Single-Field Password Set/Reset: Threat or Menace?


This post is dedicated to everyone who ever had trouble logging into a website (myself included, way too many times) or whoever had their account hacked because their password was too simple (way too many friends and acquaintances, way too many times).

This is for us.

Dear website designers and programmers:

Every modern website adds new features. Google added Maps, Books, Street View. Yahoo! added its latest e-mail layout. Twitter added hashtags and now is thinking about revoking them, but has added line breaks. And, most importantly, I have the choice whether to use them or not.

Then there’s the We-Have-a-Great-New-Feature-and-You-Must-Use-It Syndrome. Think Facebook Timeline. Well, that doesn’t cost me any time and I got used to it. And it doesn’t slow me down.

(By the way, Yahoo! initially took away Yahoo! classic e-mail, but after not too long a delay, restored it, if I recall correctly. Thank you for listening to your customers, Yahoo!)

Now there’s a new We-Have-a-Great-New-Feature-and-You-Must-Use-It Syndrome feature.

Your wonderful new feature is giving me a negative view of your website. Negative enough to write a 3300-word blog post complaining – occasionally ranting – about it. What would your advertisers think of that?

Day by day your numbers are growing, User Interface (UI) designers following the siren, zombie call of this new feature.

I mean you, force-me-to-use-a-single-field-when-setting-or-resetting-my-password-UI website. Yes, you. You’ve turned simple inconvenience into dread.

Warning: This is a scattered, discursive essay. Much like my experience of dealing with passwords on your website.

My first draft was about 500 words. But, as I thought about the complexities of what you are asking me to do with regard to the care and feeding of my password, the article grew and it grew, much like the burden you’ve placed on me.

Please stick with it. I’ve done my best to make sure it will be worth it. And I’ve actually proofread it.

And, hey, if your response is TLDR (too long, didn’t read), feel free to skip to Here’s the ideal situation and hope your customers – isn’t it time we retired “users”? – aren’t saying Too Hard, Didn’t Log In.


The latest feature that seems to be spreading like a virus is that when I change my password, you only let me type it once. No more typing my password a second time to make sure I have no typos or thinkos.

You’ve obviously confused me with someone who can type.

This one isn’t get-used-to-able. Because I’m never going to be a better typist than I am now. Every time I log into a site there’s a 50 percent chance I’m going to have to type my password more than once to log on. Three times, maybe. Definitely not tops, especially if I accidentally left caps lock on.

If that typing involves a password reset, forget it.

If my password was one of the top 500 passwords and I used the same password on every website, single-field set/reset would be a great time saver. Actually, I use long, gibberish passwords which are different for each website and don’t write them down and happen to be a poor typist.

Begin password digression

You may be wondering why my passwords are so hard to reproduce, even a few seconds later.

Okay, I’ll share this: I use a mnemonic ruleset that involves both language and key positions to choose my passwords. I change the overarching rules every time I have to do a password reset due to a security breach – and yes this means I have to change my password on every site I use regularly as well as on whatever other site I eventually return to in order to have one consistent ruleset – but the rules let me come up with a different password for each site that I can reproduce by following my current ruleset. I actually have fun coming up with interesting rules.

That is, unless your site has a restriction such as no special characters or maximum 16 characters (you wouldn’t be storing the passwords, would you?) or some other thing that my rules randomly violate.

Requiring adding something such as two capital letters or two special characters is no problem, as I can add that to my overall ruleset. The problem is that when you don’t allow special characters – and space was a special character last time I checked – in a password or have a length limit below, say, 32 characters, something I would never even reach – I’m not that much of a masochist – that means I can’t use the password that is naturally generated from my rules on your site and have to remember that your site is an exception and put it on a list of exception sites and what the exception is.

But the point is, when I come up with a new ruleset I have to retrain my brain to it and that means at first I make a lot of mistakes. That’s over and above my poor typing skills.

And why are any sites still sending passwords over http as opposed to https? Okay, for those sites I don’t use my ruleset and use a much simpler ruleset, because I’m not going to trust such sites. And of course I use a more complex ruleset for any site that is extra-sensitive.

And at this edit (yes, this was edited over a week), what makes you think I can remember twenty different facts about my account, let alone one or two, in order for you to let me get back my access. Of course I’m giving you a fake response for that secret question about my high school because that’s not a secret, you can Bing it, but damn if I’m going to remember two years from now how I answered that question. No, I don’t remember the last time I logged in or sent an e-mail using my account on your website, if ever.

The harder you make it for the bad guys, the harder you make it for me. And single-field password set or reset pushes it over the edge.

Let’s edit “have fun” to “had fun.”

End password digression

This new feature is pure hell. Too bad there’s no option not to use it.

I call that lazy. Not the folks typing the passwords; I mean the programmers. Because adding an option to choose to confirm password choice would be reasonably easy.

Okay, by now you’re thinking I’m anal-retentive or paranoid, and perhaps I am. That doesn’t mean the hackers aren’t out to get you. Yahoo! now describes a secure password as being at least 20 characters and not containing any real words, the Wikipedia article on password strength runs over 6,000 words as I type this post, and the XKCD cartoon on password strength, six panels, says “correcthorsebatterystaple” should take 550 years to crack – although the Passfault password checker says it would take less than two years.

I just tested an 18-character password I use that’s made up of the first characters of words in a sentence that has special characters (replacing a word such as $ for “dollars”), numbers (where I use the digits), and both upper and lower case letters, and Passfault says it will take nearly 2 billion centuries to crack. Which means in 5 years it will take 2 years with a massive botnet. And it’s a memorable sentence. But I’d still need a different sentence for every website I use, because websites can be hacked. And that’s not simply changing “Y” in your sentence for Yahoo! to “G” for Google to “F” for Facebook. After all, hackers aren’t restricted to a single website and can theoretically compare passwords with matching e-mail addresses, using that to break your password rule.

Begin computer science digression

There are, alas, websites that store your password either unencrypted or in reconstitutable form. If a website can e-mail you the password that you originally entered as is, it’s a very bad website. I know of one e-commerce site that can still do that two years after I wrote them about it. I have two words for such sites: salted hash. Rehashing the hashed hash. That’s 4 words. Actually one more word: SHA512. Oops, that’s by the NSA. RIPEMD-320 anyone? But not MD5. MD5 is a bad algorithm. I don’t know why anyone is still using MD5 for anything.

Actually, I don’t know why sites only use one salt. Why not use 100 salts – heck, why not 1,000 salts? – and apply three of them – I originally typed “theme” – for each user based on moduli of: (1) their user ID, (2) the date and time their account was created, and (3) their user name?

Oh, yeah, and if you’re going to hang on to all my old passwords so I can never use them again, you’ll need a fourth salt and modulus, the date and time you’re creating the password so that if you get hacked, the hackers can’t look at my password history and figure out how I create passwords because each past password was stored with a different salt.
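The usual way to give every stored password its own salt, including each entry in a password history, is a fresh random salt per record fed into a deliberately slow key-derivation function. The sketch below is an added example, not code from this post or from any site it mentions; it uses Node's built-in scrypt rather than the hash functions named above, and the function names and cost parameters are assumptions.

```javascript
// Added example (not from the original post). Names and parameters are illustrative.
const crypto = require("node:crypto");

const KEY_LEN = 32;
const PARAMS = { N: 16384, r: 8, p: 1 }; // scrypt cost settings, assumed for the example

// Build the record a site would store: a new random salt plus the derived key.
// The password itself is never stored, so it cannot be e-mailed back.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, KEY_LEN, PARAMS);
  return { salt: salt.toString("hex"), key: key.toString("hex") };
}

// Re-derive the key with the record's own salt and compare in constant time.
function verifyPassword(password, record) {
  const expected = Buffer.from(record.key, "hex");
  const salt = Buffer.from(record.salt, "hex");
  const actual = crypto.scryptSync(password, salt, expected.length, PARAMS);
  return crypto.timingSafeEqual(actual, expected);
}

// Password history: each old record carries a different salt, so the stored
// history reveals nothing about how one password relates to the next, yet
// reuse can still be detected by testing the candidate against every record.
function isReused(candidate, history) {
  return history.some((record) => verifyPassword(candidate, record));
}
```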

End computer science digression

But my point is, now I’m being penalized for trying to be safe and for my bad typing skills. I really need to be able to enter my password twice when trying to change it. Once is not enough.

A common response is that I can have a password reset link e-mailed to me. Um, does your website encrypt that e-mail so nobody else can intercept it? I thought not. And if it did encrypt it, would I be able to read it? Not sure.

But even ignoring that security hole, requesting a reset e-mail is a pain. First, you may have to solve one of those annoying CAPTCHAs that some hacker can have someone else solve in exchange for viewing porn that will place a virus on their computer. Second, you have to wait for the e-mail to show up, which might not be immediately, especially if it winds up in your spam folder or your employer’s e-mail server is backed up. Then you have to open the e-mail, click the link or copy and paste it into the browser. Then create a new password using whatever arcane rules you’ve set.

Oh, yeah, and I get dozens of e-mails a day. You’re adding to my mailbox clutter.

You’re also making me do two extra application switches to get my work done.

Here’s the process with two password fields when I make a typo or thinko. Let’s count the clicks:

  1. Click in the other password field, so I can re-type it.
  2. Click submit again.

Here’s the process with one password field when I make a typo or thinko. Let’s count the clicks now:

  1. Click the send-me-a-reset-link button.
  2. Click in the e-mail address field so I can type my e-mail address.
  3. Click to set the focus to my e-mail program (or alt-tab or command-tab if I can’t see them both at once).
  4. Possible extra click if my inbox isn’t the folder showing.
  5. Extra click on my home computer to get mail so I don’t have to wait for the e-mail program to poll the server. (And more clicks if it hasn’t arrived yet, but I’ll just count this one.)
  6. Double-click the e-mail to open it.
  7. Copy the reset URL.
  8. Click to set the focus to my browser (or alt-tab or command-tab if I can’t see them both at once).
  9. Click in the location field.
  10. Paste the link.
  11. Click to submit the link.
  12. And the next time I go back to my e-mail, click to delete the e-mail.

(Yes, I could save a click by deleting the e-mail immediately after doing the copy, at risk of having to dive into my trash folder if I accidentally didn’t copy when I thought I did – which happens to me way too often. All of which adds a few more clicks to the process.)

That’s not counting any extra clicks I wind up doing because I don’t have muscle memory for this process. Plus, if you required a CAPTCHA to get the reset e-mail, one click for each CAPTCHA try – um, I’m batting .650 on those.

(I just talked to someone else who says they have a major problem doing those, and that sometimes they just give up.)

If it takes me four times to get the password right – not unusual for me – that’s 40 extra clicks, plus four extra typing my e-mail (okay, I lied there, I have a keyboard shortcut to type my e-mail address), plus possibly six CAPTCHAs (I told you I’m not good at CAPTCHAs), all so you can have a pristine UI.

Some of you send text messages with 6- or 7-digit codes. I don’t always turn my phone on, or might have a different phone with me than what I recorded for my account. If you’re going to text, allow me to add a second or third phone number to my account in case I don’t have the first one on me. And it’s still an interruption. Oh, and I have trouble distinguishing between a 0 and an 8 on my phone’s screen because it dots the 0 to distinguish it from the capital letter O. Oh, and I used to transpose digits a lot. I don’t do that so much any more, but I can’t be the only one with that problem. These all slow down the process.

A five-minute process has become a half-hour one. Maybe twenty minutes, but it feels like an hour. If I want to keep it natural.

Or else it turns it into an unnatural process that I can still mess up.

When are you going to give that time back to me? Oh, well, it will probably suck out any desire I had to spend more time on your website so it probably evens out. I’ll probably be reminded of it every time I have to visit you. Whoops, it just became had to visit, because why would I go through this torture voluntarily? Oh, eventually I’ll forget. Until the next Heartbleed forces me to reset all my passwords.

Begin task-switching digression

Oh, yeah, and humans are notoriously bad task switchers. It wastes time getting back into the workflow I was actually coming to your website for. Hmm, ironic that I used a hyperlink on a post that argues against task switching. Oh, well, Ctrl-click will open it in a background tab or you can add it to your Safari reading list (#1 browser in San Francisco).

End task-switching digression

Maybe you enjoy doing these things but it adds time to the process. No doubt, having a frustrating password change process increases the likelihood of typos.

Aside from the mailing the reset link idea, message boards are mixed on the issue.

Many people consider having to enter the password twice a pain, and it clutters the interface. The answer is simple. Let the customer decide if they want one field or two.

Some sites show the password. That’s fine if you’re a skilled touch typist typing letters and are in a private space, not so great if you create passwords by making patterns on the keyboard and don’t care what the letters are, are using the computer at the public library, or look at the keyboard when you’re typing a password, like me (because I don’t trust my touch-typing skills when typing a password) – I didn’t notice the password was showing until I was done; good thing I was alone at the time – but sometimes accidentally hit two keys instead of one – my keyboard only takes a light touch and I’m clumsy – or set off auto-repeat because you held a key down too long.

On the day I write this paragraph, I introduced a colleague to a new website which had two fields for new passwords. It took her three or four tries to get the password right. So I’m not the only one. And she has no more spare time at work than I do.

Okay, yes, we could type more carefully. But that’s making us fight our natural impulses. Yes, I just changed – I initially typed “change” – my password successfully at a single-field reset website. But I was panicked all the while, fearing one false move on my part would lead to a temporary lockout. That’s not a good association for me to have with your website.

Oh, yeah, I had to put my iTunes on pause so I could concentrate, and the at-work equivalent would be waiting until my cube neighbor gets off the phone. More having to do something different from what I would normally do.

Here’s the ideal situation:

Give me a checkbox in my preferences, default un-checked if you must, “Show a password confirmation field when entering a new password.” If I don’t check it, show me one password field. If I do check it, show me two fields and check that they’re the same before you let me submit the page.

Too much trouble? Database too full for a new field?

The sad fact is, you can satisfy both the one-field and two-field camps using JavaScript so it runs locally in the browser.

Show one new password field, but add a link or button reading “Check for typos?”

The folks who are comfortable in their ability to type “catdogpanda123” (1 day to crack) can enter a password and click submit and have the system accept their password immediately, no muss, no fuss.

For those of us that want assurance, clicking the “Check for typos?” link would disable submit and show a second new password field. Use JavaScript to test whether the two fields are the same and show a “Passwords don’t match” or “Passwords match” message as appropriate. Once the passwords match, re-activate the submit button.

Of course, also replace the “Check for typos?” link with a “Don’t check for typos” that will hide the second field and re-enable the submit button. For those one-fielders who were curious.

Actually, when the customer is done, submit their one field vs. two choice and store it as their preference.
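One way to build the “Check for typos?” toggle described above, as an added example that is not code from this post: the decision logic is a pure function so it can be tested without a browser, and a small wiring function applies it to the form. The element ids and the hidden preference field are hypothetical.

```javascript
// Added example, not from the original post. Element ids are hypothetical.

// Pure decision logic: what the form should show for a given state.
function passwordFormState({ password, confirm, checkTypos }) {
  if (!checkTypos) {
    // One-field mode: no confirmation field, submit stays enabled.
    return { showConfirm: false, message: "", canSubmit: true,
             toggleLabel: "Check for typos?" };
  }
  // Two-field mode: submit only when both copies are equal and non-empty
  // (the non-empty requirement is a choice made for this example).
  const match = password.length > 0 && password === confirm;
  return {
    showConfirm: true,
    message: confirm === "" ? "" : match ? "Passwords match" : "Passwords don't match",
    canSubmit: match,
    toggleLabel: "Don't check for typos",
  };
}

// Browser wiring. The confirmation input should carry no name attribute so
// the second copy of the password is never sent; only the choice is.
function wirePasswordForm(doc) {
  const pw = doc.getElementById("new-password");
  const confirm = doc.getElementById("confirm-password");
  const toggle = doc.getElementById("typo-toggle");
  const msg = doc.getElementById("match-message");
  const submit = doc.getElementById("submit-button");
  const pref = doc.getElementById("confirm-pref"); // hidden input, stored as the preference
  let checkTypos = pref.value === "1";

  function render() {
    const s = passwordFormState({ password: pw.value, confirm: confirm.value, checkTypos });
    confirm.hidden = !s.showConfirm;
    msg.textContent = s.message;
    submit.disabled = !s.canSubmit;
    toggle.textContent = s.toggleLabel;
    pref.value = checkTypos ? "1" : "0";
  }

  toggle.addEventListener("click", (event) => {
    event.preventDefault();
    checkTypos = !checkTypos;
    if (!checkTypos) confirm.value = ""; // do not keep a hidden copy around
    render();
  });
  pw.addEventListener("input", render);
  confirm.addEventListener("input", render);
  render();
}

if (typeof document !== "undefined" && document.getElementById("new-password")) {
  wirePasswordForm(document);
}
```

The match check is a typing aid that runs only in the browser; the server still has to apply its own password rules to the value it receives.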

See, you’ve satisfied everyone and let us interact with your website the way we want.

Because that’s the cure for the It’s-a-Great-Feature-and-You-Must-Use-It Syndrome. Don’t assume your new feature is so great that everyone wants to use it. After the first couple bad experiences with this solo field I now actually get angry when I encounter this feature.

Sure I could just keep resetting my password via e-mail every time I need to use the site. Most times, it will only add a couple of minutes to each login. What happens that one time when the e-mail system isn’t accepting mail from outside for a few hours or so (happens now and then) and I really need to get into your site right away?

But the main reason I get angry is that you are forcing me to do things your way. It’s not enough that you have your own idiosyncratic rules for password entry that I have to remember. It’s that you’re making me change the way I do things. You don’t pay me to do that. (Not even if you have a free site. I’m watching your ads, right?)

It’s a computer. It’s supposed to make things easier. Don’t force me to interrupt my workflow.

You don’t want my reaction to your website to be panic and dread, do you? Do your advertisers? Does your accounting department?

You’re assuming skills on my part that I don’t have. I know JavaScript, CSS, jQuery, and PHP to varying levels of expertise. I sanitize my input. I’m told I file good bug reports – you can decide for yourself on my open-source issues. I’ve tweaked Postscript and SVG files in Notepad to change drawings. I’ve tweaked PDFs in Notepad to change italics to normal type. I’ve overridden your website’s CSS to make that annoying gray text black.

But I can’t type a complex password both reliably and comfortably to save my life.

You’ve changed a fun game into a chore.

Give me a choice.

Please.
