Time to re-think those password labels.

We need to talk about passwords.

Or, more specifically, we need to stop talking about “passwords”.

The term “password” has been around since the 1960s. At that time, a user’s biggest IT security threat was the colleague sitting next to them in the office, so prompting a user for a password (implying 5-8 characters) was good enough.

50 years on, things have changed.

Our users are entrusting us with much more of their data, and that data is accessible from all around the world, and yet we are still prompting our users for a password to protect it all.

A lot of users are still under the misconception that the biggest threat is an actual person guessing their password, and they therefore feel that a single word (or variation of it) is good enough. The IT Industry’s continued use of the term “password” in user interfaces is only reinforcing that misconception.

Most IT people recognise that brute-forcing (with or without dictionary checking) is a far bigger risk. Most IT people also know that the time taken to brute-force a password increases exponentially with the length of the password¹. Therefore, it makes sense to do everything we can to encourage users to select longer passwords.

As I see it, a super-simple way of doing this is to stop prompting users for a “password” and to start prompting them for a “passphrase” instead. This implies “multiple words”, and that immediately puts the users likely choices up in the realms of 12+ characters.

Best of all, from a technical standpoint, this only requires a trivial UI change that your devs can make in no time (assuming that your devs are already hashing user passwords to a fixed-length hash in the backend, which I really hope that they are). Note that I am literally just talking about updating the UI labels here - you can leave all your other password policy stuff as-is.

A huge part of IT security comes down to educating users, and encouraging users to make good password choices is part of that education. Therefore, I think it’s worth us all giving careful thought to the wording surrounding login credentials in our web apps, and what message that sends to our users.