SIGIA-L: Password hint summary (very long)

From: Joe Sokohl (joe.sokohl_at_iconmedialab.de)
Date: Thu Sep 20 2001 - 13:29:49 EDT


Hi all,
Earlier, I asked for advice on providing hints on retrieving a forgotten
password. This mail provides responses from both this list and another
(apologies if I re-quote someone).

ORIGINAL TOPIC
The topic is password hints when a user forgets their password. Send your
responses to me and I will summarize responses as well as provide what my
impressions are. Note: I apologize if you have seen this cross-posted on any
other list.

I know this has been discussed last year and the year before at length. My
search now is for any results of testing that indicates whether people
successfully use password hints (or
"security-identifiers-disguised-as-helpful-hints").

I have a client who wants to have five different questions. Users can answer
one of the five. The system will check their response later (and the
response must be letter-perfect). The site is multi-European lingual.

Here are the client's questions:

What is your--
      favorite novel
      favorite drink
      lucky number
      favorite food
      favorite film

My concerns:

1. Are five too many? not enough? just right? (in the number of questions
the user can choose from).

2. Are these questions proper--that is, from a usability standpoint, are the
potential answers to these questions memorable enough for users to react to,
once they have lost their original password? Some people have indicated that
the permanence of such answers is problematic: people change their favorites
often enough not to remember what their current favorite <insert> is.

3. Additional data as to whether people use these hints successfully? Any
comparisons with free-text question and answer interfaces?

RESPONSES
------------------------------
From: Ziya Oz <ziyaoz_at_earthlink.net>
I belong to a class of people who hate/don't care about "favorites." If you
ask me any of these questions over the course of a month, say, you'll
probably get different answers to each question over time. I mean, do you
really have a *single* favorite food? Or a film?

So if I'm forced to play what seems to me to be a silly game, it'll be
like remembering a 10-digit meaningless pass-phrase, which means I'll have
to record it someplace and that means I'll probably lose it too.

Best,

Ziya

----------
From: Eric Reiss [mailto:elr_at_e-reiss.com]
I tend to agree with Ziya about "favorites." Password hints seem to
be more memorable if they are based on "facts," which remain constant
rather than "opinions," which can change.

Fact: my mother's maiden name
Opinion: my favorite book

My previous experience with freetext questions/hints has been very
good, particularly on multi-language sites (assuming the browser can
accept special alphabets (Danish, Norwegian, Swedish, French, German,
Spanish, etc.)). Just for the record, by freetext, I mean that the user
can define his or her own question rather than merely choose from a
set list. Hence, if a user wants to be asked something odd, like
his/her shoe size, the option is available. Sometimes, we've provided
two or three "standard" questions to guide users who cannot come up
with their own question.

Although this is not overwhelmingly scientific, our own research
indicates that opinion-based hints don't work very well. Out of about
50 password requests on one site we examined, 8 people were unable to
guess the right answer from an opinion-based hint and had to
re-register. On another site over the same three-month period (and
with similar traffic and demographics), out of 34 requests for
passwords, only one user was unable to answer the fact-based hint
(apparently he had acquired a new pet with a new name).

Hope this helps.

Best regards,
Eric

Eric L. Reiss
Principal

e-reiss aps
copenhagen, denmark
www.e-reiss.com
(+45) 20 12 88 44
------------------------------
From: Andrew McNaughton <andrew_at_tki.org.nz>

On Tue, 28 Aug 2001, Ziya Oz wrote:

> So if I'm forced to play what seems to me to be a silly game, it'll be
> like remembering a 10-digit meaningless pass-phrase, which means I'll have
> to record it someplace and that means I'll probably lose it too.

I heartily agree with that. None of those questions have an obvious
answer for me. Now if you asked which was 'my' mountain or river, that
would be a different story. Perhaps it's the generic nature of those
questions that makes them meaningless.

You'd probably get better memorability if you asked the user to supply the
question as well as the answer, not least because they'd spend longer
thinking about it, and that is the key to passing things into long term
memory. Also because they'd choose a question which meant something to
them.

Those questions are also poor on security grounds in that the answers are
relatively easy to guess. A list of a few hundred popular novels and
films would easily catch almost all users, and it's very easy to write a
script which will go through and try them in sequence. Try numbers 1-100
for lucky numbers. 'chocolate' alone would probably get at least 10 or 20
percent of users' favourite food answer. Most web applications seem to
treat security as a nominal feature, and it's often true that the results
of a compromise would not be earth-shattering, but if we're going to
discuss usability of security features then let's keep security in the
picture a little.

User supplied questions would significantly improve security (though this
could not be considered strong). The size of the dictionaries required to
guess password-circumvention keys might not be much larger for any given
question, but any given dictionary would be useful for much fewer
accounts, and would likely require an attacker to go and put one together
for each user account they wished to target.

Andrew McNaughton

------------------------------
From: Eric Scheid [mailto:eric.scheid_at_ironclad.net.au]
apart from lucky number, all are potentially ephemeral opinions ....
which means that their answer today may not reflect their answer of
yesteryear.

e.

______________________________________________________________________
eric_at_ironclad.net.au i r o n c l a d n e t w o r k s
information architect http://www.ironclad.net.au/

----------
From: Surla, Stacy [mailto:SSurla_at_aspensys.com]

I forget my passwords all the time, so I've had a chance to use this
passwords-hints-thing on a number of sites. My favorite version requires,
as part of the registration process, that I enter in my own reminder
question or statement. Then, when I want to log in but have forgotten my
password, I enter my e-mail address and check the "give me my reminder" box.
I then get my reminder question, remember my password, fill in the password,
and continue onwards.

This seems more secure than just asking for my password to be emailed to me
(which of course I also do). And it allows me to choose the question that
would best remind me of my password. And it doesn't require the quiz that
your client has in mind.

~Stacy

----------
From: Eileen 'Turtle' Parzek [mailto:turtle_at_turtlesweb.com]
>1. Are five too many? not enough? just right? (in the number of questions
>the user can choose from).

Five is not a bad number - I wouldn't do more than that, though

>2. Are these questions proper--that is, from a usability standpoint, are the
>potential answers to these questions memorable enough for users to react to,
>once they have lost their original password?

Favorites are really a bad way to do it, because people's favorites change
constantly and are *not* memorable. Stick to facts, such as

What is your
         middle name
         city of birth
         mother's maiden name

and so on.

>3. Additional data as to whether people use these hints successfully? Any
>comparisons with free-text question and answer interfaces?

I have found this way of doing password reminders works really well but
don't have any 'official proof' beyond my own various usability testing.
It's important that it is understandable both when they create an account
and when they need later to access the hint. For example, when signing up:

Choose Username [ ]
Choose Password [ ]
Confirm Password [ ]

In case you forget your User Name or Password, give us a hint we can use to
remind you

Choose a Hint [ DD: Mother's Maiden name, Pet's name, City of Birth]
Answer: [ ]

Then, when they click on the 'forgot password' link later on, it will ask
them "What is ___________?" and give them a field to fill in the answer -
if they answer correctly, they can either be let into the site, directly
into a place where they can reset their password, or shown their old
password on screen so they can log in.

As a side note - though you didn't ask - I don't think it really makes
sense to combine this with emailing them the password - not sure what
others think on that - it seems to me that it's an option instead of emailing
the password. In other words, if you think your users will always have
access to their mail client when using the web, then you can set it up so
that if they forget a password, they have to enter their email which will
then trigger sending the password to their mail box. But what if they don't
have access to that where they are - i.e., using a kiosk or a terminal at a
library? I prefer the hints because by answering a question, the
confirmation that they are who they say they are is established and the
password can be put right up on screen.

Hope this helps

~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~
Eileen "Turtle" Parzek ~ phone~ 518-505-6617
http://www.turtlesweb.com mailto:turtle_at_turtlesweb.com
digital artist ~ information architect ~ project mgr ~ consultant

-----Original Message-----
From: Hillan, Julie G [mailto:hillanj_at_MMRF.MFLDCLIN.EDU]

Why not let the user enter their own reminder question? Just limit the
number of characters that can be entered.

For example, I have been asked this on some sites (of course, I don't
remember which sites at this moment -- sorry). I tend to enter something
like: *What is the cat's name?* Or, *Your grandfather's name?* Something
like that. If I forget a password and request a reminder, the question I
wrote is e-mailed to me, prompting me to remember.

I am a content person, not a programmer, so I don't know if this is a
problematic answer to your question from a programmer's standpoint. However,
to make certain of cross-cultural and cross-language usability, it would
work well. For example, perhaps in my (fictional) country, numbers are not
lucky or un-lucky, or I use different characters or speak Esperanto.
Whatever I enter as my prompt question will be sent to me via e-mail, so it
is customized perfectly.

Julie Hillan
Web Content Developer
Marshfield Clinic
hillanj_at_mmrf.mfldclin.edu
(715) 389-3331
----------
From: elizabeth mclachlan [mailto:ecm_at_otivo.com]
This topic is something we've come across in user testing from time to
time. Simply put, 5 is too many. Here are some of the reasons why -- and
these reasons are based on our experiences:

1. Users will not always be able to remember what things they entered as
hints at each site/application where they register their information.

2. Users' "favorite" xyz will change.

3. Absolutes will work better as password hints -- a user's historical data
which is not subject to change of favor. For example: a) name of your
first pet b) mother's maiden name c) name of town/township/city where you
were born.

4. Some sites successfully pass password data to the user without the use
of hints. They match the email address the user registered under, and if
the email address is recognized, they will email the hint or the password
to the user. Passwords should never be displayed to the user in the
session - way too insecure -- either they get it from the hint or they must
go to greater lengths to get their password (receive further info via email
or ??)

Good topic! I look forward to the summary.

-Elizabeth
----------
From: elizabeth mclachlan [mailto:ecm_at_otivo.com]
Sent: Wednesday, August 29, 2001 4:53 PM
To: Joe Sokohl
Subject: RE: Password hints redux

Hi Joe

The hint can be displayed on the screen. From the hint, the user should
be able to remember the password somehow. So perhaps, now that I've had a
little more coffee -- the hint should relate to the password -- when the
user registers and enters a "password hint" hopefully they will enter
something that invokes their memory of the password they entered.

It is important to decide, I think, whether or not the successful answering
of the hint questions gets the user the password displayed on the
screen? Depends on how strict the level of security needs to be. In my
last email, I recommended not doing that. Perhaps a successful answering
of hint questions results in the password being emailed, for example:

1. Where were you born?
user enters correct answer, clicks submit ...
2. What is your mother's maiden name?
user enters correct answer, clicks submit ...
3. Message: Thank you. Your password information has been emailed to you.

Regarding the additional action of opening another application for mail, we
have seen that most users appreciate that level of security. They may moan
and groan, but I've seen less of a positive reaction when the password is
displayed on the screen. This is especially true on sites where credit
card data has been passed.

I hope you find my info and feedback helpful.

Cheers and Thanks
Elizabeth
----------
From: Carolyn Snyder [mailto:snyder3961_at_mediaone.net]

> potential answers to these questions memorable enough for users to

Personally, I wouldn't be able to create a memorable answer to any of their
5 questions. Perhaps I should learn to develop stronger feelings for
inanimate objects... ;-)

Carolyn

Snyder Consulting
Focusing on the People side of Technology
(603) 216-2255
snyder3961_at_mediaone.net
www.snyderconsulting.net
-----Original Message-----
From: calvarez_at_core.eventricity.com
I think 5 is probably the maximum allowable -- personally, I'd use 3
questions, but there's no scientific method backing me up there.

> 2. Are these questions proper--that is, from a usability standpoint, are the
> potential answers to these questions memorable enough for users to react to,
> once they have lost their original password? Some people have indicated that
> the permanence of such answers is problematic: people change their favorites
> often enough not to remember what their current favorite <insert> is.
>

Actually, the bigger problem I see is that multi-word hints are EXTREMELY
difficult to reproduce.

Humans are good at remembering semantic content (meaning) but not good at
remembering precise and arbitrary data. If I choose 'favorite food' and
write down 'french fries', I will return to the site and remember the
concept of french fries, but I won't remember whether I initially typed
"French fries", "fries", or "french fries". Not good!

When I encounter sites with hint questions, I usually pick "pet name" or
"city of birth", since I'm pretty confident I'll remember those
later. Unfortunately, as Christina pointed out, those aren't very secure.

> 3. Additional data as to whether people use these hints successfully? Any
> comparisons with free-text question and answer interfaces?

Personally, I prefer free-text questions and answers. However, that is
largely because I can rely on myself choosing an effective and memorable
Q&A combo.

Having worked extensively on some membership-based websites, I have seen
that users will, in a hurry to finish signing up, simply skip over the
free-text Q&A or write "blah blah", "blah" in the blanks. I imagine users
of a site which required more privacy (bank, etc.) would be more careful,
but it's perhaps a dangerous assumption to make.

Cindy Alvarez
Senior UI Designer,
TeamSphere Interactive
===================================
----------
From: nkannan_at_earthlink.net [mailto:nkannan_at_earthlink.net]

As an avid user of tons of sites, I can put in my two cents.
Web users go to so many different sites these days that ***MOST***
use the same password and want to use the same prompt question
also. I use my "place of birth" if available and if not available from
a list I appreciate sites that allow me to ask this question and accept the
answer.

So my approach would be to allow say five standard questions and also
allow for a user to customize a question and an answer. To me this would be
most usable!!

Regards
Nari

Nari Kannan
Linkblox
1725 Magnolia Circle
Pleasanton
CA 94566

Cell: 925 487 1768
Home: 925 600 7426
------------------------------
From: "Berna Tural" <Berna_Tural_at_ibi.com>
Subject: RE: SIGIA-L: Password reminder...recommendations?

I would have to agree with what Ziya wrote about this question. Whenever I
am prompted with these password reminder questions I always have to think.
It has to be something that is not going to change over time (as favorites
might) and something that I will not forget. Even the all too common "Where
you were born:" has caused me problems, because apparently though I write in
the city in most of the cases, I happened to enter the town in one of the
sites (what was I thinking? who knows...), and when I forgot my password I
had a REAL hard time recovering it.

My suggestion would be to ask an extremely specific question that will be
interesting but will not change. Something like "your first car's license
number or brand" or something. The two most important things about these
questions are that the answers should be the same over the course of a
lifetime, and they must be very specific. Favorites tend to be plural and
change by time.

Cheers,

Berna

------------------------------
From: Phil Glatz <phil_at_glatz.com>

At 09:11 AM 08/28/2001 +0200, Joe wrote:
>2. Are these questions proper--that is, from a usability standpoint, are the
>potential answers to these questions memorable enough for users to react to,
>once they have lost their original password?

From a technical standpoint, these would not be considered secure
passwords. I'm assuming the purpose of the passwords in this case is for a
site that does not contain information like credit card numbers or personal
information. If the goal is to keep non-registered users out, simple
passwords may be appropriate. There are plenty of easily available scripts
crackers can use to get past plain text passwords.

This is the great quandary of passwords - they need to be simple enough to
remember, yet difficult enough to be reasonably secure. If they are truly
secure they usually get written down, defeating their purpose. They also
should be changed often (and seldom are), and a different password should
be used for every place a password is required. These conflicting
requirements make it difficult to secure a system, because in the interest
of ease of use the average user violates one or more of the above rules.

This is a reason applications like Gator and Microsoft's new "Passport"
system will be popular - assuming you'd trust Microsoft with your passwords!

------------------------------
From: "christina wodtke" <cwodtke_at_eleganthack.com>
Subject: Re: SIGIA-L: Password reminder...recommendations?

> Fact: my mother's maiden name
> Opinion: my favorite book

mother's maiden name is a question often used by banks. I never give that,
for obvious reasons. I don't mind "name of your first pet" though I've been
seeing that more often, making it less secure (in my mind).
It's nice to offer both "send me a new password" as well as password hint,
if possible.

Although, personally, I'm starting to have so many email addresses it's
getting easier for me to remember my password than my user id, if my user id
is my email address. I went through five email addresses at ofoto the other
day before remembering which one I used... password was no problem. I wonder
if this will ever become common enough to be a problem, what with more and
more people signing up for dozens of free emails to avoid spam.

c

------------------------------
From: Ziya Oz <ziyaoz_at_earthlink.net>
christina wodtke wrote:

> I wonder if this will ever become common enough to be a problem...

As you noted, it's becoming a significant problem; costing corporations
literally millions of dollars to reset passwords constantly. So much so
that our friendly OS provider has identified it as one of the three
pivotal points of future web growth: Passport.

I think the question will soon be: what will you give up to get rid of all
these pesky login/authentication issues?

Despite the abuse SS cards and driver's licenses get, I've always admired
American peoples' long-lasting distaste for unique identifiers: from
cookies to national ID cards, to the Intel GUID.

Best,

Ziya

------------------------------
From: "David R. Austen" <dausten_at_hoosier.net>

Here's an idea. The name of a street that is important to you can be
the hint to the name of the person who lives on that street. (You
might never forget your grandparents' address if you are of the generation
that used snail mail.)

But a common name is not a good password.

So take some digits of the street number (or phone number) and
insert them in that street name (or family name) so there are no common
morphemes left.

DRA
------------------------------
From: "Matthew C. Clarke" <matt_at_corvu.com.au>

Among other things, "Eileen 'Turtle' Parzek" <turtle_at_turtlesweb.com> wrote:

>Then, when they click on the 'forgot password' link later on, it will ask
>them "What is ___________?" and give them a field to fill in the answer -
>if they answer correctly, they can either be let into the site, directly
>into a place where they can reset their password, or shown their old
>password on screen so they can log in.
>
>As a side note - though you didn't ask - I don't think it really makes
>sense to combine this with emailing them the password - not sure what
>others think on that - it seems to me that its option instead of emailing
>the password. In other words, if you think your users will always have
>access to their mail client when using the web, then you can set it up so
>that if they forget a password, they have to enter their email which will
>then trigger sending the password to their mail box. But what if they don't
>have access to that where they are - ie., using a kiosk or a terminal at a
>library? I prefer the hints because by answering a question, the
>confirmation that they are who they say they are is established and the
>password can be put right up on screen.

But wait a minute, let's remember that the purpose of a password is to
ensure authentication. Any web site or other service provider who can show
me my password either on the screen or by sending me email necessarily
violates that purpose.

Firstly, by proving that *they* know my password, they have proved it is not
private to me and therefore does not authenticate who I say I am. If the
service provider has my password stored somewhere, how can anyone be assured
that someone else doesn't also have access to it? Passwords ought always to
be encrypted so that no-one else, even the service provider, knows what it
is.

Second, the act of transmitting a password over an insecure channel such as
email immediately compromises the password.

It is actually a good test of a service provider's security to tell them I
have forgotten my password and ask how they can help. If they don't issue a
new password and send it to me by a reasonably secure channel after making
sure I am who I claim to be, then I would encourage them to review their
security procedures and note to myself never to use their services for
anything I value.

Matt.

________________________________
Matthew Clarke
Usability and Documentation
CorVu Australasia

Level 4, 1 James Place
North Sydney NSW 2060
Phone 61 2 9959 3522
Fax 61 2 9959 3583
web : www.corvu.com

----------
From: RO_at_bluedolphin.com [mailto:RO_at_bluedolphin.com]

My immediate concern is that the questions deal with opinion not fact...
opinion can change. My favorite food could be coquille st jaques (notice I
didn't use punctuation) a month ago, but maybe I've recently gone off
seafood due to a culinary mishap resulting in food poisoning and now my
favorite food is spinach salad?

If the question deals in facts (mother's maiden name, place of birth, birth
month, etc.) the user is less likely to make an error of memory - these
are unlikely to change over time.

+++++++++++++++++++++++++++++++++++++++++++++++
A truly happy person is one who can enjoy the scenery on a detour.
+++++++++++++++++++++++++++++++++++++++++++++++
Roxanne O'Connell
Product Development - User Interface Design
Blue Dolphin Group, Inc.
526 Boston Post Road, Wayland, MA 01778
Tel: 508.358.6739 - Fax: 508.358.6710
http://www.bluedolphin.com
Knowledge you need, sources you trust
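Three points above can be handled in one place: Cindy's exact-match problem ("French fries" vs "fries"), Roxanne's note about punctuation in answers, Matt's rule that the site itself should never be able to read the stored secret, and Andrew's warning that the answer space is small enough to script through. The following is an added example, not code from the original thread: it normalizes the answer before hashing it with a per-user salt, and caps failed guesses. Function names, the iteration count and the lock-out threshold are assumptions.

```python
"""Hint-answer handling: normalize before hashing, store only the hash,
and cap guesses.  Added example; names and thresholds are assumptions."""
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Any, Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def normalize_answer(answer: str) -> str:
    """Map answers a user would consider 'the same' to one canonical form.

    "French Fries", " french-fries! " and "FRENCH FRIES" all become
    "french fries"; "Coquille St. Jacques" becomes "coquille st jacques".
    Accented letters lose their accents (Müller -> muller) and case folding
    handles letters such as ß (Straße -> strasse), so an answer typed on a
    keyboard without the right dead keys still matches.
    """
    decomposed = unicodedata.normalize("NFKD", answer)
    no_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = no_accents.casefold()
    # keep runs of letters/digits only; punctuation and extra spaces vanish
    return " ".join(re.findall(r"[^\W_]+", folded))


def make_answer_record(answer: str, salt: Optional[bytes] = None) -> Dict[str, Any]:
    """Store only a salted, slow hash of the normalized answer, never the answer."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_answer(record: Dict[str, Any], attempt: str) -> bool:
    """Recompute the hash for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(attempt).encode("utf-8"),
        record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


class HintAttemptLimiter:
    """The answer space is small (a few hundred films, numbers 1-100), so the
    check must not be scriptable: after max_attempts failures the account is
    locked and must fall back to out-of-band recovery until reset."""

    def __init__(self, max_attempts: int = 5) -> None:
        self.max_attempts = max_attempts
        self._failures: Dict[str, int] = {}

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= self.max_attempts

    def check(self, account: str, record: Dict[str, Any], attempt: str) -> bool:
        if self.is_locked(account):
            return False  # refuse even a correct answer once locked
        if verify_answer(record, attempt):
            self._failures.pop(account, None)
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        return False


if __name__ == "__main__":
    rec = make_answer_record("French fries")
    print(verify_answer(rec, "FRENCH-FRIES"), verify_answer(rec, "fries"))  # True False
```

The lock-out state lives in memory here; a real deployment keeps it server-side per account (not per client) so a script cannot reset it by reconnecting.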

----------
From: Susie Robson [mailto:srobson_at_macromedia.com]

You said the client suggested:

What is your--
      favorite novel
      favorite drink
      lucky number
      favorite food
      favorite film

My problem with all of those is that it changes as I grow. The next novel I
read or movie I see might be my new favorite so this is constantly changing.
I don't have a lucky number nor have I ever thought about having a lucky
number. Food and drink? Again, like the novel and movie, this could change
daily, weekly, etc.

I would prefer to have the password hint be something that will remain
constant. Which is probably why many places use Mothers Maiden Name, though
I understand that is more appropriate for the US. I've only had to deal with
the password issue once, for a high school reunion web page and the password
had a hint: what was the last name of the principal. Of course, they only
had one principal for many many years but it worked. For the target
audience, this remained a constant.

Not sure what else you could suggest, but just make sure it is something
that remains constant.

My opinion only.
Susie Robson



This archive was generated by hypermail 2.1.2 : Sun Nov 23 2003 - 22:54:48 EST
