Most of the users use weak passwords. They may use weak passwords even for services where they store sensitive information. I think it's because they don't believe that their password may be guessed/brute forced. But they may be furious if it happens. To avoid this furiosity we are going to build very strong password requirements.
I understand that most of the users may be quiet displeased with necessity of choosing strong password so I want to provide them data why they have to do it.
I thought about tooltip like:
Our service is for sensitive data. Your password is the gate to your data. If password can be guessed or brute forced by attacker, he will have full access to your account. It happened many times with other sites in the past:
[chronology of the largest password leaks (Sony, Citigroup etc.) is here]
What is the best way to inspire users to choose strong passphrase and remember them?
Edit: I was advised to use password meter.
Say, my password requirements consist of 5 rules. I think about the following meter: When user starts typing, all 5 rules are displayed next to password field in red. As soon as user types password that falls under some rule, this rule disappears from this area. As soon as all 5 rules are satisfied, word "Strong!" is displayed instead of rules in green.
However, using password meter doesn't tell user why they should use such strong password. Should I provide such info to them? If yes, in what form? Is there a way to have users not dissatisfied because of strong minimum password requirements?
What is the chance that in case if user's password will be guessed by attacker, user will blame application developers that they didn't force him to use strong password?
No comments:
Post a Comment