Wednesday, July 29, 2009

Some thoughts on password input visualization

I've been seeing a few of these things floating around. Supposedly, they make it easier to figure out if you typed your password correctly just by glancing at a hashed graphic representation of the password.

My first thought is of the eating-your-own-dogfood type: how do you type your password? Do you actually look at the screen as you're typing? Do you click the button or press enter to submit? If the latter, do you pause before pressing enter? Can you easily override your muscle memory and not press enter if, say, you feel you see one less * than what you think you should see? Well, maybe you're a geeky freak. Ask your friends the same questions.

Another thing that I'm wondering is whether the whole thing is redundant. Why do you need to visualize your password? Did you make a mistake? Were you not aware that you may have made a mistake?

And one last thing. What was the last ad you saw about? Chances are you didn't even see it. What makes a graphic feedback icon any different? It's very easy to miss things that you aren't expecting. For example, I often miss a "check user ID availability" button when signing up for a free game simply because it's just a bit off of where I'd expect an interactive piece to be next.

I don't know about anyone else, but I don't really care about hash strength and all that crap people throw around to make themselves look smart on HN or whatever. If people really wanted to get your password, they would. There are so many non-cryptographic ways to do it, it's not even funny.

What matters for a UI experiment is that it plays well with users' behaviours: I type my passwords looking at the keyboard and press enter by muscle memory. I subconsciously dismiss things as visual noise when they are not absolutely required for the task at hand.

So far, the password visualization experiments I've seen don't address any of those behaviours.
