Last post Dec 11, 2008 06:39 PM by dalepresjunk
Nov 14, 2008 06:40 PM|gerrylowry|LINK
All passwords must be at least 6 characters long and contain
at least 1 uppercase character,
at least 1 lowercase character, and
at least 1 numeric character (digit).
EXAMPLE: to see the ABOVE password criteria, I have to enter an unacceptable password first.
imo, it is a best practice to show the criteria in proximity to where an end user will CREATE
that password. Otherwise, the end user experiences unnecessary frustration.
meta ui recommendation
Nov 14, 2008 08:33 PM|bullpit|LINK
You are absolutely positively right on this. This issue has been raised before but no result yet.
Nov 14, 2008 10:11 PM|SGWellens|LINK
That is a great suggestion.
And, since it doesn't modify any code or logic, it could be implemented with virtually no testing.
Nov 20, 2008 01:44 AM|TATWORTH|LINK
>EXAMPLE: to see the ABOVE password criteria, I have to enter an unacceptable password first.
Not giving the information at the outset probably arises from the security through obscurity thinking. There are systems which never state what the rules are; however, whilst the hacker will persist and work out exactly what the rule is, the ordinary user just gets irritated.
Nov 20, 2008 08:11 AM|bullpit|LINK
>probably arises from the security through obscurity thinking
Maybe... and if that's the case then I think it still does not help. To get to the registration page, a user has to click the Join link, then fill out a bunch of fields and probably some other registration steps after that (I don't remember exactly). If it is a person who is trying to hack (which I doubt would be the case), then she/he can get the rules easily. If it's a bot and if someone creates a bot complex and smart enough to go through all these registration steps, then IMO she/he has better systems to hack than this one.
Nov 21, 2008 10:40 AM|gerrylowry|LINK
No offense meant: I'm a bit more cynical, perhaps because in my 40+ years of programming, I've seen a lot of lazy programmers.
Not showing the password requirements first was likely an oversight initially. The fact that this deficiency has been raised more than once implies that laziness may be a factor. OTOH, it could simply be a case of too many alligators*, i.e., insufficient time to revisit this issue because of too many other demanding issues.
I doubt that "security through obscurity thinking" is a factor. Of course, I could be wrong since I was not involved in the design of this forum. Regardless of the reason, fixing this nit is nevertheless a worthwhile task imo.
BTW, while my suggestions may seem like unthankfulness, please note that I am quite grateful that these
forums exist and am equally grateful for the valuable contributions made to these forums.
As programmers, we create software and then leave it alone. Our end users sadly must use our software
over and over again, perhaps for years. It makes sense that a small extra effort goes a very long way.
regards ~~ gerry
* [it can be difficult to focus on the task of draining the swamp when one is up to her/his buttocks in alligators]
Feedback on this website
Nov 21, 2008 12:42 PM|TATWORTH|LINK
I have seen the "security through obscurity thinking" group argue that password complexity should not be disclosed ever! Then they have to disclose it at the end of the process. All this frustrates the user.
Let's ask for this nit to be fixed.
Dec 11, 2008 06:39 PM|dalepresjunk|LINK
I'm all for it. Like others said, this is a 30-minute fix at most.
This is an example, and there are plenty on this site, of what happens when web developers are in complete control of specs, design, usability, and development. I have been a web developer for 14 years with many years of other development before Windows and even before DOS. I know that I do not set the requirements; the customer (at the business level, not the user level) sets the requirements. I may do a lot of design work but designers and marketing often do better and, in any case, all designs go through usability reviews. Eventually, I have a design and technical requirements - the parts of the project I am most suited for completing successfully. Developers are not designers, are not - no matter how much they will argue otherwise - usability experts, and should not be performing those functions.
I hope that Microsoft will require that these issues be fixed.
Let me add that this whole issue goes away if asp.net switches to using Live login - which is another thing they should do. All other Microsoft sites, except those run by the company who runs this, use Live login.