Users are never told that a PIN is a password is a passphrase.  So,
they believe that a "PIN" is not a "password", and a "password" is not
a "passphrase".  So they think "I have to type my password to get
access to this", not "the device is asking for my PIN to do what it's
been asked to do."

Users aren't used to different parts of their computer system asking
for different passwords/passphrases/etc -- anything that comes up on
the screen was generated by the main computer.  They understand that
one computer does not necessarily use the same password as any other
one, and they might even understand they should have different
passwords wherever they can.  But they're not used to their computer
not being able to access different parts of itself.

Maybe a change in how things are worded would be useful...

[[The keystore which contains the certificate "yourcertificate" needs
to verify that you are authorized to use it.  This is typically done
by entering the PIN or password that you used to secure it.

The device "devicename" requires that you enter your authentication
code in order to use the certificate "yourcertificate" to "SSL
authenticate to (host)|sign this email|whatever it needs access for".
If you wish to perform this action, enter your authentication code.
If you do not wish to perform this action, press cancel.]]

This one adds another term to the mix: "authentication code".  It also
suggests features that are not present (the ability to separate the
use of an unlocked token into different types of usage, instead of
simply unlocking the use of it for any type of usage).  I'm not all
that happy with it -- any better suggestions?

-Kyle H

On Sat, Jul 4, 2009 at 2:11 PM, Nelson B Bolyard<nel...@bolyard.me> wrote:
> Martin, I want to read your full message and respond fully later this
> weekend, but right now I just want to try to clarify a couple things.
>
>>>> FYI, to make sense to users of eID cards currently one has to embed
>>>> the word PIN into the token description as well, so that the prompt
>>>> that Firefox displays would make sense: "Please enter password for:
>>>> MARTIN PALJAK (PIN1)" GUI hints would be useful...
>>>
>>> Please elaborate.
>>
>> Firefox displays a "Please enter password for ..." dialog, which is
>> ambiguous for casual users who need to be told very clearly when they
>> need to enter the PIN of 4 or more digits.
>
> The dialog says "Please enter password for <token name>".  Is that
> ambiguous?  Does the user have multiple tokens with the same name?
>
> Does the single token support multiple different passwords?
> (And if so, how does changing the token name help the problem?)
>
>> A similar problem exists on Safari/Mac OS X, where the unchangeable
>> keychain GUI asks for "enter your password for keychain "yourcard""
>> and people have been typing their login password over and over until
>> the card gets locked... Even "enter your password for keychain
>> "yourcard (PIN1)"" does not help - some people still try different
>> passwords.
>
> So, I gather the problem is really that people find that having more than
> one password to remember is unmanageable.  They cannot (or simply do not
> make the effort to) distinguish which password is being requested, and so
> they enter the wrong one, repeatedly, even though the prompt tells them
> enough that they can successfully choose the right password, if they would
> make the effort.  Right?
>
> This is a fundamental problem with passwords and people's memories, not
> peculiar to Firefox (as you seem to acknowledge).
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
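The failure mode Martin describes (a user answering a "Please enter password for ..." prompt with their login password until the card blocks its PIN) is easy to reproduce against a toy token. The following is an added example, not code from the thread, from NSS or from Firefox: it models a smart-card style token with a PIN retry counter, puts the thread's two prompt wordings side by side, and shows that the retry counter, not the prompt, is what decides when the card locks. The token label, the PIN, the retry limit of three and the sample "user" answers are all constructed for the example.

```python
"""Toy model of a PIN-protected token with a retry counter, plus the two prompt
wordings discussed in the thread.  Constructed example; the label "MARTIN PALJAK
(PIN1)", the PIN, the 3-try limit and the sample answers are all invented."""
from dataclasses import dataclass, field


@dataclass
class Token:
    label: str                      # what a PKCS#11 token label would carry
    pin: str
    max_tries: int = 3              # assumed retry limit; real cards vary
    tries_left: int = field(init=False)
    locked: bool = field(init=False, default=False)

    def __post_init__(self):
        self.tries_left = self.max_tries

    def login(self, secret: str) -> bool:
        """Behave like a card: a blocked PIN never verifies, every wrong attempt
        burns one try, a correct attempt resets the counter."""
        if self.locked:
            return False
        if secret == self.pin:
            self.tries_left = self.max_tries
            return True
        self.tries_left -= 1
        if self.tries_left == 0:
            self.locked = True
        return False


def ambiguous_prompt(token: Token) -> str:
    """The wording the thread complains about: nothing says 'PIN'."""
    return f"Please enter password for: {token.label}"


def explicit_prompt(token: Token, purpose: str) -> str:
    """Wording in the spirit of Kyle's draft: names the device, names the
    secret, says what it is for, and warns about the remaining tries."""
    return (f'The device "{token.label}" requires its PIN (not your login '
            f'password) to {purpose}. {token.tries_left} attempt(s) remaining '
            f"before the PIN is blocked.")


def simulate(token: Token, answers: list[str]) -> tuple[bool, bool, int]:
    """Feed a user's successive answers to the token.
    Returns (logged_in, locked, attempts_used)."""
    for n, answer in enumerate(answers, start=1):
        if token.login(answer):
            return True, token.locked, n
        if token.locked:
            return False, True, n
    return False, token.locked, len(answers)


if __name__ == "__main__":
    card = Token("MARTIN PALJAK (PIN1)", pin="1234")
    print(ambiguous_prompt(card))
    print(explicit_prompt(card, "sign this email"))
    # A confused user keeps trying variants of the login password.
    print(simulate(card, ["hunter2", "Hunter2", "hunter2!", "1234"]))
```

The fourth, correct answer in the script never gets a chance: the card is blocked after the third wrong one, which is the outcome Martin reports from the field. The explicit wording also puts the remaining-tries count in front of the user, so a second wrong answer reads as a warning rather than as "try another password".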
