E-mail List Archives
Thread: Password Rules - Impact on Users with Cognitive Disabilities
Number of posts in this thread: 17 (In chronological order)
From: Pooja.Nahata
Date: Mon, Oct 27 2014 2:54PM
Subject: Password Rules - Impact on Users with Cognitive Disabilities
Hello All,
Does anyone have experience with password rules which might impact the digital experience for users with cognitive disabilities?
For example would the following password rule be too onerous and difficult to remember for users with cognitive disabilities?
Password Must be 8 - 20 characters. Must include at least one lower-case letter and one number. No symbols may be used. Cannot be one of six previous passwords.
Look forward to your thoughts.
Thanks in advance.
Regards
Pooja Nahata
From: Mallory van Achterberg
Date: Tue, Oct 28 2014 3:22AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
On Mon, Oct 27, 2014 at 08:54:10PM +0000, = EMAIL ADDRESS REMOVED = wrote:
> Password Must be 8 - 20 characters. Must include at least one lower-case letter and one number. No symbols may be used. Cannot be one of six previous passwords.
>
Might be. In general, people understand examples better than text
descriptions, so along with your text description, an example
password (with each point maybe drawn with an arrow to it) would
help more people.
Nielsen has suggested that the hiding of passwords is a UX anti-pattern
and so you may possibly want to consider not using the type="password",
if that's an option. Typing on a keyboard while keeping a bunch of
rules straight in your head and then not being able to see what you've
typed is really hard, even without cognitive disability.
Also, adding a dynamic JavaScript hint near the input may also help.
For example, listening for the oninput event, check the string and
see if it's missing one of the demands, like a special character or
something uppercase, and suggest it. I've never done this, but I like
the idea, similar to the dynamic password-strength "meters" some forms
use, except more specific.
_mallory
From: Jonathan Avila
Date: Tue, Oct 28 2014 5:44AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
> along with your text description, an example password
I was thinking the same thing. Perhaps though the system should reject the example password as not acceptable as people may be inclined to just use that.
Jonathan
From: Pooja.Nahata
Date: Tue, Oct 28 2014 1:47PM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
Thanks Jonathan and Mallory for your inputs.
One more thought - WCAG 2.0 doesn't have any S.C that relates to how password rules should be set, WCAG guides more on the implementation side.
Regards
Pooja Nahata
From: Birkir R. Gunnarsson
Date: Wed, Oct 29 2014 6:31AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
I think password hiding is important, so passwords should be hidden by default.
However it would be a great UX improvement to offer users the chance
at seeing their passwords as they type them (provide a "see my
password as I type" button or checkbox next to the password field).
I have seen graphics depicting the password strength that are
populated as you type.
You could have bullets such as
"password is at least 8 characters" that could change shape/color/alt
text as the password reaches its desired length
Another for "password must have one non-alphanumeric character"
etc.
You, of course, are unable to test if password is one of user's
previous passwords, but if these graphics can help the user realize
what conditions he has met and which are still left.
Also informative error messages can help here.
I have sometimes wanted to have something like this as a user, though
one must take care to make them accessible whilst not overly verbose.
I am not saying one has to do this, and not doing it would be a WCAG
violation. The relevant success criterion is 3.3.2 (labels or
instructions), or if these clues are given using color or graphics
they must meet 1.4.1/1.1.1.
But 3.3.2 S.C. does not require you to go to these lengths to help
users, it is just good user design.
Cheers
-Birkir
On 10/28/14, = EMAIL ADDRESS REMOVED = < = EMAIL ADDRESS REMOVED = > wrote:
> Thanks Jonathan and Mallory for your inputs.
>
> One more thought - WCAG 2.0 doesn't have any S.C that relates to how
> password rules should be set, WCAG guides more on the implementation side.
>
> Regards
> Pooja Nahata
>
>
>
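Added example, not part of any post in this thread: a sketch of the per-rule hint Mallory and Birkir describe, applied to the policy from the original question and including Jonathan's suggestion that the displayed example password be rejected. `EXAMPLE_PASSWORD` and the element ids are hypothetical, and "no symbols" is assumed to mean ASCII letters and digits only.

```javascript
// Added example; EXAMPLE_PASSWORD and all element ids are hypothetical.
const EXAMPLE_PASSWORD = "bluekettle42"; // constructed sample shown beside the field

// Rules from the policy quoted in the thread. "No symbols" is assumed to mean
// ASCII letters and digits only. The "six previous passwords" rule needs the
// server's password history, so it is not checked here.
const RULES = [
  { id: "length", label: "8 to 20 characters",
    test: (pw) => pw.length >= 8 && pw.length <= 20 },
  { id: "lower", label: "At least one lower-case letter",
    test: (pw) => /[a-z]/.test(pw) },
  { id: "digit", label: "At least one number",
    test: (pw) => /[0-9]/.test(pw) },
  { id: "nosymbol", label: "Letters and numbers only (no symbols)",
    test: (pw) => /^[A-Za-z0-9]+$/.test(pw) },
  { id: "notexample", label: "Not the example password",
    test: (pw) => pw.toLowerCase() !== EXAMPLE_PASSWORD.toLowerCase() },
];

// Evaluate every rule so the page can show which are met and which remain.
function checkPasswordRules(password) {
  return RULES.map(({ id, label, test }) => ({ id, label, met: test(password) }));
}

// One sentence suitable for a status region read by assistive technology.
function unmetSummary(password) {
  const unmet = checkPasswordRules(password).filter((r) => !r.met);
  return unmet.length === 0
    ? "All rules that can be checked here are met."
    : "Still needed: " + unmet.map((r) => r.label).join("; ") + ".";
}

// Browser wiring (skipped outside a browser). Each rule's state is written as
// text, not color alone, so the hint does not depend on seeing the color.
if (typeof document !== "undefined") {
  const field = document.getElementById("new-password");
  const status = document.getElementById("password-status");
  if (field && status) {
    field.addEventListener("input", () => {
      for (const r of checkPasswordRules(field.value)) {
        const item = document.getElementById("rule-" + r.id);
        if (item) item.textContent = (r.met ? "Met: " : "Not met: ") + r.label;
      }
      status.textContent = unmetSummary(field.value);
    });
  }
}
```

The hint is guidance for the person typing; the server still has to enforce every rule, including the previous-passwords check that cannot be done in the page.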
From: Patrick H. Lauke
Date: Wed, Oct 29 2014 7:44AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
On 29/10/2014 12:31, Birkir R. Gunnarsson wrote:
> I think password hiding is important, so passwords should be hidden by default.
Actually, not quite sure if that's true (anymore).
See for instance Luke Wroblewski's thoughts on this back in 2012
http://www.lukew.com/ff/entry.asp?1653 - and since then, a lot of
sites/apps seem to have gone that way too (showing by default, with
option to hide if needed).
P
--
Patrick H. Lauke
www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke
From: Mallory van Achterberg
Date: Wed, Oct 29 2014 8:17AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
On Wed, Oct 29, 2014 at 01:44:42PM +0000, Patrick H. Lauke wrote:
> On 29/10/2014 12:31, Birkir R. Gunnarsson wrote:
> >I think password hiding is important, so passwords should be hidden by default.
>
> Actually, not quite sure if that's true (anymore).
>
> See for instance Luke Wroblewski's thoughts on this back in 2012
> http://www.lukew.com/ff/entry.asp?1653 - and since then, a lot of
> sites/apps seem to have gone that way too (showing by default, with
> option to hide if needed).
I also hate hearing "star star star star" when testing new services.
The best that gives me is how many characters I've typed actually made
it to the screen, nothing more. (I'm not blind.)
Although, I had forgotten about the options to show, as seen on my
network-manager's network popup, or I believe one of the Internet
Explorers actually adds an icon (which doesn't seem focusable but it
can be clicked with a mouse) of an eye that I think does similar.
I'd be okay with input type="password" if it added a separate control
to hide/show, but I generally hate the default setup of things. More
often than not, I mistyped one of the two (I don't copy and paste
between two password fields because of this fear), and hope I don't make
the same mistype twice. Meanwhile, I'm more likely to have a keylogger
or wifi sniffer at my machine than someone is able to see my screen.
The threats have shifted.
_mallory
From: Greg Gamble
Date: Wed, Oct 29 2014 8:43AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
"Nielsen has suggested that the hiding of passwords is a UX anti-pattern and so you may possibly want to consider not using the type="password", if that's an option. Typing on a keyboard while keeping a bunch of rules straight in your head and then not being able to see what you've typed is really hard, even without cognitive disability."
I totally agree that the "password" type should not be used ... it's so ingrained in how we deal with passwords, that the mention of showing a clear text password is almost sacrilegious.
Greg
From: Clark, Michelle - NRCS, Washington, DC
Date: Wed, Oct 29 2014 8:47AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
It's difficult if one is blind as well as one does not know if there has been an error in typing.
Michelle
From: Jonathan Avila
Date: Wed, Oct 29 2014 9:26AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
> The best that gives me is how many characters I've typed actually made it to the screen, nothing more. (I'm not blind.)
I've even seen some password fields that obfuscate the number of characters entered by seemingly multiplying/randomizing the number of stars in the field so you might not even be able to tell how many characters were entered.
Jon
From: Jonathan Avila
Date: Wed, Oct 29 2014 9:34AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
> I think password hiding is important, so passwords should be hidden by default.
I agree. On mobile devices and especially in public situations where a person who is blind might have their password stolen it is very important to have the password hidden by default.
Jonathan
From: Greg Gamble
Date: Wed, Oct 29 2014 9:44AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
"
I agree. On mobile devices and especially in public situations where a person who is blind might have their password stolen it is very important to have the password hidden by default.
"
Jonathan ... Not trying to argue, but why? What is your reasoning ???
Do you really think someone will be looking over someone's shoulder to steal a password, without being caught ... even with a blind individual, who is probably more aware of their near surroundings than sighted people.
Again, not trying to be argumentative, just looking for your reasoning on it :-)
Greg
From: John Hicks
Date: Wed, Oct 29 2014 9:45AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
2014-10-29 16:34 GMT+01:00 Jonathan Avila < = EMAIL ADDRESS REMOVED = >:
> > I think password hiding is important, so passwords should be hidden by
> default.
>
> I agree. On mobile devices and especially in public situations where a
> person who is blind might have their password stolen it is very important
> to have the password hidden by default.
>
Assuming that they are using headphones .... otherwise he or she is hiding
nothing anyway.
This is an interesting discussion.
It would be good to know what the statistics were on password renewals.
What percentage of passwords are renewed, and with what frequency, by mail
authentication. How many passwords do people really remember? Surely
we remember the ones that have sense for us (and these can be composed and
changed regularly).
When the initial question was asked about cognitive disabilities and
passwords, was it more about long-term retention of many unique
passwords, or simply the complexity of any one set of password rules?
From: Pooja.Nahata
Date: Wed, Oct 29 2014 9:55AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
John,
The original question that I put up was on the aspect of the password rules and its impact on WCAG compliance. What I understand so far from the discussions is that it's the implementation of the password rules that will impact WCAG and not the rules themselves.
Regards
Pooja Nahata
From: Jonathan Avila
Date: Wed, Oct 29 2014 10:17AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
> The original question that I put up was on the aspect of the password rules and its impact on WCAG compliance.
You may want to check out the cognitive and learning disabilities task force at the WAI
http://www.w3.org/WAI/PF/cognitive-a11y-tf/
and their wiki which does have some discussion about passwords -- just search for password.
http://www.w3.org/WAI/PF/cognitive-a11y-tf/wiki/
Jonathan
From: Murray Inman (DZZEX54291)
Date: Wed, Oct 29 2014 12:04PM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
Just to add in another consideration to the mix, I think it would be
important to recognize the ramifications of changing the password field
type. It could affect those users that regularly use password tools to
create and track their passwords (e.g. LastPass, Dashlane, Keepass, etc).
*Murray Inman*
System Applications Analyst / Information Services
Tel: 480-517-8610 | Fax: 480-377-4817 | = EMAIL ADDRESS REMOVED =
2323 W. 14th Street Tempe, AZ 85281 | www.riosalado.edu
On Wed, Oct 29, 2014 at 9:17 AM, Jonathan Avila < = EMAIL ADDRESS REMOVED = >
wrote:
> > The original question that I put up was on the aspect of the password
> rules and its impact on WCAG compliance.
>
> You may want to check out the cognitive and learning disabilities task
> force at the WAI
> http://www.w3.org/WAI/PF/cognitive-a11y-tf/
>
> and their wiki which does have some discussion about passwords -- just
> search for password.
>
> http://www.w3.org/WAI/PF/cognitive-a11y-tf/wiki/
>
>
> Jonathan
>
>
>
From: Tim Harshbarger
Date: Wed, Oct 29 2014 1:00PM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities
Actually, that is one method that is used for stealing private data. It is called shoulder surfing. Typically, it is the type of approach that can be employed in crowded environments where it is more difficult to tell if any specific person might be doing it. I also gather that there are times when optical aids (like binoculars) can be used so that the observer can be further away from his or her target.
Thanks!
Tim