Password set/change error reporting

Marcus Watts mdw at umich.edu
Fri Apr 4 17:10:52 EST 2003


Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> While I think you're dead-on about error codes versus error text, and I
> know that opinions about password quality vary widely, I just can't
> resist my own $0.02:
> 
> >Personally, I don't like to go into a lot of detail about
> >why passwords weren't acceptable.  Telling users that
> >passwords must be 8 characters or more is (I think) more
> >or less a guarantee that most users will pick passwords
> >that are *exactly* 8 characters.  I'd rather give them
> >a less specific error, like:
> >	Your password was too obvious
> >than something that encourages people to stick right
> >at the limit of the program's pickiness:
> >	Your password must be 8 or more characters and contain
> >	at least one non-alphanumeric character.
> >( which probably guarantees most passwords will be exactly
> >8 with exactly one non-alphanumeric... )
> 
> While I know there's a tendency to just meet the minimum, judging from
> the responses from our users I get the feeling that a very vague
> message like "too obvious" doesn't give enough information.  I mean,
> what does that mean?  I can see a user keep trying more and more words
> ("It thinks 'ootid' is an obvious password?") that aren't "obvious"
> without realizing that what we really want is a longer password,
> something with some numbers or punctuation, or a non-dictionary word.
> I think being a bit more descriptive like "too short", "not enough
> non-alphanumeric characters", "found in a dictionary" are better.  But
> the nice thing about returning an error string is that I can have it
> my way, Marcus can have it his way, and we can both interoperate :-)

Well, you're right, people do complain about "Too obvious"... :-)

Depending on the application, probably it ought to have some
more generic text that says something along the lines of
"you can make your password less obvious by making it much longer,
making up nonsense words that don't appear in any dictionary in
any language, and adding non-alphanumeric characters."

In one application (outside of the University), I used this error message:
	Cm'on, you can do better than that!
but the program also says:
	You seem to be having trouble selecting a good password.
	May I suggest:  (a randomly generated password)
after several failures.

The tendency I have to fight here at the U is people who want to find
out what the rules are so that they can code them in paper documentation,
application logic, or other places such that we can't change the rules
we actually impose without breaking stuff.

I think in general people who are first-time users pick better
passwords than more experienced people.  Of course, some of them
also forget them better too.

				-Marcus Watts
				UM ITCS Umich Systems Group
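A small illustration of the policy choices debated above (a generic "too obvious" message with guidance versus Ken's per-rule reasons, and a randomly generated suggestion after repeated failures). This is added example code, not from krb5 or either poster; the wordlists, the rule set and the failure threshold are assumptions.

```python
import secrets
import string

# Constructed stand-in for a real dictionary wordlist (assumption).
DICTIONARY = {"password", "welcome", "letmein", "michigan", "ootid"}
# Constructed wordlist for the random suggestion (assumption).
SUGGEST_WORDS = ["cobalt", "marble", "tundra", "velvet", "quartz", "lantern"]
ALNUM = string.ascii_letters + string.digits
SUGGEST_AFTER = 3          # offer a suggestion on the third rejected attempt (assumption)

# Generic guidance text along the lines suggested in the thread.
GUIDANCE = ("You can make your password less obvious by making it much longer, "
            "making up nonsense words that do not appear in any dictionary, "
            "and adding non-alphanumeric characters.")
# Per-rule wording from Ken's message, used only when the site opts for it.
REASONS = {"too_short": "too short",
           "no_nonalnum": "not enough non-alphanumeric characters",
           "dictionary_word": "found in a dictionary"}


def quality_problems(password):
    """Internal list of violated rules; kept server-side so the rules can change."""
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    if not any(c not in ALNUM for c in password):
        problems.append("no_nonalnum")
    core = password.lower().strip(string.punctuation + string.digits)
    if core in DICTIONARY:
        problems.append("dictionary_word")
    return problems


def suggest_password(nwords=3):
    """Random passphrase that satisfies quality_problems() (hyphens give a non-alnum char)."""
    words = "-".join(secrets.choice(SUGGEST_WORDS) for _ in range(nwords))
    return words + str(secrets.randbelow(100))


def password_change_response(password, failures, verbose=False):
    """Return (accepted, message, suggestion_or_None).

    failures: rejected attempts so far in this session.
    verbose:  site policy knob; True gives per-rule reasons, False the generic text."""
    problems = quality_problems(password)
    if not problems:
        return (True, "Password changed.", None)
    if verbose:
        message = "; ".join(REASONS[p] for p in problems)
    else:
        message = "Your password was too obvious. " + GUIDANCE
    suggestion = suggest_password() if failures + 1 >= SUGGEST_AFTER else None
    return (False, message, suggestion)
```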
