Friday, February 27, 2015

usability - Should users be allowed to use any special character they want when creating a password?


I came across a number of login configuration settings where there is a list of allowable special characters and was wondering:


Does this limitation cater for a specific security or usability need?


Example: A list of special characters supported by Oracle Identity Manager and Microsoft Active Directory for password field :


[Image: list of special characters supported by Oracle Identity Manager and Microsoft Active Directory for the password field]


Update:


Thanks everyone for the generous response!



Every time I have asked a question that involves security and usability there seems to be a clear divide between proponents on each side. However, this need not be the case, as this is one area that requires a lot of compromises and trade-offs… UX depends on it!



Answer



If the user can type it then it should be allowed in their password.


Telling someone what they can and can't use in their password always feels wrong to the user. Passwords are currently the most universal way to authenticate. Preventing users from entering anything is, in essence, telling them who they can or can't be.


1. Any printable character that a user inputs should be allowed.


The following characters are okay...


'A', 'a', 'á', 'Æ', 'æ', 'Ñ', 'ñ', '-', '_', ' ' (space), '\t' (tab), '\n' (newline), ...


Just because I don't know how to submit a TAB or ENTER character as part of my password doesn't give me the right to prevent others from doing so.

(Don't worry, few people will try to submit an ENTER character as part of their password but allowing the few that do will earn their respect.)



2. Keys that don't display a printable character should not be allowed.


The reasons for this should be obvious, but for completeness I will mention the following keys, which can be detected but are reserved for other actions. For example, a password input shouldn't record that Shift was hit multiple times...


[ctrl], [alt], [shift], [arrow keys], [apple key], [windows key], etc.

3. Not allowing certain characters makes users question your security.


When you prevent users from putting certain characters in their password it not only annoys people but causes many of them to question what else you are doing that isn't secure.


You may as well be saying...




"Hey we don't want to fix our application to properly deal with special characters so would you mind helping us out by making your password less secure?"



The rules below will allow for secure input while preventing a user from ever getting stuck:




  • Don't show the characters that the user is typing in password fields (there are some exceptions on mobile)




  • Having the user type in their password twice is usually sufficient in letting them know that they got it right (i.e. didn't accidentally add unintended white space etc.)





  • Having a password reset mechanism is important to handle any cases of accidental lockout.




4. Encouraging a user to add more isn't the same as prohibiting characters.


One way to help a user come up with a secure password is to make a game out of it...


[Image: password strength indicator]


5. The future of authentication


"The Tech That Will Kill Passwords Dead" is a pretty good gizmodo article discussing the problems we all face with passwords. It also talks about some new patterns that could possibly replace passwords one day.


Many mobile applications are starting to allow users to show or hide passwords in plain text in order to increase ease of use and remove one barrier to entry. I would still avoid this because the problem it creates is worse than the problem it solves.



Even with a very intuitive mechanism for showing/hiding a password 60% of users still say it feels wrong to see passwords in clear text.


According to that same article it appears that Touch ID is on the right track and easily wins as far as usability is concerned. Touch ID still has some major problems that make it impractical. The biggest being that it only works on select devices and has issues with one person controlling multiple accounts.


Facial recognition is another contender as an increasing number of high pixel density cameras make their way into the world but this approach often leaves people worrying about privacy.


The one problem shared by all of these new authentication attempts is this: You are the password.


It's actually a lot easier to fake who you are than what you know. In addition, once you've been compromised it's nearly impossible to change (your fingerprints, for example).


Passwords are the authentication mechanism of choice for a good long while so...


Please don't place arbitrary character limitations on my password. Thanks!
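As an added example (not part of the question or the answer above, and not code from Oracle or Microsoft), the following Python turns the answer's rules into a validator plus a storage routine: every printable character the user can type is accepted, TAB and newline included, and only non-printing control characters (the bytes an arrow key or an escape sequence would leave behind) are refused. The back end never needs to escape or restrict anything because it only ever sees a salted PBKDF2-HMAC-SHA256 digest of the UTF-8 bytes. Two choices here are my assumptions, not the answer's: the NFC normalisation step (so a composed "ä" and the decomposed form some keyboards and operating systems emit verify as the same password) and the PBKDF2 parameters.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Control characters a web form can legitimately carry. The answer lists TAB and
# ENTER as acceptable; "\r" is included because browsers send newlines as CRLF.
ALLOWED_CONTROL = {"\t", "\n", "\r"}


def is_acceptable_password(password: str) -> bool:
    """Accept any printable character, of any script, plus TAB/newline.

    Keys such as Shift, Ctrl, Alt or the arrow keys never reach the field as
    text at all, so the only way other control characters (Unicode category
    Cc, e.g. ESC from a terminal escape sequence) can arrive is a malformed
    submission; those are the only characters refused.
    """
    if not password:
        return False
    for ch in password:
        if unicodedata.category(ch) == "Cc" and ch not in ALLOWED_CONTROL:
            return False
    return True


def canonical_bytes(password: str) -> bytes:
    # Assumption (not in the original answer): normalise to NFC so that a
    # composed "ä" (U+00E4) and "a" followed by U+0308, as typed on another
    # keyboard or OS, produce identical bytes and therefore the same digest.
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes, int]:
    """Return (salt, digest, iterations) for storage.

    PBKDF2-HMAC-SHA256 and the iteration count are this example's choice;
    any password hash (bcrypt, scrypt, Argon2) works equally well on the raw
    UTF-8 bytes, which is the point: no character ever needs to be banned.
    """
    if not is_acceptable_password(password):
        raise ValueError("password contains a non-printing control character")
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    if not is_acceptable_password(password):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: accented letters, a ligature, a space and a TAB.
    chosen = "p\u00e4ssw0rd \u00c6\t"
    salt, digest, rounds = hash_password(chosen)
    print("stored:", salt.hex(), digest.hex(), rounds)
    print("same password, decomposed form:",
          verify_password("pa\u0308ssw0rd \u00c6\t", salt, digest, rounds))
    print("trailing TAB dropped:", verify_password("p\u00e4ssw0rd \u00c6", salt, digest, rounds))
    print("arrow-key escape sequence:", is_acceptable_password("abc\x1b[A"))
```

Note that whitespace is significant: a trailing TAB or space that the user did not intend is exactly the case the answer's "type it twice" rule exists to catch, and the verifier above will (correctly) reject a later attempt without it.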

