GNOME Bugzilla – Bug 780002
Lack of feedback in the UI when trying to change password and the password is weak.
Last modified: 2017-05-03 09:42:38 UTC
While helping a new starter set up their laptop today we tried to change their password: Entered the placeholder password in the "Current Password" field (a tick appeared), entered a new one in the new password field, and entered the confirmation copy in the third field (another tick appeared). These were the only visible changes in the UI. Eventually worked around it by firing up a terminal and running passwd, and only later learned that the middle field also required a tick. Indicating why a value is being rejected (or even that it is being rejected) would probably make for a less frustrating user experience. I should note that I have no idea what the user was entering into those fields so I have no idea whether what was entered was weak (although I'm guessing that was what gnome-control-center decided - it just didn't seem to indicate this in any obvious way).
Thanks for your bug report. The checkmarks are used as a "positive" feedback for each entry and under the "New Password" entry is a password strength indicator with a textual description. I am not sure what more can be done for it... The "negative" feedback in case of wrong passwords has been replaced by the "positive" on designer request (Bug 702476). Allan, don't you have any comment?
There was a faint white-on-grey bit between the password boxes which looked like it might be a password entropy bar - but it didn't change at all, it just remained inert. I'll run through the process again when the user is next in the office to re-confirm the details above (they're the first one with that version of gnome (on wayland)) so it's possible something isn't working right there.
Created attachment 348205
Dialog box with weak password
This isn't exactly what we saw, as the user is on a newer version of gnome, but it's pretty close. Under the viewing conditions: HIDPI display on a laptop, brightly lit office, ultra-reflective display panel which seems to be the norm nowadays: The text below the entropy bar was almost invisible (certainly didn't notice it at the time) and as you can see the entropy bar hasn't changed in any way.
The password strength is determined by libpwquality, which is pretty hard unfortunately. The entered password is probably too weak for libpwquality, so you can't see any change on the strength indicator...
That seems... bad? Surely the default should be red, or low quality, not an inactive widget with some easy to miss text?
Yes, probably, it would be a good idea to show the first level of the strength indicator by default, or once a password length is bigger than 0. Maybe we should also set some custom colors for the strength indicator (Red - Yellow - Green). Allan?
(In reply to Ondrej Holy from comment #6)
> Yes, probably, it would be a good idea to show the first level of the
> strength indicator by default, or once a password length is bigger than 0.
> Maybe we should also set some custom colors for the strength indicator (Red
> - Yellow - Green). Allan?
Increasing the number of levels in the bar and using color coding (red - yellow - green) would help a lot. A short or weak password should show a low bar with red segments.
I don't want the UI to become too negative, but there might be scope to make the feedback more direct in cases where the password is being rejected. If it's not long enough, it could say "Password needs to be longer. Try adding more letters, numbers and punctuation." for example.
I'm also conscious that there seems to be a mismatch between the strength bar and the feedback. For example, I can enter a password that fills the bar 1/4, and the message says "Good password!". To me, 25% doesn't mean "good".
Created attachment 349292
user-accounts: Remove unused password hints
Short password hints have not been used for some time. Let's remove them.
Created attachment 349293
user-accounts: Add strength indicator level for weak passwords
Add a first level for short or weak passwords to make it obvious that the strength indicator signals something.
Created attachment 349294
user-accounts: Improve password hints
Don't say "Good password!" for all acceptable passwords (e.g. weak passwords). Say explicitly that the password needs to be longer for short passwords.
Created attachment 349295
user-accounts: Change colors of password strength indicator
Use red-yellow-green colors for strength indicator levels.
Created attachment 349296
Screencast of password dialog improvements
Allan, thanks for your comment. Here is a screencast for the proposed password dialog improvements, what do you think?
(In reply to Ondrej Holy from comment #12)
> Created attachment 349296
> Screencast of password dialog improvements
>
> Allan, thanks for your comment. Here is a screencast for the proposed
> password dialog improvements, what do you think?
This looks like an improvement to me. Two tiny nitpicks (not sure if they are new issues or not):
1. There's a small gap between the filled sections of the strength bar and the end of the trough on the right.
2. One of the strings reads "Adding more letters, numbers and punctuation will make it stronger." The "it" seems a bit ambiguous - maybe better to say "Adding more letters, numbers and punctuation will make the password stronger."
Review of attachment 349292: sure.
Review of attachment 349293: What's the matter with starting with 0 or 1 here? Anyway, it is fine.
Review of attachment 349294: Push after Allan's suggestion on the "it".
Review of attachment 349295: lgtm. I think we could propose to have the strength indicator level as a widget. I can see it being used elsewhere.
Attachment 349292 pushed as 9e41233 - user-accounts: Remove unused password hints
Attachment 349293 pushed as e89d4f5 - user-accounts: Add strength indicator level for weak passwords
I took the liberty to update and rebase the patch below accordingly.
Attachment 349294 pushed as cd1f96f - user-accounts: Improve password hints
Attachment 349295 pushed as 4cad3ca - user-accounts: Change colors of password strength indicator
The small gap in the strength bar could be filed as another bug.