How *NOT* To Do A Password Field


Password Must Contain

We're all changing our passwords in the light of Heartbleed, right? Good!

If you are a developer or designer, I want to explain to you exactly how not to create a password dialogue box for your users.

We're all used to seeing this:


Input password:


This is incorrect! Why? Because it leads to this:


Input password:
ERROR! Your password must be longer than 7 characters!


Ok! Ok! I'll enter in a longer password.


Input password:
ERROR! Your password must be between 8 - 16 characters!


Grrrrrr.... ok.... how about this?


Input password:
ERROR! Your password must contain at least 1 number and special character.


I will cut you...


Input password:
ERROR! Allowed special characters are "!$%^&*".


Oh.... FFS.... Will this do?


Input password:
ERROR! I just don't like you!


GAAAAH!!!!

If you are writing a form which asks a user to enter a new password, please follow these simple guidelines:

  • State your site's password requirements ON THE FRICKIN' FORM! Seriously, if you only do one thing, make it that!
  • Don't let a user submit a password which doesn't meet your requirements. Use JavaScript to disable the button and highlight the text of your password policy.
  • Don't impose an artificially short password length. If a user really wants a 64 or 128 or 1024 length password, let them.
  • If you have to restrict the length, use maxlength in the input field.
  • Do you really need to insist on special characters, upper and lower case, Roman Numerals, and Unicode emoticons? If the user really wants to be insecure, let them. If you need security - insist on using 2FA rather than complex passwords.
  • How will the user know what your password requirements are? Are they hidden on a help page somewhere, or only on a pop-up after they've hit enter? Make sure they're on the page - preferably directly above the password field.
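To show what those guidelines look like in code, here is an added example (not code from the original post): a policy checker that reports every unmet rule at once, prints the policy above the field before the user types, and disables the submit button rather than truncating. It uses the `!$%^&*` set from the mock error above; the policy values and element ids are assumptions, and the character-class rules the post argues against are left configurable and off by default.

```javascript
// Added example, not code from the original post. Policy values are assumed.
// The one hard rule the post recommends is a minimum length; the character-
// class rules the post argues against are left as optional, off by default.
const DEFAULT_POLICY = {
  minLength: 8,
  maxLength: 1024,        // generous, but bounded: hashing unbounded input costs CPU
  requireDigit: false,
  requireSpecial: false,
  specialChars: '!$%^&*', // the set quoted in the post's mock error message
};

// Returns every unmet requirement at once, so the form can show the
// whole policy instead of revealing it one error at a time.
function checkPassword(pw, policy = DEFAULT_POLICY) {
  const unmet = [];
  if (pw.length < policy.minLength) unmet.push(`at least ${policy.minLength} characters`);
  if (pw.length > policy.maxLength) unmet.push(`no more than ${policy.maxLength} characters`);
  if (policy.requireDigit && !/[0-9]/.test(pw)) unmet.push('at least one number');
  if (policy.requireSpecial && ![...policy.specialChars].some((c) => pw.includes(c))) {
    unmet.push(`at least one of ${policy.specialChars}`);
  }
  return unmet;
}

// Plain-language policy text to print directly above the field, before any input.
function describePolicy(policy = DEFAULT_POLICY) {
  const rules = [`${policy.minLength} to ${policy.maxLength} characters`];
  if (policy.requireDigit) rules.push('at least one number');
  if (policy.requireSpecial) rules.push(`at least one of ${policy.specialChars}`);
  return 'Password must be: ' + rules.join('; ');
}

// Browser wiring (skipped when run outside a browser). No maxlength attribute:
// an over-long value is reported and blocks submission instead of being
// silently cut short, which is what maxlength does to a pasted password.
if (typeof document !== 'undefined') {
  const input = document.querySelector('#password'); // assumed element ids
  const button = document.querySelector('#submit');
  const status = document.querySelector('#policy');
  status.textContent = describePolicy();
  input.addEventListener('input', () => {
    const unmet = checkPassword(input.value);
    button.disabled = unmet.length > 0;
    status.textContent = unmet.length
      ? 'Still needed: ' + unmet.join('; ')
      : 'Password meets the policy.';
  });
}
```

The same `checkPassword` with the same policy object should run again on the server, since the JavaScript check is a courtesy to the user, not a security control.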

As I go through all my passwords, it's infuriating how many sites expect the user to magically know the site's Byzantine security requirements.

Remember, if you make your password field too complex, users will get frustrated and reject it.



8 thoughts on “How *NOT* To Do A Password Field”

  1. rjp says:

    You should definitely state the length and warn about overlong passwords - I had a problem with a site recently when I generated a 36 char password but they (silently) only stored 30. The registration form had no maxlength but subsequent login forms did...

  2. says:

    Actually, please do NOT have a maxlength on your password field. Instead, if the contents are too long, disable the submit button and tell me my password is too long. Why? Because I never actually type in a password. I generate a long one and copy & paste it in. And when you put a max length on the field, I think my password is FooBarBazBatAwesome, and you think my password is FooBarBazBat.... and that is going to screw me.

    I've had this happen on more than one occasion. For God's sake, do not put a max length on your password field. It silently drops any characters that are too long without notifying the user that it's doing so.

  3. Simon Strandman says:

    Not enforcing a maximum password length might make the server vulnerable to DOS attacks so that's definitely something you should do (ie. someone could flood the site with long passwords and the hashing algorithm would hog the cpu). I agree on the other things.

  4. Tim says:

    I'd also add that you should state your password requirements on the login form, I need to know what stupid requirements you asked for so I can remember which password I used!

  5. Jed says:

    And another thing... don't disable copy-paste in the password field! This makes it super hard to use a truly secure uniquely generated password.

  6. Phil Beesley says:

    Every password/username/email address entry field should be long enough to display a longish text entry or the blobs representing it. If I'm entering my email address -- a mere 25 characters -- on a large screen device, I expect to see all of it. If I am doing it on a small screen device, it is easier to move display content sideways than to insert a cursor into a tiddly field and clumsily navigate.

    I don't know how long (visibly) a password field should be. I'd be interested to learn whether a longer field on registration pages encourages users to enter a longer password.

    And what about advice to keep passwords so secret that you never write them down? Is this really appropriate for consumers given that most IT professionals break that rule every day of the week? We all write down immemorable passwords to access third party resources and put them in the fire proof safe in a secure room. Just as there are tricks to help people create memorable passwords for resources that they use regularly, there are tricks for safely recording site name/username/password couplings.

    My methodology? I write in plain text in a few books, it is in a room containing 1,000 books sprayed by my patent dust blower. Or something like that scenario.

    1. rjp says:

      My work passwords are written down in a Field Notes I carry around - the trick is that they're incomplete (but not obviously). Since I'm forced to change 6 or 7 every month, this is the only sane way to live.
