James Wilding's Weblog

Hello HTML5

HTML has just reached a major milestone with the publication of six working drafts of the markup language’s specification (via).

Despite being technical documents, these specs also make for interesting reading if you’re at all curious about the evolution of the web’s mother tongue. A great place to start is the history of HTML in the main HTML5 spec: there’s some detail here about how HTML5 came to be, as well as some brief information about the aborted XHTML2 effort. This section helps you understand why HTML5 exists at all.

Next, you’ll want to know what elements are available for HTML5 authors: for this, start with “The elements of HTML” (again, in the main spec). This section lists HTML5’s tags and explains how to use them; new tags such as section, nav, article, and aside are covered here.

As a web developer, you’re going to be writing HTML5, so also read “The HTML syntax” for more detail on how HTML5 documents should be structured. The section called “Writing HTML documents” is especially useful, and includes information on the doctype (previously important but now “a mostly useless, but required, header”).

If you’re put off by technical language, be reassured that the spec makes an effort to be readable by humans too: after the spec for doctype syntax, for example, we get this summary:

In other words, <!DOCTYPE HTML>, case-insensitively

Despite all the HTML5 websites out there, I think it’s really important for developers to go to the source and read the original spec: it’s surprisingly accessible, and even glancing at it will help you understand where HTML5 is coming from.

On Passwords and Security

This tweet from Saul Kaplan got me thinking: there are really two ways of looking at passwords.

Developers, geeks, and the security conscious think like this:

I need to protect this website/application so criminals don’t steal my personal details, bank account number, or email address. I should choose something secure: preferably a random collection of letters, numbers, and symbols. Plenty of websites store passwords as plain text, too, so I should pick a password that’s unique. I won’t be able to remember it, but my browser/keychain can handle that and the website/application will be much more secure.

Ordinary users think of passwords like this:

I have to type something into this box to make the website work. I’ll type “12345”: that’s easy to remember.

This is a problem.

Most ordinary users are aware of security as a vague, secondary concern: “someone might take my credit card details” or “emails can contain bad stuff”. Most ordinary users do not see passwords as a key part of security, and even if they do, they don’t really understand the implications of choosing a bad one.

To ordinary users, a password is not a security feature: it’s a hurdle to be jumped before they can do what they want to do.

How do we combat this? I don’t know. The tough option would be to check password strength and force users to choose a strong password. In the same way that websites validate email addresses on signup forms, they could validate passwords too.

Imagine if, in HTML5, you could do this:

Where “secure” is some attribute that requires the browser to validate the strength of the password (alert message: “The password you chose is too weak: please pick another”).
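One way to approximate this in script today, as an added example that is not part of the original post: `secure` remains the post's hypothetical attribute (it is not a real HTML attribute), and the blocklist, the 60-bit threshold and the function names are assumptions chosen for illustration.

```javascript
// Added example. `secure` is the post's hypothetical attribute, not real HTML;
// the blocklist and the 60-bit threshold are constructed for illustration.
const WEAK_MESSAGE = "The password you chose is too weak: please pick another";
const COMMON = new Set(["12345", "123456", "password", "qwerty", "letmein"]);

// Rough upper bound on guessing entropy: length * log2(size of alphabet in use).
function estimateBits(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) alphabet += 33;
  return alphabet ? pw.length * Math.log2(alphabet) : 0;
}

// True for runs such as "12345" or "fedcba" (constant step of +1 or -1).
function isSequence(pw) {
  if (pw.length < 3) return false;
  const step = pw.charCodeAt(1) - pw.charCodeAt(0);
  if (Math.abs(step) !== 1) return false;
  for (let i = 2; i < pw.length; i++) {
    if (pw.charCodeAt(i) - pw.charCodeAt(i - 1) !== step) return false;
  }
  return true;
}

// Returns "" when the password is acceptable, otherwise the message to show.
function checkPassword(pw, minBits = 60) {
  if (COMMON.has(pw.toLowerCase())) return WEAK_MESSAGE;
  if (/^(.)\1*$/.test(pw)) return WEAK_MESSAGE; // one character repeated
  if (isSequence(pw)) return WEAK_MESSAGE;
  return estimateBits(pw) >= minBits ? "" : WEAK_MESSAGE;
}

// Browser side: a non-empty custom validity message blocks form submission
// and is shown by the browser, much like its built-in email validation.
function enforceSecure(root) {
  for (const input of root.querySelectorAll('input[type="password"][secure]')) {
    const update = () => input.setCustomValidity(checkPassword(input.value));
    input.addEventListener("input", update);
    update();
  }
}

if (typeof document !== "undefined") enforceSecure(document);
```

Treat this as guidance for the user only: the server has to repeat the check, because a request can be submitted without going through the form.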

I don’t know how well-received this would be by users. At the moment, there is a slight attempt to encourage users to understand the importance of strong passwords, but this is second- or third-hand information to most users, at best.

As developers, we have a responsibility to help users understand the importance of passwords. I do it all the time, but I’ve come to think that a simple password field (with no validations) isn’t enough. Something needs to change.