Make WordPress Core

Opened 2 years ago

Last modified 17 months ago

#40237 new enhancement

Educate users about modern password best-practices

Reported by: iandunn
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-ux-feedback
Focuses:
Cc:

Description

We've done several things over the past few years to encourage users to use stronger passwords, but we've never tried to educate them about why it's important. It's obvious to most of us, but I think it's common for the average user to think things like, "Why would anybody want to hack into this small site I created for a non-profit?"

If someone doesn't understand why having a strong password is important, they're not going to be motivated to take any steps in that direction, and they may respond to any attempts to push them in that direction by adopting insecure workarounds to avoid it, like post-it notes stuck to their monitor with the password they reuse on all sites.

It seems like educating users about the risks of weak passwords, and easy ways to follow modern best practices, could be very effective.

My first thought would be something like this:

  1. When a user is manually entering a password, if zxcvbn detects a low entropy score, then they're shown a message saying something like, "That password won't protect your account from hackers. Automated bots attempt to gain access to all accounts on the Web 24/7, no matter how small. Don't worry, though, there's an easy way to use very strong passwords, and you'll never have to type or remember them. Learn more."
  2. Clicking on Learn more would reveal a modal with a brief explanation of how to use password managers, with a link to a longer article (maybe similar to WordPress.com's, but more .org-specific).
  3. The modal would also have a video embedded, since many people are more willing to watch a video than read a long article. We could put the video on WordPress.tv and subtitle it in all of the locales.

That's just one idea though, does anybody have any others?

Change History (8)

#1 @iandunn
2 years ago

  • Keywords ux-feedback added

This ticket was mentioned in Slack in #design by karmatosed.
18 months ago

#4 @mizejewski
18 months ago

  • Keywords has-ux-feedback added; ux-feedback removed

This guiding nudge is a great idea. Video presents more challenges, including accessibility concerns, so maybe concentrate first on a succinct page inspired by the WordPress.com version. Can we get the Docs Team involved? (@kenshino)

#5 follow-up: @Kenshino
18 months ago

Can do. And sounds like a good task for Helphub.

Quick thoughts on the text: our users may not have English as their first language. Words like "entropy" should be avoided. The simpler the language, the better.

We might want to explain that it's the bots that are guessing passwords, so they understand why ilovefootball1991 isn't a safe password.

@milana_cap any thoughts? :)

#6 in reply to: ↑ 5 @milana_cap
18 months ago

Replying to Kenshino:

> Can do. And sounds like a good task for Helphub.
>
> Quick thoughts on the text: our users may not have English as their first language. Words like "entropy" should be avoided. The simpler the language, the better.
>
> We might want to explain that it's the bots that are guessing passwords, so they understand why ilovefootball1991 isn't a safe password.
>
> @milana_cap any thoughts? :)

Sure, we can do it, and it should be in HelpHub as well. I'll raise this at tomorrow's meeting @Kenshino.

This ticket was mentioned in Slack in #docs by zzap.
18 months ago

This ticket was mentioned in Slack in #docs by zzap.
17 months ago
