Password Strength Visualization - Mobile-l - lists.wikimedia.org

List overview All Threads
Download

Password Strength Visualization

Wikipedia App User Agents

Lifehacker tip about using mobile...

Yuvi Panda

15 Apr 2014 15 Apr '14

11:52 a.m.

I ran into an Android implementation of http://mattt.github.io/Chroma-Hash/ lately, and was wondering if experimenting with that would be a good idea for the Android app. Thoughts? -- Yuvi Panda T http://yuvi.in/blog

Reply

Show replies by date

Steven Walling

15 Apr 15 Apr

6:03 p.m.

On Tue, Apr 15, 2014 at 4:52 AM, Yuvi Panda <yuvipanda(a)gmail.com> wrote:

I ran into an Android implementation of http://mattt.github.io/Chroma-Hash/ lately, and was wondering if experimenting with that would be a good idea for the Android app. Thoughts?

A password strength meter would be awesome, but I think this one is a little weird. Typically,[1] these use a much simpler color scheme, potentially combined with words. An even simpler implementation that would be good for core as well as apps would be clientside validation of the password length. Soon we're going to be upping the limit to six bytes/characters, so a simple "too short" message might be good to get implemented. 1. http://ui-patterns.com/patterns/passwordstrengthmeter -- Steven Walling, Product Manager https://wikimediafoundation.org/

Reply

May Tee-Galloway

6:22 p.m.

I gotta agree it's abit weird. When I typed my password and colors happened, I waited for something more to happen. I wasn't sure what the colors meant until I read the document. What Steven pointed out is still the best way to indicate password strength. But I still think this Chroma hash guy is up to something. mm On Tue, Apr 15, 2014 at 11:03 AM, Steven Walling <swalling(a)wikimedia.org>wrote;wrote:

On Tue, Apr 15, 2014 at 4:52 AM, Yuvi Panda <yuvipanda(a)gmail.com> wrote:

I ran into an Android implementation of http://mattt.github.io/Chroma-Hash/ lately, and was wondering if experimenting with that would be a good idea for the Android app. Thoughts?

A password strength meter would be awesome, but I think this one is a little weird. Typically,[1] these use a much simpler color scheme, potentially combined with words. An even simpler implementation that would be good for core as well as apps would be clientside validation of the password length. Soon we're going to be upping the limit to six bytes/characters, so a simple "too short" message might be good to get implemented. 1. http://ui-patterns.com/patterns/passwordstrengthmeter -- Steven Walling, Product Manager https://wikimediafoundation.org/ _______________________________________________ Mobile-l mailing list Mobile-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mobile-l

Reply

Pau Giner

6:27 p.m.

My concern with the concept of "password strength" approaches is that it often encourage passwords that are harder to remember (e.g. forcing the user to use caps underscores, etc.). I think it would be better to encourage the use of passphrases instead: An interesting article about making usable and secure passwords<http://www.baekdal.com/insights/password-security-usability>… that password based on sentences with 3 or more words such as *"this is fun"* are ten times more secure than cryptic combinations of numbers and letters such as *"J4fS<2" *(there is also a xkcd version of the same idea<http://xkcd.com/936/> ). The shared approach tries to visualise both how strong and whether you typed the correct password (by displaying always the same colours given a specific password). The last part was something similar to what the old Lotus Notes did by displaying different icons of keys next to the password field. That could be slightly useful to anticipate errors but have an impact of initial confusion until the user understands what it is about. Pau On Tue, Apr 15, 2014 at 8:03 PM, Steven Walling <swalling(a)wikimedia.org>wrote;wrote:

On Tue, Apr 15, 2014 at 4:52 AM, Yuvi Panda <yuvipanda(a)gmail.com> wrote:

I ran into an Android implementation of http://mattt.github.io/Chroma-Hash/ lately, and was wondering if experimenting with that would be a good idea for the Android app. Thoughts?

A password strength meter would be awesome, but I think this one is a little weird. Typically,[1] these use a much simpler color scheme, potentially combined with words. An even simpler implementation that would be good for core as well as apps would be clientside validation of the password length. Soon we're going to be upping the limit to six bytes/characters, so a simple "too short" message might be good to get implemented. 1. http://ui-patterns.com/patterns/passwordstrengthmeter -- Steven Walling, Product Manager https://wikimediafoundation.org/ _______________________________________________ Mobile-l mailing list Mobile-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mobile-l

-- Pau Giner Interaction Designer Wikimedia Foundation

Reply

Liangent

6:59 p.m.

Purely in reply to Pau's comic: Unfortunately I saw too many password fields with a limit of maximum length. Many are 16 chars and some are even 8 chars. I don't really know their point: passwords are going to be hashed. Why does their original length matter much? On Apr 16, 2014 2:27 AM, "Pau Giner" <pginer(a)wikimedia.org> wrote:

My concern with the concept of "password strength" approaches is that it often encourage passwords that are harder to remember (e.g. forcing the user to use caps underscores, etc.). I think it would be better to encourage the use of passphrases instead: An interesting article about making usable and secure passwords<http://www.baekdal.com/insights/password-security-usability>… that password based on sentences with 3 or more words such as *"this is fun"* are ten times more secure than cryptic combinations of numbers and letters such as *"J4fS<2" *(there is also a xkcd version of the same idea <http://xkcd.com/936/>). The shared approach tries to visualise both how strong and whether you typed the correct password (by displaying always the same colours given a specific password). The last part was something similar to what the old Lotus Notes did by displaying different icons of keys next to the password field. That could be slightly useful to anticipate errors but have an impact of initial confusion until the user understands what it is about. Pau On Tue, Apr 15, 2014 at 8:03 PM, Steven Walling <swalling(a)wikimedia.org>wrote;wrote:

On Tue, Apr 15, 2014 at 4:52 AM, Yuvi Panda <yuvipanda(a)gmail.com> wrote:

I ran into an Android implementation of http://mattt.github.io/Chroma-Hash/ lately, and was wondering if experimenting with that would be a good idea for the Android app. Thoughts?

A password strength meter would be awesome, but I think this one is a little weird. Typically,[1] these use a much simpler color scheme, potentially combined with words. An even simpler implementation that would be good for core as well as apps would be clientside validation of the password length. Soon we're going to be upping the limit to six bytes/characters, so a simple "too short" message might be good to get implemented. 1. http://ui-patterns.com/patterns/passwordstrengthmeter -- Steven Walling, Product Manager https://wikimediafoundation.org/ _______________________________________________ Mobile-l mailing list Mobile-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mobile-l

-- Pau Giner Interaction Designer Wikimedia Foundation _______________________________________________ Mobile-l mailing list Mobile-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mobile-l

Reply

James Alexander

7:02 p.m.

On Tue, Apr 15, 2014 at 11:59 AM, Liangent <liangent(a)gmail.com> wrote:

Purely in reply to Pau's comic: Unfortunately I saw too many password fields with a limit of maximum length. Many are 16 chars and some are even 8 chars. I don't really know their point: passwords are going to be hashed. Why does their original length matter much?

Sadly from what I can tell a large portion of them don't actually hash it....or use it in it's raw form somewhere else in their system. James Alexander Legal and Community Advocacy Wikimedia Foundation (415) 839-6885 x6716 @jamesofur

Reply

Greg Grossmeier

7:10 p.m.

<quote name="Liangent" date="2014-04-16" time="02:59:22 +0800">

Purely in reply to Pau's comic: Unfortunately I saw too many password fields with a limit of maximum length. Many are 16 chars and some are even 8 chars. I don't really know their point: passwords are going to be hashed. Why does their original length matter much?

You *assume* the password is going to be hashed.... -- | Greg Grossmeier GPG: B2FA 27B1 F7EB D327 6B8E | | identi.ca: @greg A18D 1138 8E47 FAC8 1C7D |

Reply

Željko Filipin

16 Apr 16 Apr

9:29 a.m.

On Tue, Apr 15, 2014 at 8:27 PM, Pau Giner <pginer(a)wikimedia.org> wrote:

I think it would be better to encourage the use of passphrases instead: An interesting article about making usable and secure passwords<http://www.baekdal.com/insights/password-security-usability>… that password based on sentences with 3 or more words such as *"this is fun"* are ten times more secure than cryptic combinations of numbers and letters such as *"J4fS<2" *(there is also a xkcd version of the same idea <http://xkcd.com/936/>).

An interesting approach is password haystack[1].

From the web site:

"Which of the following two passwords is stronger, more secure, and more difficult to crack? D0g..................... PrXyc.N(n4k77#L!eVdAfp9 You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!" Željko -- 1: https://www.grc.com/haystack.htm

Reply

3689

days inactive

3690

days old

mobile-l@lists.wikimedia.org

Manage subscription

7 comments

8 participants

tags (0)

participants (8)

Greg Grossmeier
James Alexander
Liangent
May Tee-Galloway
Pau Giner
Steven Walling
Yuvi Panda
Željko Filipin