

In the above, I have four different requirements on my password that I set. If any of them is not met, I have to choose a different password.

Baymard Institute lists two potential downsides to overly strict password requirements:

“1. Users get frustrated with the password creation process itself. While this is frequently observed, we rarely see it causing abandonments, so long as the password requirements are communicated clearly upfront.

2. When users are forced out of using their “standard” passwords, they are later very prone to have difficulties remembering them, and, hence, very frequently experience sign-in issues on subsequent visits. This is the true cost of imposing more strict password requirements.”

The first point is consistent with data taken from Zuko: 50% of users return to the password field at least twice.

Baymard also highlights the fact that since a form may require a complex password, a user may ‘make up’ a particularly complex one and, without a password manager, simply not be able to log in further down the line, since it would be almost instantly forgotten. This is a significant point of friction for users, and has a detrimental effect on UX.

The password reset function would therefore be used widely, which is not a great user experience.

The Information Commissioner's Office in the UK provides some clear guidance on password requirements:

“There are three general requirements for any password system that you will need to consider:

- password length: you should set a suitable minimum password length (this should be no less than 10 characters), but not a maximum length. If you are correctly hashing your passwords, then the output should be the same length for every password, and therefore the only limit to password length should be the way your website is coded. If you absolutely must set a maximum length due to the limitations of your website code, then tell users what it is before they try to enter a password.
- special characters: you should allow the use of special characters, but don’t mandate it. If you must disallow special characters (or spaces), make sure this is made clear before the user creates their password.
- password blacklisting: do not allow your users to use a common, weak password. Screen passwords against a ‘password blacklist’ of the most commonly used passwords, leaked passwords from website breaches and common words or phrases that relate to the service. Explain to users that this is what you are doing, and that this is why a password has been rejected.

Other than the three requirements listed above, do not set restrictions on how users should create a password. Current research (see ‘Further reading’ below) indicates that doing so will cause people to reuse passwords across accounts, to create weak passwords with obvious substitutions or to forget their passwords. All this places unnecessary stress on your reset process.”

Microsoft also recommends avoiding complexity requirements: despite being a very common feature of online forms, complex passwords are hard for humans to remember.

Dr Jakob Nielsen argues that we should show most passwords as text when we type them. His article, Stop Password Masking, has the following summary:

If you need further evidence, this XKCD comic summarises the issue well:
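The three ICO requirements above, turned into a server-side acceptance check. This is an added example, not code from the original page or from the ICO: it enforces a 10-character minimum and no practical maximum, allows symbols and spaces without requiring them, screens against a blacklist after undoing the "obvious substitutions" the ICO warns about, rejects passwords built from words tied to the service or the account, and returns the explanation that is shown to the user. The names `check_password`, `MIN_LENGTH`, `MAX_LENGTH`, `service_words` and `user_words`, and the tiny sample blacklist, are all assumptions made for the illustration. One caveat worth adding to the ICO's hashing point: it holds for PBKDF2, scrypt and Argon2, but bcrypt truncates its input at 72 bytes, so a bcrypt-backed site does have a maximum and should state it up front, exactly as the guidance asks.

```python
"""Password acceptance check modelled on the ICO's three requirements.

Added example, not code from the page or from the ICO. All names and the
sample word list are constructed for illustration.
"""
import string
import unicodedata

MIN_LENGTH = 10   # ICO: a suitable minimum, no less than 10 characters

# The ICO says not to set a maximum. This cap exists only so a multi-megabyte
# request body cannot tie up the password hash; it is far beyond anything a
# person or a password manager produces, and the user is told if they hit it.
# Caveat (about your stack, not from the page): bcrypt truncates input at
# 72 bytes, so with bcrypt the real maximum is 72 and must be shown to users.
MAX_LENGTH = 1024

# Constructed sample blacklist of base words. In production load a large
# breach-derived list (or query a k-anonymity breach API) instead.
COMMON_PASSWORDS = {
    "password", "letmein", "iloveyou", "qwertyuiop", "welcome", "123456789012",
}

# Undo the substitutions people make to satisfy complexity rules (P@ssw0rd!).
_LEET = str.maketrans({
    "@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s",
    "7": "t", "1": "i", "!": "i",
})


def _normalise(text):
    """Unicode-normalise and case-fold so look-alike spellings compare equal."""
    return unicodedata.normalize("NFKC", text).casefold()


def _core(norm):
    """Reduce a password to the word the user most likely started from:
    strip leading/trailing digits, punctuation and spaces, then undo common
    character substitutions. 'p@ssw0rd!123' -> 'password'."""
    stripped = norm.strip(string.digits + string.punctuation + " ")
    return (stripped or norm).translate(_LEET)


_BLACKLIST = {_normalise(p) for p in COMMON_PASSWORDS}


def check_password(password, *, service_words=(), user_words=()):
    """Apply the three ICO requirements.

    Returns (accepted, message). The message is written to be shown to the
    user verbatim, so they learn why a password was rejected.
    """
    if len(password) < MIN_LENGTH:
        return False, (f"Use at least {MIN_LENGTH} characters. Spaces and "
                       "symbols are allowed but not required.")
    if len(password) > MAX_LENGTH:
        return False, f"Passwords longer than {MAX_LENGTH} characters are not accepted."

    # Deliberately no "must contain a digit / symbol / upper-case" rule here:
    # special characters are allowed, never mandated.
    norm = _normalise(password)
    if norm in _BLACKLIST or _core(norm) in _BLACKLIST:
        return False, ("This password appears on lists of commonly used or "
                       "leaked passwords, so it cannot be used.")

    # Words that relate to the service (its name, product names) or to the
    # account (username, email local-part) are easy to guess for this login.
    for word in (*service_words, *user_words):
        w = _normalise(word)
        if len(w) >= 4 and w in norm:
            return False, (f"Passwords must not contain '{word}': it is easy "
                           "to guess for this account.")

    return True, "OK"


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "P@ssw0rd!123", "letme1n2024"):
        print(pw, "->", check_password(pw))
    print(check_password("acmecorp2024rocks", service_words=("AcmeCorp",)))
```

The substitution-undoing step is what makes the blacklist worth having: without it `P@ssw0rd!123` passes a naive lookup even though it is the single most predictable way a user satisfies a "symbol and digit" rule. The returned message is the part the ICO stresses most: the user is told which of the three rules rejected the password rather than left to guess.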
