Talking Usability: There’s No Such Thing as a User-Friendly Password

By David Dick, Fellow

Passwords are required for all types of online activity to authenticate the user.  One thing is certain: until technology provides a better solution to passwords, we must learn to create strong passwords and remember them in order to safeguard our personal data from hackers.

There are ways to circumvent the effort to remember passwords by checking the box labeled “Remember Me.”  “Remember Me” works well for mobile devices because the keys on the keyboard are often too small to enter a complex password.  Just remember to create a security code in case the mobile phone is stolen to prevent thieves from accessing the data. Come to think of it—many people do not use security codes for their mobile devices because it’s another number to remember.

Although there is an international standard for the definition of product usability (ISO 9241), there is no corresponding standard definition for password usability. In “Users are not the enemy,” Adams and Sasse identify three usability characteristics that users desire of passwords: easy to remember, able to be used across multiple systems, and rarely changed.  You will learn why these desired characteristics do not contribute to creating and managing strong passwords.

If you have ever forgotten a password and created a new one, you have seen these four guidelines:

  1. Use at least eight characters; a combination of numbers and letters is best.
  2. Do not use the same password you have used with us previously.
  3. Do not use dictionary words, your name, e-mail address, mobile phone number or other personal information that can be easily obtained.
  4. Do not use the same password for multiple online accounts.

If you are like me, you ignored the guidelines and created an easy-to-remember password. But do you know why these guidelines are important and why you need to adhere to them?

Use at least eight characters; a combination of numbers and letters is best. Most password fields are not limited to a fixed eight-character length. Nevertheless, we create eight-character passwords because they are easier to remember. Unfortunately, an eight-character password is less secure than a password containing 16 or 24 alphanumeric characters with dashes and special characters.  The password “love1234” is easy to remember, but weak.  A password that uses letters from a phrase such as “I’ll see you at the STC Summit, May 2017” written as “ilL-cu-@-stc-SumiT-05/2017” is not only easy to remember but also a strong password.

Do not use the same password you have used with us previously. If the website was successfully hacked before, there is a strong probability that the hackers will use the same passwords to hack the website again. Thankfully, most websites prevent users from reusing a password when requesting a new password. If you successfully circumvented the validation of the password by adding a number at the end of the password, the next guideline becomes important.

Do not use dictionary words, your name, e-mail address, mobile phone number or other personal information that can be easily obtained. One of the methods hackers use to gain access to users’ data is a “dictionary attack,” a technique for defeating a cipher or authentication mechanism by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary, to determine its decryption key or passphrase.  Ironically, many websites allow users to use names, e-mail addresses, mobile phone numbers, and other personal information as user names.  If developers implement a method to measure the strength of a password, allow users to select a system-generated password, and define rules to check for dictionary words, e-mail addresses, or phone numbers, then the password is one step closer to being “hacker proof”.
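One way a site could apply these rules at registration, as an added example that is not from the original article: it checks a candidate password against dictionary words, the user's own details and phone number, and offers a system-generated alternative. The wordlist, the profile fields and all function names are assumptions made for illustration.

```python
import re
import secrets

# Constructed sample wordlist; a real site would load a large list of
# dictionary words and known-breached passwords instead.
COMMON_WORDS = {"love", "password", "summer", "dragon", "welcome", "monkey"}
MIN_LENGTH = 8  # "Use at least eight characters"
# Undo common character swaps before matching, so "L0ve" still reads "love".
LEET = str.maketrans("0134579@$!", "oieastgasi")

def personal_tokens(profile):
    """Fragments of the user's name, e-mail and user name (4+ characters)."""
    tokens = set()
    for key in ("name", "email", "username"):
        for part in re.split(r"[^a-z0-9]+", profile.get(key, "").lower()):
            if len(part) >= 4:
                tokens.add(part)
    return tokens

def check_password(password, profile):
    """Return the list of broken rules; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[a-z]", lowered) and re.search(r"\d", password)):
        problems.append("needs letters and numbers")
    if any(w in lowered or w in normalized for w in COMMON_WORDS):
        problems.append("contains dictionary word")
    if any(t in lowered for t in personal_tokens(profile)):
        problems.append("contains personal information")
    # Compare digits only, so "010-4477" and "0104477" both match.
    phone = re.sub(r"\D", "", profile.get("phone", ""))
    if len(phone) >= 7 and phone[-7:] in re.sub(r"\D", "", password):
        problems.append("contains phone number")
    return problems

def suggest_password(profile):
    """Offer a system-generated password that passes the same rules."""
    while True:
        candidate = secrets.token_urlsafe(18)  # 24 random characters
        if not check_password(candidate, profile):
            return candidate

# Constructed sample user; the names and numbers are placeholders.
PROFILE = {"name": "Jordan Rivera", "username": "jrivera",
           "email": "jrivera@example.org", "phone": "+1 (555) 010-4477"}

if __name__ == "__main__":
    for pw in ("love1234", "L0ve2017!", "ilL-cu-@-stc-SumiT-05/2017"):
        print(pw, check_password(pw, PROFILE) or "accepted")
    print("suggested:", suggest_password(PROFILE))
```

A substring check against a short wordlist is deliberately strict; with a full dictionary it would need a minimum word length to avoid rejecting long passphrases.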

Do not use the same password for multiple online accounts. We are likely to use the same password because we don’t want to burden ourselves with remembering too many passwords.  Hackers attack multiple online accounts reusing user credentials (user name and password) in hopes of getting a match.  If we use the same password for multiple online accounts we help the hackers and put ourselves at risk of having our data stolen.  Even worse, our account could be held for ransom until we pay a fee to release it.

Online retailers make the registration process simple by allowing easy-to-remember passwords and security questions so as not to frustrate users; however, ease of recall comes at a risk.  Strong passwords can slow or often defeat the various attack methods of compromising a computer’s security. Until technology provides a better substitute for passwords, the need for strong passwords is not going away and neither is the pursuit of user-friendly passwords. Maybe an amendment to ISO 9241 is necessary to create a standard definition for password usability.

References

Griffith, Eric. “Password Protection: How to Create Strong Passwords,” PC Magazine, November 29, 2011.

Adams, A., and M. A. Sasse. “Users are not the enemy,” Communications of the ACM, vol. 42, no. 12 (December 1999), pp. 40-46. http://dx.doi.org/10.1145/322796.322806.

Talking Usability: Lessons Learned About PDF Accessibility

By David Dick | STC Fellow

 

Many of us hold this assumption to be true—we can convert text documents into Accessibility-compliant Portable Document Format (PDF) documents by saving them as PDF. Any desktop publishing tool can create PDF files using “Save as Adobe PDF”; however, the PDF files it creates are not always Accessibility-compliant for screen readers.

One of the tasks of my current job is to convert documents into Accessibility-compliant PDFs. A document is considered accessible if it can be read by people with disabilities. This includes access by people who are mobility impaired, blind, low vision, deaf, hard of hearing, or who have cognitive impairments. These users rely on screen readers to dictate the contents of the document to them, including images, tables, and graphics. The reason to convert a source file to a PDF is that PDF is universally compatible with screen readers, whereas a source file saved in its native format might not be.

The instructor teaching me how to create Accessibility-compliant PDFs said that he spends many hours correcting accessibility errors in PDF documents. Unfortunately, he had to correct the accessibility errors again whenever the source document changed. It was apparent to me that the seamless conversion of a source document to an Accessibility-compliant PDF document begins with an Accessibility-compliant source document.

The following are a few tips I learned to build accessibility into source documents.

  • Document Title. To a search engine, a PDF document is just another web page. Search engines read the “Title” document information field. If a search engine finds nothing there, its indexer tries to guess the document’s title by scanning the text on the first few pages. This usually doesn’t work, and produces incorrect and improperly formatted results. If the indexer finds text in the Title field, it will use it, regardless of whether that text is meaningless or not.
  • Headings. Never create headings by applying a bold font to titles and increasing their font size. Best practice is to format titles using Heading styles. When converting the source document to PDF, Heading 1, 2, 3, etc., convert to heading tags, which create structure for screen readers.
  • Alternative text. Alternative text (Alt text) allows the content and function to be understood by screen readers, which is why Alt text is required for all images, graphs, diagrams, and tables.
  • Tables.  For tabular data, use the correct table mark-up. Avoid using spaces, tabs and line breaks to emulate the table layout. Tables require headings, which are added by modifying the Table Properties. To a screen reader, a table without a table header is only an object with columns. For Word documents, select the Table Properties, select the Row tab, and check “Repeat as header at the top of each page.”
  • Hyperlink Text.  Hyperlink text requires a description of the link destination instead of providing only the URL. Mask the URL with an appropriate alternate text so that screen reader users can easily determine its purpose. For example, the statement “The STC Home Page provides links to member information” is more descriptive and informative than “click here”, “read more”, or “for more information see…”  Use the Screen Tip option to insert a description about the link.
  • Use of Paragraphs (¶) to create white space. Screen readers read paragraphs (¶) as empty space. To create white space between titles, bullets, and headings, modify the style’s paragraph spacing.

Use a professional PDF editing tool such as Adobe Acrobat Pro to test the document for accessibility and correct errors. I encourage you to test the PDF document with a screen reader to validate that the information flows properly. Tags define the reading order and identify headings, paragraphs, sections, tables and other page elements. You might have to make minor manual corrections to the tags so that the information flows in the correct order.

When accessibility is incorporated into the source file, the PDF requires fewer corrections. If changes are only made in the PDF document and not to the source file, accessibility work will need to be done each time the source file is updated. When you create accessible documents for people with vision deficiencies, you make information usable for all.

Good resources to learn about PDF accessibility:

UC Berkeley Event, May 2008, PDF Accessibility and Usability Issues. In this presentation, Sean Keegan, a premier expert on document and Web accessibility, addresses usability and accessibility issues of PDFs, strategies for the creation of accessible electronic documents, and the appropriate use of software applications to ensure accessibility of Web documents.

European Blind Union. Making Information for All provides guidance on how to make electronic documents accessible for assistive technology.

Adobe Acrobat DC Repair describes the process for making PDF documents accessible.

 

Talking Usability: Technology is Changing, But Not At the Workplace

By David Dick, Fellow

We, as savvy consumers, must have the latest technology. We buy the newest smartphone because it has something that our current smartphone doesn’t have. We download the latest Web applications because we believe they will empower us. Our Internet connection is as fast as the provider can deliver because we have no patience to wait for anything. Most importantly, we make the time to learn because we want to become savvy users. Our workplace, however, is another story.

At the workplace, the PC that is more than five years old might be obsolete and slow, but it gets the job done so there’s no justification to replace it. The software that generates reports involves many manual tasks that are automated by a newer version of the software, but there’s no budget to purchase it. The corporate intranet is slow because servers cannot cope with the growing number of users, but there’s no budget to upgrade it. There is no time to learn how to use existing office tools smartly because there is too much work to do.

Introducing new technologies to the workplace is not cheap because you are not buying something for one person to use; you are buying something for hundreds or thousands of people to use. For example, upgrading from Microsoft Office 2010 or 2013 to Office 2016 or Office 365 requires licenses for all users. Additionally, the upgrade might require upgrading PCs to a compatible version of Windows, which will require upgrading other office applications so that they are compatible with the newer version of Windows. Often, new office applications function faster and are less prone to system crashes when running on a new PC.  Finally, the upgrade will likely necessitate training users on the new features and functions. You can easily see the impact that the introduction of one new technology has on the organization and all users.

Attending the annual STC Summit is a wonderful opportunity to speak with vendors about their newest tools and technologies for the workplace. It’s easy to become excited to learn how these tools and technologies will improve the user experience. Unfortunately, not everyone works for a company whose technology is always improving. So for those of you who are not working at tomorrow’s workplace today, make good use of what you have and provide the best user experience you can.

Talking Usability: My Father’s Typewriter

My father typed all his correspondence on a manual (non-electric) typewriter. The ink on the typewriter ribbon was so worn out that the text on the paper was barely legible. Office supply stores stopped selling manual typewriter ribbon because electric typewriters were replacing manual typewriters. My father refused to buy an electric typewriter because he was satisfied with his manual.

When the company my father was working for replaced its typewriters with personal computers (PC), my father was concerned about what would happen if the computers broke down. “Nonsense,” his manager said. “Computers don’t break down.” Of course, those computers did break down and management didn’t have a backup plan on how to continue working.

You and I know that PCs can break down because the circuitry on the motherboard stops working. Sometimes it’s cheaper to buy a new PC than replace the motherboard. That’s why most PCs have a lifespan of three to five years: when the warranty expires, so does the PC. Nevertheless, many companies are reluctant to replace PCs on a regular basis because they are a costly investment. Then again, so is sitting idle while the technicians at IT support try to determine what’s wrong with our PCs. If IT support has a replacement PC, then we are back to work the same day. If not, we wait patiently for management to approve the purchase of a new PC.

The lesson I learned about my father’s typewriter is that if we are to be dependent on technology for our livelihood, then we must keep pace with innovation. That means if we connect PCs to networks, then we must upgrade those networks before they reach capacity. If we rely on software applications to run our business, then we must ensure that we are running the latest software updates and security patches.  As the saying goes, “Failure is not an option.”

One day, I found my father’s typewriter in a closet. The ribbon was well worn, but still capable of creating a letter. His typewriter reminded me of a time when a manual typewriter was modern technology.

Talking Usability: Do They Have Your Computer for Ransom?

What would you do if you opened a Web page and your computer desktop displayed a warning that your PC was infected with 8000 viruses and to call Windows Help Desk support?

You might try to click away only to discover that your browser is locked. You might reboot your PC only to discover that the banner is still there. Out of desperation, you call the Help Desk listed on the banner. The customer support technician promises to remove the virus for $300, and promises to run a virus scanner to remove the virus and update your security software. What a bargain, you think. You provide your credit card number, and the customer support technician tells you where on your PC to run a script, and after a few minutes the banner is gone. You are so happy that you dance with joy. When it’s over, you contact the Better Business Bureau about this Windows Support company and discover that it is not accredited by Microsoft or Apple to provide Windows or Mac support.

What you have is ransomware (a form of malware) or one of its variants, all of which begin by locking you out of your PC. Ransomware often reaches the PC when you click an advertisement on a website or a link in an email.

What should you do if your PC is infected with ransomware? Do not panic and do not pay the ransom. Once the ransomware has control of your PC, chances are that most of the damage is done. Unless you are an expert, solicit the help of experts: Microsoft Windows Technical Support at 1-855-883-1117 or Apple Technical Support at 1-800-290-5067.

There’s a chance that an antivirus program could remove the ransomware, but in most cases, you might need to reinstall your operating system from the ground up to be safe.  The following are a few suggestions to correct the problem.

If you are running Windows, do the following:

  1. Disconnect from the Wi-Fi to isolate your PC from the Internet.
  2. Reboot your computer and hold down the F8 key. Your PC will display the Advanced Boot Options menu (F8 menu).
  3. Select Repair Your Computer and press Enter.
  4. Log on as a user; select your Windows account name. (If you don’t have a password set, leave it blank.)
  5. Once logged on, you will see a list of shortcuts to a few tools.
  6. Click System Restore to roll Windows back in time. The worst thing that happens is that you lose files that were not saved or backed up.

If you are running Mac, do the following:

  1. Disconnect from the Wi-Fi to isolate your PC from the Internet.
  2. Quit Safari.
  3. Press and hold the Shift key and keep it pressed while launching Safari again.
  4. When Safari opens, release the Shift key. This action prevents Safari’s previously loaded pages from loading again upon launch.
  5. Open Safari’s Preferences… and select Extensions.
  6. Uninstall any Extensions that you are not certain you require by clicking the Uninstall button.

If this does not correct the problem, refer to https://discussions.apple.com/docs/DOC-8071 for advanced instructions.

How to protect yourself:

  • Update your computer’s antivirus software.
  • Use a pop-up blocker.
  • Turn on the security settings of your browser.
  • Turn on automated patches for your operating system and web browser.
  • Have strong passwords and do not use the same passwords for everything.

For more information about ransomware and how to prevent attacks: