[Update: If I’d been able to find the page which Arthur provided in a comment, I wouldn’t have written this quite like this.]
It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he quotes Google’s password advice:
- Don’t use a password that is listed as an example of how to pick a good password.
- Don’t use a password that contains personal information (name, birth date, etc.)
- Don’t use words or acronyms that can be found in a dictionary.
- Don’t use keyboard patterns (asdf) or sequential numbers (1234).
- Don’t make your password all numbers, uppercase letters or lowercase letters.
- Don’t use repeating characters (aa11).
What jumps out at me is that this is all negative: Don’t do this, don’t do that. This from a company famed for usability. What it should say is “Create a password by choosing a phrase, and use the first letter of each word of the phrase. (capbcapautfloewotp).” I’m pleased to be able to back that up with experimental results, in the form of Jianxin Yan, Alan Blackwell, Ross Anderson and Alasdair Grant’s “The Memorability and Security of Passwords — Some Empirical Results.”
Now, if you take that advice, it is only possible to violate rules 1 (using the example) and 5 (using all lower-case letters). So rather than offering one bit of good advice and a caveat, they offer six caveats, and no advice on what to do.
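To make the point concrete, here is an added example (mine, not Google’s checker or the post’s) that derives a password from a phrase the way the post recommends and scores it against the six “don’t” rules above; the dictionary and personal-information lists are small constructed stand-ins, since the real ones are not on the page.

```python
import re

# Google's six "don't" rules from the post, numbered as in the list above.
EXAMPLE_PASSWORDS = {"capbcapautfloewotp"}      # rule 1: the post's published example
PERSONAL_INFO = {"alice", "1980"}               # rule 2: constructed sample values
DICTIONARY = {"password", "letmein", "asdf"}    # rule 3: constructed sample words
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
DIGITS = "0123456789"


def mnemonic_password(phrase: str) -> str:
    """The post's positive advice: first letter of each word of a phrase."""
    return "".join(word[0] for word in phrase.lower().split())


def _has_run(pw: str, rows, length: int = 4) -> bool:
    """True if any `length`-char slice of pw lies on one of `rows`, in either direction."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if any(chunk in row or chunk in row[::-1] for row in rows):
            return True
    return False


def violated_rules(pw: str) -> list[int]:
    """Return the numbers of the six rules that `pw` breaks."""
    low = pw.lower()
    hits = []
    if low in EXAMPLE_PASSWORDS:                       # 1: the published example
        hits.append(1)
    if any(info in low for info in PERSONAL_INFO):     # 2: personal information
        hits.append(2)
    if any(word in low for word in DICTIONARY):        # 3: dictionary words
        hits.append(3)
    if _has_run(pw, KEYBOARD_ROWS) or _has_run(pw, (DIGITS,)):  # 4: asdf / 1234
        hits.append(4)
    if pw.isdigit() or (pw.isalpha() and (pw.isupper() or pw.islower())):  # 5: one class
        hits.append(5)
    if re.search(r"(.)\1", pw):                        # 6: repeated characters (aa11)
        hits.append(6)
    return hits
```

Run against the post’s own phrase, the derived password trips exactly rules 1 and 5, as the text says; a fresh phrase containing a number trips none of them.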
As an aside, I wanted to link to the password change page, but getting there was not easy. When I finally found it and clicked the “password” link, I was told my session was invalid. Repeatedly. So if Google actually offers positive advice, I wasn’t able to find it.