Shostack + Friends Blog Archive


Don't Tell People What Not To Do!

[Update: If I’d been able to find the page which Arthur provided in a comment, I wouldn’t have written this quite like this.]

It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he quotes Google’s password advice:

  • Don’t use a password that is listed as an example of how to pick a good password.
  • Don’t use a password that contains personal information (name, birth date, etc.).
  • Don’t use words or acronyms that can be found in a dictionary.
  • Don’t use keyboard patterns (asdf) or sequential numbers (1234).
  • Don’t make your password all numbers, uppercase letters or lowercase letters.
  • Don’t use repeating characters (aa11).

What jumps out at me is that this is all negative: Don’t do this, don’t do that. This from a company famed for usability. What it should say is “Create a password by choosing a phrase, and use the first letter of each word of the phrase. (capbcapautfloewotp).” I’m pleased to be able to back that up with experimental results, in the form of Jianxin Yan, Alan Blackwell, Ross Anderson and Alasdair Grant’s “The Memorability and Security of Passwords — Some Empirical Results.”

Now, if you take that advice, it is only possible to violate rules 1 (using the example) and 5 (using all lower-case letters). So rather than offering one bit of good advice and a caveat, they offer six caveats, and no advice on what to do.
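To make that point concrete, here is an added example (my own, not Google’s checker and not code from the Yan et al. paper) that derives a password from a phrase the way the post recommends and then grades it against the six quoted rules. The word list, keyboard patterns and personal-information tokens are assumed stand-ins.

```python
import re
import string

# Constructed stand-ins, not Google's real checker: the rule wording comes from
# the six "don't" items quoted above; the word list and patterns are assumptions.
EXAMPLE_PASSWORDS = {"capbcapautfloewotp"}      # rule 1: the post's own example
DICTIONARY = {"password", "dragon", "letter", "google", "phrase"}
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "qaz")
DIGIT_RUN = "0123456789"


def first_letters(phrase: str) -> str:
    """The positive advice: the first letter of each word, lower-cased so that
    the post's own phrase yields exactly 'capbcapautfloewotp'."""
    words = (w.lstrip(string.punctuation) for w in phrase.split())
    return "".join(w[0].lower() for w in words if w)


def violations(pw: str, personal=()) -> list:
    """Return the numbers (1-6) of the quoted 'don't' rules that pw breaks."""
    low = pw.lower()
    broken = []
    if low in EXAMPLE_PASSWORDS:                                    # rule 1
        broken.append(1)
    if any(p.lower() in low for p in personal if p):                # rule 2
        broken.append(2)
    if low in DICTIONARY or any(len(w) >= 4 and w in low for w in DICTIONARY):
        broken.append(3)                                            # rule 3
    windows = [low[i:i + 4] for i in range(len(low) - 3)]
    if any(k in low for k in KEYBOARD_PATTERNS) or any(
            w in DIGIT_RUN or w in DIGIT_RUN[::-1] for w in windows):
        broken.append(4)                                            # rule 4
    if pw.isdigit() or (pw.isalpha() and (pw.isupper() or pw.islower())):
        broken.append(5)                                            # rule 5
    if re.search(r"(.)\1", pw):                                     # rule 6
        broken.append(6)
    return broken


if __name__ == "__main__":
    phrase = ("Create a password by choosing a phrase, and use the first "
              "letter of each word of the phrase.")
    pw = first_letters(phrase)
    # Following the positive advice breaks only rules 1 and 5, as the post says.
    print(pw, violations(pw))
```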

As an aside, I wanted to link to the password change page, but when I tried to get there, finally found it, and clicked the “password” link, I was told my session was invalid. Repeatedly. So if Google actually offers positive advice, I wasn’t able to find it.

4 comments on "Don't Tell People What Not To Do!"

  • Saar Drimer says:

    I wrote this a few months ago… did you check if it is still the same?
    You’d think Google would go the extra mile and check for these automatically. However, usability-wise, they might shoot themselves in the foot since a lot of passwords would not “pass” and they will get complaints. In all honesty, why should they care if the password is weak as long as they warned the users? I can’t see an incentive for forcing “good” passwords from Google’s point of view.
    “don’t do…” reminds me of a George Carlin bit on the 10 commandments:
    “Two is all you need; Moses could have carried them down the hill in his fuckin’ pocket. I wouldn’t mind those folks in Alabama posting them on the courthouse wall, as long as they provided one additional commandment:
    Thou shalt keep thy religion to thyself.”
    (A friend sent it to me yesterday! Amazing timing.)

  • arthur says:
    FWIW, they seem to have fixed it somewhat. From the above URL:
    “Tips for creating a secure password:
    * Include punctuation marks and/or numbers.
    * Mix capital and lowercase letters.
    * Include similar looking substitutions, such as the number zero for the letter ‘O’ or ‘$’ for the letter ‘S’.
    * Create a unique acronym.
    * Include phonetic replacements, such as ‘Luv 2 Laf’ for ‘Love to Laugh’.”
    all of which appears before the “what not to do” section.

  • Chris Walsh says:

    Don’t tell me what not to tell people not to do! :^)

  • Saar Drimer says:

    So I checked…
    1. I had to dig through the g-mail help section to find how to change the password! (it is not obvious, try it.)
    2. It still works as I described it in my post.
    This piece of advice is debatable:
    “Never write your password down.”
    It’s not whether you wrote it down that makes it insecure, but rather where you keep it.
