectations created by your own application but of also of user expectations for Web User Interfaces (WUIs) in general. It is a WUI expectation that you can choose any password you like _unless_ you are given specific criteria that you must adhere to. (This expectation may work slightly differently for different types of apps — if you are signing in to a bank, you will _expect_ a higher level of security. del.icio.us’s password policy falls into this category without the attached psychological expectation, creating a impedance mismatch in expectations.)

Regarding your comment on the UI mock I presented: It is _never_ a good practice to scold a user without giving them clear instructions unless you are meeting a commonly-shared expectation in a standard manner. (See my post from a while back on User Interface Design Principles for Web Applications).

By: Kristof Elst

Kristof Elst — Fri, 27 Jun 2008 09:39:28 +0000

I think website owners should let people pick any password they like. If you enforce passwords on someone, they’ll probably write it down and stick it on their office monitor.

Sitebuilders should prevent password hacking instead of putting the responsibility with the user.

By: Toby

Toby — Thu, 26 Jun 2008 18:39:53 +0000

Our bad. We had the requirements up on the registration page, but forgot to put them on the password change page.

As for weak passwords, because we have the ability to save non-public data, we have some requirements in place to protect the users who choose to use those features. And yes, they should know better than to use a weak password, but not all users are there yet!

By: Shunjie

Shunjie — Thu, 26 Jun 2008 15:04:52 +0000

Thats the very same reason I don’t use stu.pid.us del.icio.us anymore, I cannot remember my password most of the time. Hack, google bookmark works for me since I am always in Gmail

Cheers,
Shunjie