passwords, security and human computer interaction

[Screenshot from 2013-05-29 08:49:42]
I’ve written a lot about the importance of changing your password and keeping your accounts safe. We don’t currently have a comprehensive password policy, but with our student account I have a great opportunity for trying things out that can be applied up the chain.

This year was the first time we did student accounts, and I gave them strictly random passwords. They were terrible: hard to memorize, and the students hated them (at first). As with many things, after a couple of weeks of grumbling they memorized their passwords and were fine for the rest of the year. This year I wanted to enforce good principles of security, but give them a choice of several passwords.

I wrote a quick password-changer (code) with a few goals in mind:

  • let a user choose from a set of good passwords
  • generate ‘pronounceable’ passwords
  • authenticate user using existing password
  • store password where it can be retrieved by school administration

Since I didn’t want students to have the ability to type in any password, I implemented it using radio buttons. This gives me control over what types of passwords they can have, but gives them the freedom of choosing from an effectively unlimited number of them.
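As an added example (not the password-changer linked above), here is one way to implement the two technical goals in the list, generating pronounceable passwords and offering a fixed set of them, together with the check that radio buttons alone cannot provide: a browser form can be edited, so the server must confirm that the submitted password is one of the candidates it actually offered. The consonant/vowel alphabet, the syllable-plus-digits scheme, and the HMAC-tagged candidate list are my assumptions, not the original tool’s design.

```python
import hashlib
import hmac
import math
import re
import secrets

# Constructed alphabet (assumption, not the original changer's): every
# consonant-vowel pair is easy to say, and q/x/y are left out.
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters
VOWELS = "aeiou"                    # 5 letters
DIGITS = "0123456789"


def pronounceable_password(syllables=4, digits=2, rng=secrets):
    """Build a password from consonant-vowel syllables plus trailing digits.

    `rng` only needs a .choice(); the default is the `secrets` module, so the
    choices come from the OS CSPRNG rather than random.random().
    """
    word = "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS)
                   for _ in range(syllables))
    tail = "".join(rng.choice(DIGITS) for _ in range(digits))
    return word + tail


def matches_scheme(password, syllables=4, digits=2):
    """Server-side sanity check: does a value even fit the generator's shape?"""
    pattern = "(?:[%s][%s]){%d}[%s]{%d}" % (
        CONSONANTS, VOWELS, syllables, DIGITS, digits)
    return re.fullmatch(pattern, password) is not None


def entropy_bits(syllables=4, digits=2):
    """Guessing resistance in bits. An attacker who knows the scheme only has
    to enumerate the choices inside it, so that is all that is counted."""
    per_syllable = math.log2(len(CONSONANTS) * len(VOWELS))   # log2(90)
    per_digit = math.log2(len(DIGITS))                        # log2(10)
    return syllables * per_syllable + digits * per_digit      # ~32.6 bits


def offer_passwords(server_key, count=5, rng=secrets):
    """Generate the candidates to show as radio buttons, plus an HMAC tag over
    the list so the server can later verify the list came from it unmodified.
    `server_key` is a secret held only by the server (assumed, e.g. from config).
    """
    candidates = [pronounceable_password(rng=rng) for _ in range(count)]
    tag = hmac.new(server_key, "\n".join(candidates).encode(),
                   hashlib.sha256).hexdigest()
    return candidates, tag


def verify_selection(server_key, candidates, tag, chosen):
    """True only if `candidates` is authentic and `chosen` is one of them.

    The form round-trips the candidate list and tag as hidden fields; a user
    who edits the HTML and POSTs "hunter2", or appends it to the list, is
    rejected here rather than trusted because the page used radio buttons.
    """
    expected = hmac.new(server_key, "\n".join(candidates).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return chosen in candidates and matches_scheme(chosen)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    cands, tag = offer_passwords(key)
    print("offered:", cands, "(%.1f bits each)" % entropy_bits())
    print("picked first candidate:", verify_selection(key, cands, tag, cands[0]))
    print("typed in own password:", verify_selection(key, cands, tag, "hunter2"))
```

Two caveats worth keeping in mind with this layout: the candidate list travels through the browser, so the form must only be served over HTTPS, and at roughly 32 bits a four-syllable password is fine against online guessing with lockouts but weak against offline cracking, which matters if the stored copy kept for administration is ever exposed. Adding a syllable raises the figure by about 6.5 bits.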

Unfortunately, what in concept seemed great and obvious to me was actually somewhat confusing for the students. We had a few common problems:

  • not actually making a password selection (that is, clicking on a radio button)
  • confusing the term ‘username’ with ‘email’ (adding @students.logoscambodia.org onto their username)
  • emailing me directly with a password they want, or the password they selected

After adding clearer help text, we had greater success. I’d still like to make the process clearer though – especially before I use it for staff! Any thoughts on how?