WebAIM - Web Accessibility In Mind

E-mail List Archives

Re: [EXTERNAL] How fast do puff and sip device users type?

for

From: Mallory
Date: Jul 4, 2019 1:18AM

Is allowing the user total control over whether the mask is applied or not an option? I've always liked how it's an option in Edge browser (except it's pointer-only).

Then when they've got it on (and also when it's on by default), you could still show the most-recently-typed as John suggested.

My hardest time with password masking is when using Dragon (when attempting to actually dictate them instead of copy-pasting, which not all sites let you paste), followed by typing on my phone because my fingers know my passwords and my brain does not, meaning onscreen keyboards take very long due to brain.

cheers,
_mallory

On Wed, Jul 3, 2019, at 8:23 PM, Birkir R. Gunnarsson wrote:
> Good input
> I mentioned zip and puff devices specifically because I consider them
> the slowest method of input, which is at best an educated guess.
> I did a test using the slowest method availbale to me personally,
> using a touchscreen keyboard to type a 12 character password that
> required all 3 keyboards (characters, numbers and symbols) and barely
> cracked the 90 seconds(I am a pretty awful touch typer).
>
> I am going to recommend 90 seconds as a starting point.
> We've discussed the checkbox solution but our security people still
> want automated masking after a certain period of inactivity,because
> they are security people and must be appeased.
>
> And the solution is server side so we can't listen for oninput events
> (which I would've prefered). ;)
> I think I can't get away with much more than 90 seconds, but I hope
> that will cover most usres in most situations.
> Worst case scenario, the user can choose to re-display the password,
> at least that's my understanding (this is still just a prototype and
> has not been fed thorugh the grinder of other business and technical
> restrictions).
>
> Thanks
> -Birkir
>
>
> On 7/3/19, John Foliot < <EMAIL REMOVED> > wrote:
> > Hi Birkir,
> >
> > You initially posed this question in relationship to content input via sip
> > and puff. While I am unaware of any specific studies around minimal times
> > needed, the problem statement impacts more than just that specific
> > user-group or specific input type (i.e. a user with a mouth-stick will
> > likely need a similar amount of time to react).
> >
> > Some questions: does the masking impact the whole text string, or just the
> > most recent character inputted? In a perfect world, I'd envision a masking
> > where the last letter/character typed is visible, and as soon as you input
> > a second (or next) character, than the previous character is auto-magically
> > masked. However, you also noted that this is a server-side function that is
> > not detecting key-strokes, so...)
> >
> > As for "how long"? I'd (personally, and with no hard metric to base this
> > on) likely suggest roughly 2 seconds per character, so an 8 character
> > string would be roughly 15 or 16 seconds. You noted as well that they can
> > "unmask" the password (during, or only after?), and if possible I'd also
> > provide a check-box function that automatically turns off or "shows" the
> > password in plain text for the duration - I've seen this more than once in
> > the wild. That's a user choice setting that can (would) default to the
> > traditional hidden password string, but still gives the end user the final
> > decision.
> >
> > My $0.05 Cdn.
> >
> > JF
> >
> > On Wed, Jul 3, 2019 at 12:17 PM Birkir R. Gunnarsson <
> > <EMAIL REMOVED> > wrote:
> >
> >> Lol, not when there are other considerations, such as security, and
> >> ths is an online banking platform, our security folks would get me
> >> trownin jail if I proposed that.
> >>
> >>
> >>
> >> On 7/3/19, Mark Magennis < <EMAIL REMOVED> > wrote:
> >> > The exception period under SC2.2.1 is 20 hours 😊
> >> >
> >> > Mark Magennis
> >> > Skillsoft | mobile: +353 87 60 60 162
> >> > Accessibility Specialist
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: WebAIM-Forum < <EMAIL REMOVED> > On Behalf Of
> >> > Birkir R. Gunnarsson
> >> > Sent: 03 July 2019 15:51
> >> > To: WebAIM Discussion List < <EMAIL REMOVED> >
> >> > Subject: [EXTERNAL] [WebAIM] How fast do puff and sip device users type?
> >> >
> >> > We hav a functionality that lets users see the password they are
> >> > typing.
> >> > For security reasons we automatically mask the password again after a
> >> > period of inactivity (the masking is done from the server side so we
> >> > cannotdetect individual keystrokes).
> >> > The question is, how long should we give a user to type the password
> >> > before we auto mask it again (password has to be at least 8 characters
> >> > long and must have at least one uppercase, one lower case and one
> >> > non-alphanumeric character).
> >> >
> >> > Finally, users can request to re display the password if masking is
> >> > activated.
> >> >
> >> > This is definitely a luxury problem compared to most accessibility
> >> > inquiries, but it's always fun to get questions that you don't
> >> > necessarily hav ready answers for.
> >> >
> >> > Cheers
> >> > -B
> >> >
> >> >
> >> > --
> >> > Work hard. Have fun. Make history.
> >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> >
> >>
> >>
> >> --
> >> Work hard. Have fun. Make history.
> >> > >> > >> > >> > >>
> >
> >
> > --
> > *​John Foliot* | Principal Accessibility Strategist | W3C AC Representative
> > Deque Systems - Accessibility for Good
> > deque.com
> > > > > > > > > >
>
>
> --
> Work hard. Have fun. Make history.
> > > > >