WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: Password Rules - Impact on Users with Cognitive Disabilities


From: Birkir R. Gunnarsson
Date: Oct 29, 2014 6:31AM

I think password hiding is important, so passwords should be hidden by default.
However, it would be a great UX improvement to offer users the chance
of seeing their passwords as they type them (provide a "see my
password as I type" button or checkbox next to the password field).
I have seen graphics depicting the password strength that are
populated as you type.
You could have bullets such as
"password is at least 8 characters" that could change shape/color/alt
text as the password reaches its desired length.
Another for "password must have one non-alphanumeric character".
You, of course, are unable to test if the password is one of the user's
previous passwords, but these graphics can help the user realize
what conditions he has met and which are still left.
Also, informative error messages can help here.
I have sometimes wanted to have something like this as a user, though
one must take care to make them accessible whilst not overly verbose.
I am not saying one has to do this, and not doing it would be a WCAG
violation. The relevant success criterion is 3.3.2 (labels or
instructions), or if these clues are given using color or graphics
they must meet 1.4.1/1.1.1.
But 3.3.2 S.C. does not require you to go to these lengths to help
users, it is just good user design.


On 10/28/14, <EMAIL REMOVED> < <EMAIL REMOVED> > wrote:
> Thanks Jonathan and Mallory for your inputs.
> One more thought - WCAG 2.0 doesn't have any S.C that relates to how
> password rules should be set, WCAG guides more on the implementation side.
> Regards
> Pooja Nahata
> -----Original Message-----
> [mailto: <EMAIL REMOVED> ] On Behalf Of Jonathan Avila
> Sent: Tuesday, October 28, 2014 6:44 AM
> To: WebAIM Discussion List
> Subject: Re: [WebAIM] Password Rules - Impact on Users with Cognitive
> Disabilities
>> along with your text description, an example password
> I was thinking the same thing. Perhaps though the system should reject the
> example password as not acceptable as people may be inclined to just use
> that.
> Jonathan
> -----Original Message-----
> [mailto: <EMAIL REMOVED> ] On Behalf Of Mallory van
> Achterberg
> Sent: Tuesday, October 28, 2014 5:23 AM
> Subject: Re: [WebAIM] Password Rules - Impact on Users with Cognitive
> Disabilities
> On Mon, Oct 27, 2014 at 08:54:10PM +0000, <EMAIL REMOVED> wrote:
>> Password Must be 8 - 20 characters. Must include at least one lower-case
>> letter and one number. No symbols may be used. Cannot be one of six
>> previous passwords.
> Might be. In general, people understand examples better than text
> descriptions, so along with your text description, an example password (with
> each point maybe drawn with an arrow to it) would help more people.
> Nielsen has suggested that the hiding of passwords is a UX anti-pattern and
> so you may possibly want to consider not using the type="password", if
> that's an option. Typing on a keyboard while keeping a bunch of rules
> straight in your head and then not being able to see what you've typed is
> really hard, even without cognitive disability.
> Also, adding a dynamic JavaScript hint near the input may also help.
> For example, listening for the oninput event, check the string and see if
> it's missing one of the demands, like a special character or something
> uppercase, and suggest it. I've never done this, but I like the idea,
> similar to the dynamic password-strength "meters" some forms use, except
> more specific.
> _mallory

Work hard. Have fun. Make history.
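
The rule-by-rule hint discussed in this thread (a checklist that updates as the user types, with the example password itself rejected), as an added example that is not code from any of the posters. The element ids, the sample password and the ASCII reading of "no symbols" are assumptions.

```javascript
// Added example. Rules come from the policy quoted in the thread; the
// "six previous passwords" rule needs stored history, so it stays server-side.
const EXAMPLE_PASSWORD = "sample4pass"; // constructed; shown next to the field

const RULES = [
  { id: "length", label: "8 to 20 characters",
    test: (pw) => pw.length >= 8 && pw.length <= 20 },
  { id: "lower", label: "at least one lower-case letter",
    test: (pw) => /[a-z]/.test(pw) },
  { id: "digit", label: "at least one number",
    test: (pw) => /[0-9]/.test(pw) },
  // Assumption: "no symbols" means ASCII letters and digits only.
  { id: "nosymbol", label: "no symbols",
    test: (pw) => /^[A-Za-z0-9]*$/.test(pw) },
  // The published example must never be accepted as a real password.
  { id: "notexample", label: "different from the example password",
    test: (pw) => pw.toLowerCase() !== EXAMPLE_PASSWORD.toLowerCase() },
];

// Evaluate every rule so the user sees what is met and what is still missing.
function checkPassword(pw) {
  return RULES.map(({ id, label, test }) => ({ id, label, met: test(pw) }));
}

// Plain-text status: state is carried by words, not colour or shape alone.
function summarize(results) {
  const missing = results.filter((r) => !r.met).map((r) => r.label);
  if (missing.length === 0) return "All password requirements met.";
  const met = results.length - missing.length;
  return `${met} of ${results.length} requirements met. Still needed: ${missing.join("; ")}.`;
}

// Browser wiring (skipped outside a browser). Element ids are hypothetical;
// the status element is assumed to carry aria-live="polite".
if (typeof document !== "undefined") {
  const field = document.getElementById("new-password");
  const status = document.getElementById("password-status");
  let timer;
  if (field && status) {
    field.addEventListener("input", () => {
      clearTimeout(timer); // wait for a pause so announcements stay brief
      timer = setTimeout(() => {
        status.textContent = summarize(checkPassword(field.value));
      }, 500);
    });
  }
}
```

The server still has to enforce the same rules plus the password-history check; the client-side hint only tells the user what is missing.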