E-mail List Archives

Search E-mail List Archives for

Number of posts in this thread: 7 (In chronological order)

From: Birkir R. Gunnarsson
Date: Wed, Jul 03 2019 8:51AM
Subject: How fast do puff and sip device users type?
No previous message | Next message →

We hav a functionality that lets users see the password they are typing.
For security reasons we automatically mask the password again after a
period of inactivity (the masking is done from the server side so we
cannotdetect individual keystrokes).
The question is, how long should we give a user to type the password
before we auto mask it again (password has to be at least 8 characters
long and must have at least one uppercase, one lower case and one
non-alphanumeric character).

Finally, users can request to re display the password if masking is activated.

This is definitely a luxury problem compared to most accessibility
inquiries, but it's always fun to get questions that you don't
necessarily hav ready answers for.

Cheers
-B


--
Work hard. Have fun. Make history.

From: Mark Magennis
Date: Wed, Jul 03 2019 9:22AM
Subject: Re: [EXTERNAL] How fast do puff and sip device users type?
← Previous message | Next message →

The exception period under SC2.2.1 is 20 hours 😊

Mark Magennis
Skillsoft | mobile: +353 87 60 60 162
Accessibility Specialist


-----Original Message-----
From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > On Behalf Of Birkir R. Gunnarsson
Sent: 03 July 2019 15:51
To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
Subject: [EXTERNAL] [WebAIM] How fast do puff and sip device users type?

We hav a functionality that lets users see the password they are typing.
For security reasons we automatically mask the password again after a
period of inactivity (the masking is done from the server side so we
cannotdetect individual keystrokes).
The question is, how long should we give a user to type the password
before we auto mask it again (password has to be at least 8 characters
long and must have at least one uppercase, one lower case and one
non-alphanumeric character).

Finally, users can request to re display the password if masking is activated.

This is definitely a luxury problem compared to most accessibility
inquiries, but it's always fun to get questions that you don't
necessarily hav ready answers for.

Cheers
-B


--
Work hard. Have fun. Make history.

From: Birkir R. Gunnarsson
Date: Wed, Jul 03 2019 11:16AM
Subject: Re: [EXTERNAL] How fast do puff and sip device users type?
← Previous message | Next message →

Lol, not when there are other considerations, such as security, and
ths is an online banking platform, our security folks would get me
trownin jail if I proposed that.



On 7/3/19, Mark Magennis < = EMAIL ADDRESS REMOVED = > wrote:
> The exception period under SC2.2.1 is 20 hours 😊
>
> Mark Magennis
> Skillsoft | mobile: +353 87 60 60 162
> Accessibility Specialist
>
>
> -----Original Message-----
> From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > On Behalf Of
> Birkir R. Gunnarsson
> Sent: 03 July 2019 15:51
> To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
> Subject: [EXTERNAL] [WebAIM] How fast do puff and sip device users type?
>
> We hav a functionality that lets users see the password they are typing.
> For security reasons we automatically mask the password again after a
> period of inactivity (the masking is done from the server side so we
> cannotdetect individual keystrokes).
> The question is, how long should we give a user to type the password
> before we auto mask it again (password has to be at least 8 characters
> long and must have at least one uppercase, one lower case and one
> non-alphanumeric character).
>
> Finally, users can request to re display the password if masking is
> activated.
>
> This is definitely a luxury problem compared to most accessibility
> inquiries, but it's always fun to get questions that you don't
> necessarily hav ready answers for.
>
> Cheers
> -B
>
>
> --
> Work hard. Have fun. Make history.
> > > > > > > > >


--
Work hard. Have fun. Make history.

From: John Foliot
Date: Wed, Jul 03 2019 11:41AM
Subject: Re: [EXTERNAL] How fast do puff and sip device users type?
← Previous message | Next message →

Hi Birkir,

You initially posed this question in relationship to content input via sip
and puff. While I am unaware of any specific studies around minimal times
needed, the problem statement impacts more than just that specific
user-group or specific input type (i.e. a user with a mouth-stick will
likely need a similar amount of time to react).

Some questions: does the masking impact the whole text string, or just the
most recent character inputted? In a perfect world, I'd envision a masking
where the last letter/character typed is visible, and as soon as you input
a second (or next) character, than the previous character is auto-magically
masked. However, you also noted that this is a server-side function that is
not detecting key-strokes, so...)

As for "how long"? I'd (personally, and with no hard metric to base this
on) likely suggest roughly 2 seconds per character, so an 8 character
string would be roughly 15 or 16 seconds. You noted as well that they can
"unmask" the password (during, or only after?), and if possible I'd also
provide a check-box function that automatically turns off or "shows" the
password in plain text for the duration - I've seen this more than once in
the wild. That's a user choice setting that can (would) default to the
traditional hidden password string, but still gives the end user the final
decision.

My $0.05 Cdn.

JF

On Wed, Jul 3, 2019 at 12:17 PM Birkir R. Gunnarsson <
= EMAIL ADDRESS REMOVED = > wrote:

> Lol, not when there are other considerations, such as security, and
> ths is an online banking platform, our security folks would get me
> trownin jail if I proposed that.
>
>
>
> On 7/3/19, Mark Magennis < = EMAIL ADDRESS REMOVED = > wrote:
> > The exception period under SC2.2.1 is 20 hours 😊
> >
> > Mark Magennis
> > Skillsoft | mobile: +353 87 60 60 162
> > Accessibility Specialist
> >
> >
> > -----Original Message-----
> > From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > On Behalf Of
> > Birkir R. Gunnarsson
> > Sent: 03 July 2019 15:51
> > To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
> > Subject: [EXTERNAL] [WebAIM] How fast do puff and sip device users type?
> >
> > We hav a functionality that lets users see the password they are typing.
> > For security reasons we automatically mask the password again after a
> > period of inactivity (the masking is done from the server side so we
> > cannotdetect individual keystrokes).
> > The question is, how long should we give a user to type the password
> > before we auto mask it again (password has to be at least 8 characters
> > long and must have at least one uppercase, one lower case and one
> > non-alphanumeric character).
> >
> > Finally, users can request to re display the password if masking is
> > activated.
> >
> > This is definitely a luxury problem compared to most accessibility
> > inquiries, but it's always fun to get questions that you don't
> > necessarily hav ready answers for.
> >
> > Cheers
> > -B
> >
> >
> > --
> > Work hard. Have fun. Make history.
> > > > > > > > > > > > > > > > > >
>
>
> --
> Work hard. Have fun. Make history.
> > > > >


--
*​John Foliot* | Principal Accessibility Strategist | W3C AC Representative
Deque Systems - Accessibility for Good
deque.com

From: Birkir R. Gunnarsson
Date: Wed, Jul 03 2019 12:23PM
Subject: Re: [EXTERNAL] How fast do puff and sip device users type?
← Previous message | Next message →

Good input
I mentioned zip and puff devices specifically because I consider them
the slowest method of input, which is at best an educated guess.
I did a test using the slowest method availbale to me personally,
using a touchscreen keyboard to type a 12 character password that
required all 3 keyboards (characters, numbers and symbols) and barely
cracked the 90 seconds(I am a pretty awful touch typer).

I am going to recommend 90 seconds as a starting point.
We've discussed the checkbox solution but our security people still
want automated masking after a certain period of inactivity,because
they are security people and must be appeased.

And the solution is server side so we can't listen for oninput events
(which I would've prefered). ;)
I think I can't get away with much more than 90 seconds, but I hope
that will cover most usres in most situations.
Worst case scenario, the user can choose to re-display the password,
at least that's my understanding (this is still just a prototype and
has not been fed thorugh the grinder of other business and technical
restrictions).

Thanks
-Birkir


On 7/3/19, John Foliot < = EMAIL ADDRESS REMOVED = > wrote:
> Hi Birkir,
>
> You initially posed this question in relationship to content input via sip
> and puff. While I am unaware of any specific studies around minimal times
> needed, the problem statement impacts more than just that specific
> user-group or specific input type (i.e. a user with a mouth-stick will
> likely need a similar amount of time to react).
>
> Some questions: does the masking impact the whole text string, or just the
> most recent character inputted? In a perfect world, I'd envision a masking
> where the last letter/character typed is visible, and as soon as you input
> a second (or next) character, than the previous character is auto-magically
> masked. However, you also noted that this is a server-side function that is
> not detecting key-strokes, so...)
>
> As for "how long"? I'd (personally, and with no hard metric to base this
> on) likely suggest roughly 2 seconds per character, so an 8 character
> string would be roughly 15 or 16 seconds. You noted as well that they can
> "unmask" the password (during, or only after?), and if possible I'd also
> provide a check-box function that automatically turns off or "shows" the
> password in plain text for the duration - I've seen this more than once in
> the wild. That's a user choice setting that can (would) default to the
> traditional hidden password string, but still gives the end user the final
> decision.
>
> My $0.05 Cdn.
>
> JF
>
> On Wed, Jul 3, 2019 at 12:17 PM Birkir R. Gunnarsson <
> = EMAIL ADDRESS REMOVED = > wrote:
>
>> Lol, not when there are other considerations, such as security, and
>> ths is an online banking platform, our security folks would get me
>> trownin jail if I proposed that.
>>
>>
>>
>> On 7/3/19, Mark Magennis < = EMAIL ADDRESS REMOVED = > wrote:
>> > The exception period under SC2.2.1 is 20 hours 😊
>> >
>> > Mark Magennis
>> > Skillsoft | mobile: +353 87 60 60 162
>> > Accessibility Specialist
>> >
>> >
>> > -----Original Message-----
>> > From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > On Behalf Of
>> > Birkir R. Gunnarsson
>> > Sent: 03 July 2019 15:51
>> > To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
>> > Subject: [EXTERNAL] [WebAIM] How fast do puff and sip device users type?
>> >
>> > We hav a functionality that lets users see the password they are
>> > typing.
>> > For security reasons we automatically mask the password again after a
>> > period of inactivity (the masking is done from the server side so we
>> > cannotdetect individual keystrokes).
>> > The question is, how long should we give a user to type the password
>> > before we auto mask it again (password has to be at least 8 characters
>> > long and must have at least one uppercase, one lower case and one
>> > non-alphanumeric character).
>> >
>> > Finally, users can request to re display the password if masking is
>> > activated.
>> >
>> > This is definitely a luxury problem compared to most accessibility
>> > inquiries, but it's always fun to get questions that you don't
>> > necessarily hav ready answers for.
>> >
>> > Cheers
>> > -B
>> >
>> >
>> > --
>> > Work hard. Have fun. Make history.
>> > >> > >> > >> > >> > >> > >> > >> > >> >
>>
>>
>> --
>> Work hard. Have fun. Make history.
>> >> >> >> >>
>
>
> --
> *​John Foliot* | Principal Accessibility Strategist | W3C AC Representative
> Deque Systems - Accessibility for Good
> deque.com
> > > > >


--
Work hard. Have fun. Make history.

From: Mallory
Date: Thu, Jul 04 2019 1:18AM
Subject: Re: [EXTERNAL] How fast do puff and sip device users type?
← Previous message | Next message →

Is allowing the user total control over whether the mask is applied or not an option? I've always liked how it's an option in Edge browser (except it's pointer-only).

Then when they've got it on (and also when it's on by default), you could still show the most-recently-typed as John suggested.

My hardest time with password masking is when using Dragon (when attempting to actually dictate them instead of copy-pasting, which not all sites let you paste), followed by typing on my phone because my fingers know my passwords and my brain does not, meaning onscreen keyboards take very long due to brain.

cheers,
_mallory

On Wed, Jul 3, 2019, at 8:23 PM, Birkir R. Gunnarsson wrote:
> Good input
> I mentioned zip and puff devices specifically because I consider them
> the slowest method of input, which is at best an educated guess.
> I did a test using the slowest method availbale to me personally,
> using a touchscreen keyboard to type a 12 character password that
> required all 3 keyboards (characters, numbers and symbols) and barely
> cracked the 90 seconds(I am a pretty awful touch typer).
>
> I am going to recommend 90 seconds as a starting point.
> We've discussed the checkbox solution but our security people still
> want automated masking after a certain period of inactivity,because
> they are security people and must be appeased.
>
> And the solution is server side so we can't listen for oninput events
> (which I would've prefered). ;)
> I think I can't get away with much more than 90 seconds, but I hope
> that will cover most usres in most situations.
> Worst case scenario, the user can choose to re-display the password,
> at least that's my understanding (this is still just a prototype and
> has not been fed thorugh the grinder of other business and technical
> restrictions).
>
> Thanks
> -Birkir
>
>
> On 7/3/19, John Foliot < = EMAIL ADDRESS REMOVED = > wrote:
> > Hi Birkir,
> >
> > You initially posed this question in relationship to content input via sip
> > and puff. While I am unaware of any specific studies around minimal times
> > needed, the problem statement impacts more than just that specific
> > user-group or specific input type (i.e. a user with a mouth-stick will
> > likely need a similar amount of time to react).
> >
> > Some questions: does the masking impact the whole text string, or just the
> > most recent character inputted? In a perfect world, I'd envision a masking
> > where the last letter/character typed is visible, and as soon as you input
> > a second (or next) character, than the previous character is auto-magically
> > masked. However, you also noted that this is a server-side function that is
> > not detecting key-strokes, so...)
> >
> > As for "how long"? I'd (personally, and with no hard metric to base this
> > on) likely suggest roughly 2 seconds per character, so an 8 character
> > string would be roughly 15 or 16 seconds. You noted as well that they can
> > "unmask" the password (during, or only after?), and if possible I'd also
> > provide a check-box function that automatically turns off or "shows" the
> > password in plain text for the duration - I've seen this more than once in
> > the wild. That's a user choice setting that can (would) default to the
> > traditional hidden password string, but still gives the end user the final
> > decision.
> >
> > My $0.05 Cdn.
> >
> > JF
> >
> > On Wed, Jul 3, 2019 at 12:17 PM Birkir R. Gunnarsson <
> > = EMAIL ADDRESS REMOVED = > wrote:
> >
> >> Lol, not when there are other considerations, such as security, and
> >> ths is an online banking platform, our security folks would get me
> >> trownin jail if I proposed that.
> >>
> >>
> >>
> >> On 7/3/19, Mark Magennis < = EMAIL ADDRESS REMOVED = > wrote:
> >> > The exception period under SC2.2.1 is 20 hours 😊
> >> >
> >> > Mark Magennis
> >> > Skillsoft | mobile: +353 87 60 60 162
> >> > Accessibility Specialist
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > On Behalf Of
> >> > Birkir R. Gunnarsson
> >> > Sent: 03 July 2019 15:51
> >> > To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
> >> > Subject: [EXTERNAL] [WebAIM] How fast do puff and sip device users type?
> >> >
> >> > We hav a functionality that lets users see the password they are
> >> > typing.
> >> > For security reasons we automatically mask the password again after a
> >> > period of inactivity (the masking is done from the server side so we
> >> > cannotdetect individual keystrokes).
> >> > The question is, how long should we give a user to type the password
> >> > before we auto mask it again (password has to be at least 8 characters
> >> > long and must have at least one uppercase, one lower case and one
> >> > non-alphanumeric character).
> >> >
> >> > Finally, users can request to re display the password if masking is
> >> > activated.
> >> >
> >> > This is definitely a luxury problem compared to most accessibility
> >> > inquiries, but it's always fun to get questions that you don't
> >> > necessarily hav ready answers for.
> >> >
> >> > Cheers
> >> > -B
> >> >
> >> >
> >> > --
> >> > Work hard. Have fun. Make history.
> >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> > > >> >
> >>
> >>
> >> --
> >> Work hard. Have fun. Make history.
> >> > >> > >> > >> > >>
> >
> >
> > --
> > *​John Foliot* | Principal Accessibility Strategist | W3C AC Representative
> > Deque Systems - Accessibility for Good
> > deque.com
> > > > > > > > > >
>
>
> --
> Work hard. Have fun. Make history.
> > > > >

From: Jonathan Avila
Date: Tue, Jul 09 2019 7:53PM
Subject: Re: [EXTERNAL] How fast do puff and sip device users type?
← Previous message | No next message

On a related note - If a masked field like SSN could not be unmasked by the user could that be a failure of WCAG SC 3.3.4 error prevention if there was no confirmation of identity? With password you can re-enter which i assume would pass.

Jonathan

Sent from my iPhone

> On Jul 3, 2019, at 1:42 PM, John Foliot < = EMAIL ADDRESS REMOVED = > wrote:
>
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
>
> Hi Birkir,
>
> You initially posed this question in relationship to content input via sip
> and puff. While I am unaware of any specific studies around minimal times
> needed, the problem statement impacts more than just that specific
> user-group or specific input type (i.e. a user with a mouth-stick will
> likely need a similar amount of time to react).
>
> Some questions: does the masking impact the whole text string, or just the
> most recent character inputted? In a perfect world, I'd envision a masking
> where the last letter/character typed is visible, and as soon as you input
> a second (or next) character, than the previous character is auto-magically
> masked. However, you also noted that this is a server-side function that is
> not detecting key-strokes, so...)
>
> As for "how long"? I'd (personally, and with no hard metric to base this
> on) likely suggest roughly 2 seconds per character, so an 8 character
> string would be roughly 15 or 16 seconds. You noted as well that they can
> "unmask" the password (during, or only after?), and if possible I'd also
> provide a check-box function that automatically turns off or "shows" the
> password in plain text for the duration - I've seen this more than once in
> the wild. That's a user choice setting that can (would) default to the
> traditional hidden password string, but still gives the end user the final
> decision.
>
> My $0.05 Cdn.
>
> JF
>
> On Wed, Jul 3, 2019 at 12:17 PM Birkir R. Gunnarsson <
> = EMAIL ADDRESS REMOVED = > wrote:
>
>> Lol, not when there are other considerations, such as security, and
>> ths is an online banking platform, our security folks would get me
>> trownin jail if I proposed that.
>>
>>
>>
>>> On 7/3/19, Mark Magennis < = EMAIL ADDRESS REMOVED = > wrote:
>>> The exception period under SC2.2.1 is 20 hours 😊
>>>
>>> Mark Magennis
>>> Skillsoft | mobile: +353 87 60 60 162
>>> Accessibility Specialist
>>>
>>>
>>> -----Original Message-----
>>> From: WebAIM-Forum < = EMAIL ADDRESS REMOVED = > On Behalf Of
>>> Birkir R. Gunnarsson
>>> Sent: 03 July 2019 15:51
>>> To: WebAIM Discussion List < = EMAIL ADDRESS REMOVED = >
>>> Subject: [EXTERNAL] [WebAIM] How fast do puff and sip device users type?
>>>
>>> We hav a functionality that lets users see the password they are typing.
>>> For security reasons we automatically mask the password again after a
>>> period of inactivity (the masking is done from the server side so we
>>> cannotdetect individual keystrokes).
>>> The question is, how long should we give a user to type the password
>>> before we auto mask it again (password has to be at least 8 characters
>>> long and must have at least one uppercase, one lower case and one
>>> non-alphanumeric character).
>>>
>>> Finally, users can request to re display the password if masking is
>>> activated.
>>>
>>> This is definitely a luxury problem compared to most accessibility
>>> inquiries, but it's always fun to get questions that you don't
>>> necessarily hav ready answers for.
>>>
>>> Cheers
>>> -B
>>>
>>>
>>> --
>>> Work hard. Have fun. Make history.
>>> >>> >>> >>> >>> >>> >>> >>> >>>
>>
>>
>> --
>> Work hard. Have fun. Make history.
>> >> >> >> >>
>
>
> --
> *​John Foliot* | Principal Accessibility Strategist | W3C AC Representative
> Deque Systems - Accessibility for Good
> deque.com
> > > >