WebAIM - Web Accessibility In Mind

E-mail List Archives

Thread: Password Rules - Impact on Users with Cognitive Disabilities

Number of posts in this thread: 17 (In chronological order)

From: Pooja.Nahata@cognizant.com
Date: Mon, Oct 27 2014 2:54PM
Subject: Password Rules - Impact on Users with Cognitive Disabilities

Hello All,

Does anyone have experience with password rules which might impact the digital experience for users with cognitive disabilities?

For example, would the following password rule be too onerous and difficult to remember for users with cognitive disabilities?

Password Must be 8 - 20 characters. Must include at least one lower-case letter and one number. No symbols may be used. Cannot be one of six previous passwords.

Look forward to your thoughts.

Thanks in advance.

Regards
Pooja Nahata

This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.

From: Mallory van Achterberg
Date: Tue, Oct 28 2014 3:22AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

On Mon, Oct 27, 2014 at 08:54:10PM +0000, = EMAIL ADDRESS REMOVED = wrote:
> Password Must be 8 - 20 characters. Must include at least one lower-case letter and one number. No symbols may be used. Cannot be one of six previous passwords.
>
Might be. In general, people understand examples better than text
descriptions, so along with your text description, an example
password (with each point maybe drawn with an arrow to it) would
help more people.

Nielsen has suggested that the hiding of passwords is a UX anti-pattern
and so you may possibly want to consider not using the type="password",
if that's an option. Typing on a keyboard while keeping a bunch of
rules straight in your head and then not being able to see what you've
typed is really hard, even without cognitive disability.

Also, adding a dynamic JavaScript hint near the input may also help.
For example, listening for the oninput event, check the string and
see if it's missing one of the demands, like a special character or
something uppercase, and suggest it. I've never done this, but I like
the idea, similar to the dynamic password-strength "meters" some forms
use, except more specific.

_mallory

From: Jonathan Avila
Date: Tue, Oct 28 2014 5:44AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

> along with your text description, an example password

I was thinking the same thing. Perhaps though the system should reject the example password as not acceptable as people may be inclined to just use that.

Jonathan


From: Pooja.Nahata@cognizant.com
Date: Tue, Oct 28 2014 1:47PM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

Thanks Jonathan and Mallory for your inputs.

One more thought - WCAG 2.0 doesn't have any S.C that relates to how password rules should be set, WCAG guides more on the implementation side.

Regards
Pooja Nahata



From: Birkir R. Gunnarsson
Date: Wed, Oct 29 2014 6:31AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

I think password hiding is important, so passwords should be hidden by default.
However it would be a great UX improvement to offer users the chance
at seeing their passwords as they type them (provide a "see my
password as I type" button or checkbox next to the password field).
I have seen graphics depicting the password strength that are
populated as you type.
You could have bullets such as
"password is at least 8 characters" that could change shape/color/alt
text as the password reaches its desired length
Another for "password must have one non-alphanumeric character"
etc.
You, of course, are unable to test if password is one of user's
previous passwords, but if these graphics can help the user realize
what conditions he has met and which are still left.
Also informative error messages can help here.
I have sometimes wanted to have something like this as a user, though
one must take care to make them accessible whilst not overly verbose.
I am not saying one has to do this, and not doing it would be a WCAG
violation. The relevant success criterion is 3.3.2 (labels or
instructions), or if these clues are given using color or graphics
they must meet 1.4.1/1.1.1.
But 3.3.2 S.C. does not require you to go to these lengths to help
users, it is just good user design.

Cheers
-Birkir



--
Work hard. Have fun. Make history.
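
An added example, not code from any poster in this thread: one way to build the per-rule feedback suggested above (hints on the input event, one status per rule, and rejecting the example password) for the rule quoted in the first message. The element ids, the sample passwords, and the reading of "symbol" as any character other than an ASCII letter or digit are assumptions.

```javascript
// Added example: per-rule feedback for the password rule quoted in this thread.
// Assumptions (not from the thread): "symbol" means any character other than an
// ASCII letter or digit; element ids and sample passwords are constructed.

const RULES = [
  { id: "length", text: "8 to 20 characters",
    met: (pw) => pw.length >= 8 && pw.length <= 20 },
  { id: "lowercase", text: "at least one lower-case letter",
    met: (pw) => /[a-z]/.test(pw) },
  { id: "number", text: "at least one number",
    met: (pw) => /[0-9]/.test(pw) },
  { id: "no-symbols", text: "letters and numbers only, no symbols",
    met: (pw) => /^[A-Za-z0-9]*$/.test(pw) },
];

// One entry per rule, so a UI can render a checklist whose items change
// state (and text alternative) as each condition is met.
function checkPassword(pw, examplePassword) {
  const results = RULES.map((r) => ({ id: r.id, text: r.text, met: r.met(pw) }));
  if (examplePassword) {
    // If the instructions show an example password, refuse it (in any
    // letter case) so nobody simply copies it.
    results.push({
      id: "not-example",
      text: "different from the example password in the instructions",
      met: pw.toLowerCase() !== examplePassword.toLowerCase(),
    });
  }
  return results;
}

function unmetRuleIds(pw, examplePassword) {
  return checkPassword(pw, examplePassword)
    .filter((r) => !r.met)
    .map((r) => r.id);
}

// Text for a status region. The "six previous passwords" rule cannot be
// evaluated in the browser, so the message says when it is checked.
function hintMessage(pw, examplePassword) {
  const missing = checkPassword(pw, examplePassword).filter((r) => !r.met);
  if (missing.length === 0) {
    return "All rules checked here are met. " +
      "Reuse of a previous password is checked when you submit.";
  }
  return "Still needed: " + missing.map((r) => r.text).join("; ") + ".";
}

// The check runs locally on every input event; the typed value is never
// logged or sent anywhere. The server must repeat every check on submit,
// because client-side feedback is advisory only.
function attachHints(input, status, examplePassword) {
  input.addEventListener("input", () => {
    status.textContent = hintMessage(input.value, examplePassword);
  });
}

// Browser wiring. Assumes markup such as
//   <input id="new-password" type="password" aria-describedby="new-password-hints">
//   <p id="new-password-hints" aria-live="polite"></p>
if (typeof document !== "undefined") {
  const input = document.getElementById("new-password");
  const status = document.getElementById("new-password-hints");
  if (input && status) attachHints(input, status, "river7stone");
}
```
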

From: Patrick H. Lauke
Date: Wed, Oct 29 2014 7:44AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

On 29/10/2014 12:31, Birkir R. Gunnarsson wrote:
> I think password hiding is important, so passwords should be hidden by default.

Actually, not quite sure if that's true (anymore).

See for instance Luke Wroblewski's thoughts on this back in 2012
http://www.lukew.com/ff/entry.asp?1653 - and since then, a lot of
sites/apps seem to have gone that way too (showing by default, with
option to hide if needed).

P
--
Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke

From: Mallory van Achterberg
Date: Wed, Oct 29 2014 8:17AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

On Wed, Oct 29, 2014 at 01:44:42PM +0000, Patrick H. Lauke wrote:
> On 29/10/2014 12:31, Birkir R. Gunnarsson wrote:
> >I think password hiding is important, so passwords should be hidden by default.
>
> Actually, not quite sure if that's true (anymore).
>
> See for instance Luke Wroblewski's thoughts on this back in 2012
> http://www.lukew.com/ff/entry.asp?1653 - and since then, a lot of
> sites/apps seem to have gone that way too (showing by default, with
> option to hide if needed).

I also hate hearing "star star star star" when testing new services.
The best that gives me is how many characters I've typed actually made
it to the screen, nothing more. (I'm not blind.)

Although, I had forgotten about the options to show, as seen on my
network-manager's network popup, or I believe one of the Internet
Explorers actually adds an icon (which doesn't seem focusable but it
can be clicked with a mouse) of an eye that I think does similar.

I'd be okay with input type="password" if it added a separate control
to hide/show, but I generally hate the default setup of things. More
often than not, I mistyped one of the two (I don't copy and paste
between two password fields because of this fear), and hope I don't make
the same mistype twice. Meanwhile, I'm more likely to have a keylogger
or wifi sniffer at my machine than someone is able to see my screen.
The threats have shifted.

_mallory

From: Greg Gamble
Date: Wed, Oct 29 2014 8:43AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

"Nielsen has suggested that the hiding of passwords is a UX anti-pattern and so you may possibly want to consider not using the type="password", if that's an option. Typing on a keyboard while keeping a bunch of rules straight in your head and then not being able to see what you've typed is really hard, even without cognitive disability."

I totally agree that the "password" type should not be used ... it's so ingrained in how we deal with passwords, that the mention of showing a clear text password is almost sacrilegious.

Greg


From: Clark, Michelle - NRCS, Washington, DC
Date: Wed, Oct 29 2014 8:47AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

It's difficult if one is blind as well as one does not know if there has been an error in typing.

Michelle


This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

From: Jonathan Avila
Date: Wed, Oct 29 2014 9:26AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

> The best that gives me is how many characters I've typed actually made it to the screen, nothing more. (I'm not blind.)

I've even seen some password fields that obfuscate the number of characters entered by seemingly multiplying/randomizing the number of stars in the field so you might not even be able to tell how many characters were entered.

Jon


From: Jonathan Avila
Date: Wed, Oct 29 2014 9:34AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

> I think password hiding is important, so passwords should be hidden by default.

I agree. On mobile devices and especially in public situations where a person who is blind might have their password stolen it is very important to have the password hidden by default.

Jonathan


From: Greg Gamble
Date: Wed, Oct 29 2014 9:44AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

"
I agree. On mobile devices and especially in public situations where a person who is blind might have their password stolen it is very important to have the password hidden by default.
"

Jonathan ... Not trying to argue, but why? What is your reasoning ???

Do you really think someone will be looking over someone's shoulder to steal a password, without being caught ... even with a blind individual, who is probably more aware of their near surroundings than sighted people.

Again, not trying to be argumentative, just looking for your reasoning on it :-)

Greg



From: John Hicks
Date: Wed, Oct 29 2014 9:45AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

2014-10-29 16:34 GMT+01:00 Jonathan Avila < = EMAIL ADDRESS REMOVED = >:

> > I think password hiding is important, so passwords should be hidden by default.
>
> I agree. On mobile devices and especially in public situations where a
> person who is blind might have their password stolen it is very important
> to have the password hidden by default.
>

Assuming that they are using headphones .... otherwise he or she is hiding
nothing anyway.

This is an interesting discussion.

It would be good to know what the statistics were on password renewals.
What percentage of passwords are renewed, and with what frequency, by mail
authentication. How many passwords do people really remember? Surely
we remember the ones that have sense for us (and these can be composed and
changed regularly).

When the initial question was asked about cognitive disabilities and
passwords, was it more about long-term retention of many unique
passwords, or simply the complexity of any one set of password rules?

From: Pooja.Nahata@cognizant.com
Date: Wed, Oct 29 2014 9:55AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

John,

The original question that I put up was on the aspect of the password rules and its impact on WCAG compliance. What I understand so far from the discussions is that it's the implementation of the password rules that will impact WCAG and not the rules themselves.

Regards
Pooja Nahata




From: Jonathan Avila
Date: Wed, Oct 29 2014 10:17AM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

> The original question that I put up was on the aspect of the password rules and its impact on WCAG compliance.

You may want to check out the cognitive and learning disabilities task force at the WAI
http://www.w3.org/WAI/PF/cognitive-a11y-tf/

and their wiki which does have some discussion about passwords -- just search for password.

http://www.w3.org/WAI/PF/cognitive-a11y-tf/wiki/


Jonathan



From: Murray Inman (DZZEX54291)
Date: Wed, Oct 29 2014 12:04PM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

Just to add in another consideration to the mix, I think it would be
important to recognize the ramifications of changing the password field
type. It could affect those users that regularly use password tools to
create and track their passwords (e.g. LastPass, Dashlane, Keepass, etc).

*Murray Inman*
System Applications Analyst / Information Services
Tel: 480-517-8610 | Fax: 480-377-4817 | = EMAIL ADDRESS REMOVED =
2323 W. 14th Street Tempe, AZ 85281 | www.riosalado.edu
------------------------------
A Maricopa Community College

On Wed, Oct 29, 2014 at 9:17 AM, Jonathan Avila < = EMAIL ADDRESS REMOVED = >
wrote:

> > The original question that I put up was on the aspect of the password
> > rules and its impact on WCAG compliance.
>
> You may want to check out the cognitive and learning disabilities task
> force at the WAI
> http://www.w3.org/WAI/PF/cognitive-a11y-tf/
>
> and their wiki which does have some discussion about passwords -- just
> search for password.
>
> http://www.w3.org/WAI/PF/cognitive-a11y-tf/wiki/
>
>
> Jonathan
>
>
> -----Original Message-----
> From: = EMAIL ADDRESS REMOVED = [mailto:
> = EMAIL ADDRESS REMOVED = ] On Behalf Of
> = EMAIL ADDRESS REMOVED =
> Sent: Wednesday, October 29, 2014 11:55 AM
> To: = EMAIL ADDRESS REMOVED =
> Subject: Re: [WebAIM] Password Rules - Impact on Users with Cognitive
> Disabilities
>
> John,
>
> The original question that I put up was on the aspect of the password
> rules and its impact on WCAG compliance. What I understand so far from the
> discussions is that it's the implementation of the password rules that will
> impact WCAG and not the rules themselves.
>
> Regards
> Pooja Nahata
>
>
>
> -----Original Message-----
> From: = EMAIL ADDRESS REMOVED = [mailto:
> = EMAIL ADDRESS REMOVED = ] On Behalf Of John Hicks
> Sent: Wednesday, October 29, 2014 10:46 AM
> To: WebAIM Discussion List
> Subject: Re: [WebAIM] Password Rules - Impact on Users with Cognitive
> Disabilities
>
> 2014-10-29 16:34 GMT+01:00 Jonathan Avila < = EMAIL ADDRESS REMOVED = >:
>
> > > I think password hiding is important, so passwords should be hidden
> > > by default.
> >
> > I agree. On mobile devices and especially in public situations where
> > a person who is blind might have their password stolen it is very
> > important to have the password hidden by default.
> >
>
> Assuming that they are using headphones .... otherwise he or she is
> hiding nothing anyway.
>
> This is an interesting discussion.
>
> It would be good to know what the statistics were on password renewals.
> What percentage of passwords are renewed, and with what frequency, by mail
> authentication. How many passwords do people really remember? Surely
> we remember the ones that have sense for us (and these can be composed and
> changed regularly).
>
> When the initial question was asked about cognitive disabilities and
> passwords, was it more about long-term retention of many unique
> passwords, or simply the complexity of any one set of password rules?

From: Tim Harshbarger
Date: Wed, Oct 29 2014 1:00PM
Subject: Re: Password Rules - Impact on Users with Cognitive Disabilities

Actually, that is one method that is used for stealing private data. It is called shoulder surfing. Typically, it is the type of approach that can be employed in crowded environments where it is more difficult to tell if any specific person might be doing it. I also gather that there are times when optical aids (like binoculars) can be used so that the observer can be further away from his or her target.

Thanks!
Tim

-----Original Message-----
From: = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Greg Gamble
Sent: Wednesday, October 29, 2014 10:45 AM
To: WebAIM Discussion List
Subject: Re: [WebAIM] Password Rules - Impact on Users with Cognitive Disabilities

"I agree. On mobile devices and especially in public situations where a person who is blind might have their password stolen it is very important to have the password hidden by default."

Jonathan ... Not trying to argue, but why? What is your reasoning ???

Do you really think someone will be looking over someone's shoulder to steal a password, without being caught ... even with a blind individual, who is probably more aware of their near surroundings than sighted people.

Again, not trying to be argumentative, just looking for your reasoning on it :-)

Greg


-----Original Message-----
From: = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Jonathan Avila
Sent: Wednesday, October 29, 2014 8:34 AM
To: WebAIM Discussion List
Subject: Re: [WebAIM] Password Rules - Impact on Users with Cognitive Disabilities

> I think password hiding is important, so passwords should be hidden by default.

I agree. On mobile devices and especially in public situations where a person who is blind might have their password stolen it is very important to have the password hidden by default.

Jonathan

-----Original Message-----
From: = EMAIL ADDRESS REMOVED = [mailto: = EMAIL ADDRESS REMOVED = ] On Behalf Of Patrick H. Lauke
Sent: Wednesday, October 29, 2014 9:45 AM
To: = EMAIL ADDRESS REMOVED =
Subject: Re: [WebAIM] Password Rules - Impact on Users with Cognitive Disabilities

On 29/10/2014 12:31, Birkir R. Gunnarsson wrote:
> I think password hiding is important, so passwords should be hidden by default.

Actually, not quite sure if that's true (anymore).

See for instance Luke Wroblewski's thoughts on this back in 2012
http://www.lukew.com/ff/entry.asp?1653 - and since then, a lot of sites/apps seem to have gone that way too (showing by default, with option to hide if needed).

P
--
Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke