We're all changing our passwords in the light of Heartbleed, right? Good!
If you are a developer or designer, I want to explain to you exactly how not to create a password dialogue box for your users.
We're all used to seeing this:
This is incorrect! Why? Because it leads to this:
ERROR! Your password must be longer than 7 characters!
Ok! Ok! I'll enter in a longer password.
ERROR! Your password must be between 8 - 16 characters!
Grrrrrr.... ok.... how about this?
ERROR! Your password must contain at least 1 number and special character.
I will cut you...
ERROR! Allowed special characters are "!$%^&*".
Oh.... FFS.... Will this do?
ERROR! I just don't like you!
If you are writing a form which asks a user to enter a new password, please follow these simple guidelines:
- State your site's password requirements ON THE FRICKIN' FORM! Seriously, if you only do one thing, make it that!
- Don't impose an artificially short password length. If a user really wants a 64-, 128- or 1024-character password, let them.
- If you have to restrict the length, use the maxlength attribute on the input field.
- Do you really need to insist on special characters, upper and lower case, Roman Numerals, and Unicode emoticons? If the user really wants to be insecure, let them. If you need security - insist on using 2FA rather than complex passwords.
- How will the user know what your password requirements are? Are they hidden on a help page somewhere, or only on a pop-up after they've hit enter? Make sure they're on the page - preferably directly above the password field.
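As an added example (not code from the original post), here is one way to follow these guidelines in JavaScript: a single policy object generates both the requirements text rendered above the field and the validation result, so the form text and the checks can never disagree, and every unmet requirement is reported at once instead of one per submission. The numeric limits and function names are assumptions, not the post's.

```javascript
// One source of truth for the password rules. The numbers are illustrative
// (assumed for this example); there is deliberately no character-class rule
// and no list of "allowed special characters".
const PASSWORD_POLICY = {
  minLength: 8,
  // A generous ceiling acts as a sanity limit rather than a hindrance;
  // the same value feeds the input's maxlength attribute below.
  maxLength: 1024,
};

// Text to render directly above the password field, derived from the policy
// so it cannot drift out of sync with the validator.
function requirementsText(policy = PASSWORD_POLICY) {
  return `Your password must be between ${policy.minLength} and ` +
         `${policy.maxLength} characters. Any characters are allowed.`;
}

// Returns every unmet requirement (an empty array means the password is
// acceptable), so the user sees all problems on the first attempt.
function passwordProblems(password, policy = PASSWORD_POLICY) {
  const problems = [];
  // Count code points rather than UTF-16 units, so emoji and non-Latin
  // scripts are not over-counted against the limits.
  const length = Array.from(password).length;
  if (length < policy.minLength) {
    problems.push(`Password must be at least ${policy.minLength} characters ` +
                  `(you entered ${length}).`);
  }
  if (length > policy.maxLength) {
    problems.push(`Password must be at most ${policy.maxLength} characters ` +
                  `(you entered ${length}).`);
  }
  return problems;
}

// Attributes for the <input> element, again derived from the same policy.
function passwordInputAttributes(policy = PASSWORD_POLICY) {
  return {
    type: 'password',
    minlength: policy.minLength,
    maxlength: policy.maxLength,
    autocomplete: 'new-password',
  };
}

// Constructed sample input for a stand-alone run.
console.log(requirementsText());
console.log(passwordProblems('short'));
console.log(passwordProblems('correct horse battery staple'));
```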
As I go through all my passwords, it's infuriating how many sites expect the user to magically know the site's Byzantine security requirements.
Remember, if you make your password field too complex, users will get frustrated and reject it.