WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: Password Rules - Impact on Users with Cognitive Disabilities


From: Pooja.Nahata@cognizant.com
Date: Oct 28, 2014 1:47PM


Thanks Jonathan and Mallory for your inputs.

One more thought - WCAG 2.0 doesn't have any S.C. that relates to how password rules should be set; WCAG guides more on the implementation side.

Regards
Pooja Nahata


-----Original Message-----
From: <EMAIL REMOVED> [mailto: <EMAIL REMOVED> ] On Behalf Of Jonathan Avila
Sent: Tuesday, October 28, 2014 6:44 AM
To: WebAIM Discussion List
Subject: Re: [WebAIM] Password Rules - Impact on Users with Cognitive Disabilities

> along with your text description, an example password

I was thinking the same thing. Perhaps though the system should reject the example password as not acceptable as people may be inclined to just use that.

Jonathan

-----Original Message-----
From: <EMAIL REMOVED> [mailto: <EMAIL REMOVED> ] On Behalf Of Mallory van Achterberg
Sent: Tuesday, October 28, 2014 5:23 AM
To: <EMAIL REMOVED>
Subject: Re: [WebAIM] Password Rules - Impact on Users with Cognitive Disabilities

On Mon, Oct 27, 2014 at 08:54:10PM +0000, <EMAIL REMOVED> wrote:
> Password Must be 8 - 20 characters. Must include at least one lower-case letter and one number. No symbols may be used. Cannot be one of six previous passwords.
>
Might be. In general, people understand examples better than text descriptions, so along with your text description, an example password (with each point maybe drawn with an arrow to it) would help more people.

Nielsen has suggested that the hiding of passwords is a UX anti-pattern and so you may possibly want to consider not using the type="password", if that's an option. Typing on a keyboard while keeping a bunch of rules straight in your head and then not being able to see what you've typed is really hard, even without cognitive disability.

Also, adding a dynamic JavaScript hint near the input may also help.
For example, listening for the oninput event, check the string and see if it's missing one of the demands, like a special character or something uppercase, and suggest it. I've never done this, but I like the idea, similar to the dynamic password-strength "meters" some forms use, except more specific.

_mallory
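
The two suggestions in this thread (a rule-specific hint driven by the input event, and rejecting the published example password) can be sketched together as follows; this is an added example, not code from any of the posters. The example password, the element ids and the reading of "no symbols" as ASCII letters and digits only are assumptions, and the "six previous passwords" rule is deliberately absent because that comparison belongs on the server, which should also repeat every check shown here.

```javascript
// Added example: rule-specific hints for the policy quoted in the thread.
// EXAMPLE_PASSWORD is a constructed sample shown next to the rules text.
const EXAMPLE_PASSWORD = 'maple42river';

// Each rule has a test and the hint to show while it fails.
const RULES = [
  { id: 'length', hint: 'Use 8 to 20 characters.',
    ok: (pw) => pw.length >= 8 && pw.length <= 20 },
  { id: 'lowercase', hint: 'Add at least one lower-case letter.',
    ok: (pw) => /[a-z]/.test(pw) },
  { id: 'number', hint: 'Add at least one number.',
    ok: (pw) => /[0-9]/.test(pw) },
  // Assumption: "no symbols" means ASCII letters and digits only.
  { id: 'symbols', hint: 'Remove symbols; use only letters and numbers.',
    ok: (pw) => /^[A-Za-z0-9]*$/.test(pw) },
  // Reject the published example so nobody adopts it as-is.
  { id: 'example', hint: 'Do not use the example password; choose your own.',
    ok: (pw) => pw.toLowerCase() !== EXAMPLE_PASSWORD.toLowerCase() },
];

// Returns the unmet rules, in order, for the current input value.
function passwordHints(pw) {
  return RULES.filter((r) => !r.ok(pw)).map((r) => ({ id: r.id, hint: r.hint }));
}

// Browser wiring (skipped outside a browser). Element ids are hypothetical.
if (typeof document !== 'undefined') {
  const input = document.getElementById('new-password');
  const list = document.getElementById('password-hints'); // <ul aria-live="polite">
  if (input && list) {
    input.addEventListener('input', () => {
      list.replaceChildren(...passwordHints(input.value).map(({ hint }) => {
        const li = document.createElement('li');
        li.textContent = hint; // textContent, never innerHTML
        return li;
      }));
    });
  }
}
```
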