Have a look at this:

screenshot of awkward UI text

Not great from an end-user's perspective.

There are a few key issues I have with this text:

1. You should focus on helping the user achieve a positive outcome, not just bombard them with a list of problems to solve
2. It's not just any old password on the street, it's the user's password
3. You don't need to start every list item with "Password must have" (which I instinctively read in a robot voice in my head)
4. Words like "compliance" and "requirements" are business words for developers and stakeholders found in technical documents; they're not very friendly for end-users who are often already feeling stressed when needing to deal with passwords and security.

What about something like this:

Your new password is not strong enough. Please follow these guidelines:

- Include at least 1 letter
- Include at least 1 number
- Make sure the password is at least 8 characters long


Comments

thedavidmeister created an issue.

thedavidmeister

Bonus points if you can base comments on the diff between current state and needed requirements. That would truly be helping the user problem solve.

e.g.

Your new password is not strong enough. Please update the following:

- Include at least 1 more letter
- Include at least 1 more number
- Make sure the password is at least 3 characters longer (for a total of 8)

NancyDru

Attachment: 6.51 KB

Here's a start.

NancyDru

Passwords must meet the following requirements:

  • You must include both upper and lower case letters.
  • You must have at least 2 letter(s).
  • There are certain words that are not allowed.
  • Make sure the password is at least 8 characters long.
  • You must have fewer than 2 identical characters in a row.
  • You must meet a strength level of 50.
  • Include at least 1 digit(s).
  • You may not use the 1 past passwords.
  • You must include at least 1 symbol(s).
  • You may not include your username.

AohRveTPV

1. You should focus on helping the user achieve a positive outcome, not just bombard them with a list of problems to solve
2. It's not just any old password on the street, it's the user's password
3. You don't need to start every list item with "Password must have" (which I instinctively read in a robot voice in my head)
4. Words like "compliance" and "requirements" are business words for developers and stakeholders found in technical documents; they're not very friendly for end-users who are often already feeling stressed when needing to deal with passwords and security.

Agreed, except I'm not sure "requirements" is too unfamiliar or threatening to lay people.

Your new password is not strong enough. Please follow these guidelines:

I think it is inaccurate to refer to requirements as mere guidelines. Guidelines are just suggestions. Also, in line with your point #1, I think it would be good to avoid negative language if possible ("not strong enough").

You must include both upper and lower case letters.
You must have at least 2 letter(s).
There are certain words that are not allowed.
Make sure the password is at least 8 characters long.
You must have fewer than 2 identical characters in a row.
You must meet a strength level of 50.
Include at least 1 digit(s).
You may not use the 1 past passwords.
You must include at least 1 symbol(s).
You may not include your username.

To me the "You may" and "You must" comes off as imperative or even a bit accusatory. So I think it would be better to avoid the "you" in the requirements list, which is unneeded anyway.

Here is proposed text, based on NancyDru's above, that attempts to address thedavidmeister's four points, and also minimizes negative language.

Password requirements met:
[ meter ]

Your password must:
- Include both upper and lower case letters
- Have at least 2 letter(s)
- Not include certain disallowed words (Or: "Avoid including...")
- Be at least 8 characters long
- Have fewer than 2 identical characters in a row
- Have a strength level of at least 50
- Include at least 1 digit(s)
- Be different than your past 1 password(s)
- Include at least 1 symbol(s)
- Not include your username (Or: "Avoid including...")

Instead of "Your password must:", perhaps "For security, please change your password so it:"

If "requirements" is really objectionable, perhaps instead of "Password requirements met", "Password criteria met". I suspect the author of this branch used "Password compliance" instead of "Password strength" because it doesn't really make sense to say something has "1 of 4" strength.

NancyDru

Thanks. I'll try to make those changes today. Also I'd like to see if I can use format_plural() rather than (s). That will require adding a second string to the plugin definition, something like:

$plugin = array(
  'admin form callback' => 'password_policy_int_count_admin_form',
  'constraint callback' => 'password_policy_int_count_constraint',
  'message' => t('Include at least one digit.'),
  'plural' => t('Include at least @int_count digits.'),
  'prime value' => 'int_count',
  'config' => array(
    'int_count' => NULL,
  ),
);

Does anyone have a problem with that?
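To show the two ideas in this thread together, thedavidmeister's gap-based messages ("1 more letter", "3 characters longer (for a total of 8)") and format_plural() in place of "(s)", here is an added example. It is not code from the Password Policy module; the policy keys and the function name password_policy_gap_messages() are assumptions for the example, and the format_plural() stand-in is only there so it runs outside Drupal.

```php
<?php
// Added example, not code from the Password Policy module: build feedback
// from the gap between the current password and the policy (thedavidmeister's
// suggestion) and pluralize with format_plural() instead of "(s)".

// Stand-in so this runs outside Drupal; inside Drupal the real
// format_plural() from common.inc is used and this block is skipped.
if (!function_exists('format_plural')) {
  function format_plural($count, $singular, $plural, array $args = array()) {
    $args['@count'] = $count;
    return strtr($count == 1 ? $singular : $plural, $args);
  }
}

/**
 * Lists what is still missing for $password to satisfy $policy.
 * Policy keys 'alpha_count', 'int_count', 'min_length' are assumed here.
 * Rules already met produce no message. Inside Drupal, prefer
 * drupal_strlen() so multibyte characters are counted correctly.
 */
function password_policy_gap_messages($password, array $policy) {
  $messages = array();
  $missing = $policy['alpha_count'] - preg_match_all('/[A-Za-z]/', $password);
  if ($missing > 0) {
    $messages[] = format_plural($missing, 'Include at least 1 more letter.',
      'Include at least @count more letters.');
  }

  $missing = $policy['int_count'] - preg_match_all('/[0-9]/', $password);
  if ($missing > 0) {
    $messages[] = format_plural($missing, 'Include at least 1 more number.',
      'Include at least @count more numbers.');
  }

  $missing = $policy['min_length'] - strlen($password);
  if ($missing > 0) {
    $messages[] = format_plural($missing,
      'Make the password at least 1 character longer (for a total of @total).',
      'Make the password at least @count characters longer (for a total of @total).',
      array('@total' => $policy['min_length']));
  }
  return $messages;
}

// Constructed sample: 2 letters, 1 number, 8 characters required; "a" falls short.
$policy = array('alpha_count' => 2, 'int_count' => 1, 'min_length' => 8);
foreach (password_policy_gap_messages('a', $policy) as $message) {
  print "- $message\n";
}
```

A password that already satisfies a rule produces no line for it, so the user only sees what still needs to change.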

NancyDru

Attachment: 6.95 KB

"In order for your new password to be strong, please follow these rules:"

For security, please change your password so it:

  • Include both upper and lower case letters.
  • Include at least 2 letter(s).
  • Not include certain disallowed words.
  • Be at least 8 characters long.
  • Have fewer than 2 identical characters in a row.
  • Have a strength level of at least 50.
  • Include at least 1 digit(s).
  • Be different than your 1 past passwords.
  • Include at least 1 symbol(s).
  • Avoid including your username.

NancyDru

Assigned: Unassigned » NancyDru
Status: Active » Needs review

Status: Needs review » Needs work

The last submitted patch, 7: 2598708-7.patch, failed testing.

NancyDru

Status: Needs work » Needs review
Attachment: 8.94 KB

Let's try it again. I don't really speak Test but I tried.