Re: Do you think this is a security risk and if not is it a bad UI decision?


 



On Friday, 03 May 2013 at 23:24 -0500, Eric Sandeen wrote:

> What is the downside to defaulting to a hidden PW, with an opt-in mechanism to
> display the password as it's typed?  The downsides of defaulting to cleartext have
> been noted, and to me are quite self-explanatory.

First, we need to see why the input defaults to visible.

The discussion about it has been going on for a few years in usability
circles, since Jakob Nielsen proposed it:
http://www.nngroup.com/articles/stop-password-masking/
http://uxmovement.com/forms/why-password-masking-can-hurt-your-sign-up-form/

and I think that even Bruce Schneier has given his opinion in favor of
the proposal:
http://www.schneier.com/blog/archives/2009/06/the_problem_wit_2.html
http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html

I can add to that that I have seen more than once people setting a
password which was not the one they believed, due to:
- keyboard layout (i.e., qwerty vs azerty in France)
- small usage differences with the Windows way, again on azerty keyboards
(people using capslock on a French keyboard to type numbers while they
should use shift, as capslock just types capital letters like À or É and
not 0 or 2, and if you do not understand, just look on the web to
compare how different it is from a qwerty-based keyboard)

Or I could also speak of the small non-standard keyboards such as the MacBook
one where ~ or | are not printed and where using the wrong keyboard
could result in wrong characters if you are unaware of the problem.

Or what about the people for whom ASCII (or ASCII-related) chars are
not the norm, and who are forced to use them for the password despite
sometimes being less familiar with them (i.e., China, Japan, India)?

I think we can agree there are a few problems to solve here, and showing
the password (I think) helps to solve them (or at least minimize the
time spent on figuring out what is wrong).

But the discussion is not about that, even if I think the rationale
around the defaults. 
Showing by default will help people who are less familiar, hidden by
default will satisfy people who think that's a security issue.

Hidden by default and showing it on demand is likely to still be a
hindrance to people who may not know they typed their password wrong
(because I think most assume that it will work fine; we are not at a
point where people assume by default this will fail).

So what about hiding on demand, and having it visible by default? This
way, people who prefer to have it hidden will be happy, and we are still
friendly to non-technical users.

(and then the discussion is around the mechanism to hide the password,
between "reduce visual clutter" and "have an explicit checkbox")

-- 
Michael Scherer


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel




