For a secure application, we push users to use passphrases instead of passwords. We've got some explanations on the password change page. For the field, we use the label "passphrase" to push the user again to use one.
One user wondered if people will get confused about what the “passphrase” might be.
Are those concerns real, should we really switch back to "password", or is "passphrase" a better option to help people change their habits?
EDIT: Maybe I've not been clear enough in my question. The question is about the labeling. We will use passphrases and OWASP rules in any case. The question is "do we display 'password' for the field, or 'passphrase'?". Or "Will the user be confused to read 'username/passphrase' instead of 'username/password' on the login page?"
Answer
A recipe:
Use "passphrase". (why? - you are promoting the best practice, you may actually want to include a link to OWASP)
Add a nice little blurb to the right on why they would want the security that passphrases provide, and other security tips.
Use xkcd's "correct horse battery staple" cartoon, but disallow this passphrase.
Note: XKCD cartoons are licensed under a Creative Commons Attribution-NonCommercial 2.5 License.
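As an added example (not code from the question or the answer above), here is a small Python passphrase check that implements the last step of the recipe: it rejects the xkcd example phrase, including obvious spelling, separator and digit-for-letter variants of it, and enforces a minimum length so that the field really does hold a passphrase. The minimum and maximum lengths, the denylist and the substitution table are assumptions chosen for illustration; the page refers to OWASP rules without listing them, so nothing here claims to be the OWASP policy.

```python
import re
import unicodedata

# Constructed denylist: the xkcd phrase the answer says to disallow. In a real
# deployment this set would also hold other phrases shown in your own UI text.
DENYLISTED_PHRASES = {
    "correct horse battery staple",
}

# Assumed policy values for this example (not OWASP's numbers).
MIN_LENGTH = 15   # long enough that a single dictionary word will not pass
MAX_LENGTH = 128  # generous upper bound; never silently truncate the input

# Common digit/symbol-for-letter substitutions, folded back before comparison
# so that "c0rrect h0rse b4ttery st4ple" is still recognised as the example.
_LEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
})


def normalize_phrase(phrase: str) -> str:
    """Canonical form used only for denylist comparison (never for storage).

    Unicode NFKC, case folding, leet folding, then every non-alphanumeric
    character removed, so 'Correct-Horse_Battery.Staple' and
    'correcthorsebatterystaple' collapse to the same key.
    """
    text = unicodedata.normalize("NFKC", phrase).casefold()
    text = text.translate(_LEET)
    return re.sub(r"[^a-z0-9]+", "", text)


# Pre-normalised denylist keys, built once at import time.
_DENYLIST_KEYS = {normalize_phrase(p) for p in DENYLISTED_PHRASES}


def check_passphrase(candidate: str) -> list[str]:
    """Return the reasons a candidate passphrase is rejected.

    An empty list means the candidate is acceptable. Reasons are plain
    sentences suitable for showing next to the "passphrase" field.
    """
    problems: list[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(
            f"too short: a passphrase needs at least {MIN_LENGTH} characters"
        )
    if len(candidate) > MAX_LENGTH:
        problems.append(f"too long: at most {MAX_LENGTH} characters are allowed")
    if normalize_phrase(candidate) in _DENYLIST_KEYS:
        problems.append(
            "this is the well-known example passphrase from the cartoon; "
            "pick words of your own"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample inputs showing each outcome.
    for sample in (
        "correct horse battery staple",
        "Correct-Horse_Battery.Staple!",
        "c0rrect h0rse b4ttery st4ple",
        "short one",
        "seven lazy otters debate the moon",
    ):
        verdict = check_passphrase(sample)
        print(f"{sample!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The normalisation is deliberately aggressive and applied only to the comparison key: the user's actual passphrase is passed through unchanged to whatever hashing the application already does, so the check cannot weaken what gets stored.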