On Passwords and Security
by James
This tweet from Saul Kaplan got me thinking: there are really two ways of looking at passwords.
Developers, geeks, and the security conscious think like this:
I need to protect this website/application so criminals don’t steal my personal details, bank account number, or email address. I should choose something secure: preferably a random collection of letters, numbers, and symbols. Plenty of websites store passwords as plain text, too, so any one of them could leak it; I should pick a password that’s unique to this site. I won’t be able to remember it, but my browser/keychain can handle that, and my account will be much more secure.
Ordinary users think of passwords like this:
I have to type something into this box to make the website work. I’ll type “12345”: that’s easy to remember.
This is a problem.
Most ordinary users are aware of security as a vague, secondary concern: “someone might take my credit card details” or “emails can contain bad stuff”. Most ordinary users do not see passwords as a key part of security, and even if they do, they don’t really understand the implications of choosing a bad one.
To ordinary users, a password is not a security feature: it’s a hurdle to be jumped before they can do what they want to do.
How do we combat this? I don’t know. The tough option would be to check password strength and force users to choose a strong password. In the same way that websites validate email addresses on signup forms, they could validate passwords too.
Imagine if, in HTML5, you could do this:
Where “secure” is some attribute that requires the browser to validate the strength of the password (and to show an alert such as “The password you chose is too weak: please pick another”). The browser check would only ever be a convenience for the user; the server would still have to enforce the same rule, since anything submitted from a browser can be forged.
I don’t know how well-received this would be by users. At the moment there is only a token effort to encourage users to understand the importance of strong passwords, and even that reaches most users second- or third-hand, at best.
As developers, we have a responsibility to help users understand the importance of passwords. I try to do this all the time, but I’ve come to think that a simple password field (with no validation) isn’t enough. Something needs to change.
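Here is one way to implement the check the post imagines, as an added example rather than code from the original post. It shows the kind of regular expression an HTML5 `pattern` attribute could carry alongside a strength check that does what a regex cannot: reject passwords that are on a list of common ones, or that are a trivial sequence such as “12345”. The minimum length, the denylist, and the function names are assumptions made for illustration.

```javascript
// Added example, not code from the original post: a password-strength check of
// the kind the imagined `secure` attribute would have the browser perform.
// The thresholds, the denylist and the function names are assumptions made
// for illustration, not a standard.

// A short denylist of passwords that show up in leaked credential sets. A real
// deployment would load a much larger list; this one is constructed inline.
const COMMON_PASSWORDS = new Set([
  "12345", "123456", "password", "password1", "password123", "password1234",
  "qwerty", "letmein", "abc123", "iloveyou",
]);

const MIN_LENGTH = 12;

// The regular expression a `pattern` attribute could carry. The browser anchors
// the attribute's value itself, so the attribute would hold the body only:
//   <input type="password" pattern="(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}">
// Composition rules like this one are easy to express but weak on their own:
// "Password1234" satisfies it and is still a terrible password.
const COMPOSITION_RULE = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$/;

function matchesCompositionRule(password) {
  return COMPOSITION_RULE.test(password);
}

// True when every character is one code point above the previous one, e.g.
// "12345" or "abcdef": sequences that a composition rule does not catch.
function isAscendingSequence(password) {
  if (password.length < 2) return false;
  for (let i = 1; i < password.length; i++) {
    if (password.charCodeAt(i) - password.charCodeAt(i - 1) !== 1) return false;
  }
  return true;
}

// True when the password is one character repeated, e.g. "aaaaaaaaaaaa".
function isRepeatedCharacter(password) {
  return password.length > 0 && /^(.)\1*$/.test(password);
}

// Returns { ok, problems } so the caller can tell the user *why* the password
// was rejected rather than showing a bare "too weak".
function checkPasswordStrength(password) {
  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`shorter than ${MIN_LENGTH} characters`);
  }
  if (COMMON_PASSWORDS.has(password.toLowerCase())) {
    problems.push("appears in the common-password list");
  }
  if (isAscendingSequence(password)) {
    problems.push("is a simple ascending sequence");
  }
  if (isRepeatedCharacter(password)) {
    problems.push("is a single repeated character");
  }
  return { ok: problems.length === 0, problems };
}

// Browser side: the check is a convenience for the user, nothing more. Anyone
// can skip it by disabling JavaScript or by posting directly to the endpoint,
// so checkPasswordStrength() must run again on the server before the password
// is accepted. setCustomValidity() makes the browser block form submission and
// show the message, which is the behaviour the post's "secure" attribute wants.
function wireUpField(input, messageElement) {
  input.addEventListener("input", () => {
    const { ok, problems } = checkPasswordStrength(input.value);
    input.setCustomValidity(
      ok ? "" : "The password you chose is too weak: please pick another"
    );
    messageElement.textContent = ok ? "" : problems.join("; ");
  });
}
```

The two checks disagree in instructive ways: “Password1234” satisfies the composition regex but is rejected by the denylist, while a long passphrase such as “correct horse battery staple” fails the regex yet passes the strength check. Length and a denylist do more for users than character-class rules, and whatever rule is chosen belongs on the server as well as in the form.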
On a related note: an old blog post I wrote about the tiered password schemes so many people use and why they’re FAIL.
http://weblog.masukomi.org/2009/02/26/why-your-tiered-password-scheme-is-flawed-and-what-to-do-about-it
@masukomi
You make a good point / even tiered passwords are bad / when will people learn?
In HTML5 you can specify a “pattern” attribute on input fields, a regular expression which must be matched by the value entered. You could use this to force a certain level of password security.
Yeah, I was thinking about the “pattern” attribute when I wrote this, and wondering whether it would be easy to come up with a good, memorable regexp to validate passwords.
I think that most developers would just not use it. The simpler the solution, the better.