Password Reset
From: Michael JasonSmith
Date: Oct 28 23:47 UTC
I have added a prototype Set Password page to this group:
http://groupserver.org/groups/development/set_password_prototype
It is very similar to the existing Change Password page, which is found in
every user's profile. However, I am concerned about some of the language used
on the page, and the restrictions that we should place on passwords.
For the second password-entry, I used “Confirm Password” as the label. What do
you all think of this label? I have also seen
* “Repeat Password” (GroupServer 0.x),
* “Retype new password” (GNOME, Wikipedia),
* “Password (again)” (LiveJournal),
* “Confirm” (Facebook),
* “Confirm new password” (Google) and
* No label at all (Slashdot).
From the above sample, I am reasonably confident that there is no standard
label. I also suspect that most people will fill out the second box as a matter
of course, regardless of the label. However, there is no harm getting the
details right ☺
My second concern is what restrictions, if any, do we place on the password?
Currently, the JavaScript embedded into the page ensures that the password is
set to something, so no blank passwords are allowed. However, we could ensure
that the password contains at least one number, a mixture of upper and lower
case, and cannot be cracked by the standard tools. Alternatively, we could use
a "strength meter", like Google, to rate the password.
I am against placing onerous restrictions on passwords, because that will annoy
users. I also dislike the meter idea because it will be confusing to those who
are not familiar with security, and not help those who are familiar with
security. However, I am willing to be convinced otherwise on either count ☺
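
The three options raised in the post (non-blank only, a composition rule, and rejecting guessable passwords) can be compared on the same inputs. This is an added example, not part of the original post or GroupServer's code; the function names, the tiny `COMMON` list and the 8-character minimum are assumptions made for illustration.

```javascript
// Constructed stand-in for a real list of commonly used passwords.
const COMMON = new Set(["password1", "letmein1", "qwerty123", "welcome1"]);

// Behaviour the post describes today: any non-blank password is accepted.
function notBlank(pw) {
  return pw.length > 0;
}

// Composition rule from the post: at least one number and mixed case.
function composition(pw) {
  return /[0-9]/.test(pw) && /[a-z]/.test(pw) && /[A-Z]/.test(pw);
}

// Approximation of "cannot be cracked by the standard tools": reject short
// passwords and anything on the common list (compared case-insensitively).
// minLength = 8 is an assumed value, not one taken from the post.
function notGuessable(pw, minLength = 8) {
  return pw.length >= minLength && !COMMON.has(pw.toLowerCase());
}

// Evaluate both entry boxes against every policy so they can be compared.
function evaluate(pw, confirm) {
  return {
    matches: pw === confirm,
    notBlank: notBlank(pw),
    composition: composition(pw),
    notGuessable: notGuessable(pw),
  };
}

// Constructed sample inputs: [password, confirmation].
const samples = [
  ["", ""],
  ["Password1", "Password1"],
  ["correct horse battery staple", "correct horse battery staple"],
  ["Tr0ub4dor", "Tr0ub4dor "], // trailing space in the second box
];

for (const [pw, confirm] of samples) {
  console.log(JSON.stringify(pw), evaluate(pw, confirm));
}
```

On these inputs the composition rule accepts `Password1` while rejecting the long passphrase, and the guessability check does the opposite.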