Greetings,

I can't figure this one out. More than a quarter of newly registered users at my site (www.pharmer.org) are failing to log in. The email is sent. They come back, try to log in and get 'Sorry. Unrecognized username or password'. I've tested this extensively and I've never had a problem authenticating as a new user from either Firefox or IE. I just can't believe that 25% of the people who register can't figure out how to cut and paste a password.

Is this failure rate typical? I've never maintained a site requiring authentication before, and maybe I've just overestimated the general public's ability to 'clicky clicky'.

Any thoughts would be appreciated.

mitomac

Comments

Steve Dondley’s picture

The password is the problem. It's horrendously long and it's mixed case. This spells disaster for normal people (non-geeks). Over and over again I see people getting the unrecognized username/password error. And most people don't think to cut and paste the password out of the e-mail into the login form.

One thing I've done is to hack the user.module file to make a more human readable password. It embeds a real word in the middle of some digits. It's not the most secure password but I'm not dealing with credit card or banking info.

But I'd also like to see a feature in Drupal that lets users create their own password while registering. That's probably the best solution.

mitomac’s picture

Looking at the user.module, I see where the random password generated is set to be 10 characters. I was thinking of changing that to 6 characters. But now I am intrigued by your embedding a real word between a few digits. How did you generate the word list? Are you using PHP to select a random word from the dictionary file? Would you mind sharing your code?

Thanks again,

mitomac

Steve Dondley’s picture

Here is the code:


function user_password($length = 10) {
  // $length is kept so the signature matches the original function, but
  // it is not used: the result is 2-3 digits, a word, then 3-2 digits.

  // Digits allowed in the password. 0 and 1 are left out so they cannot
  // be confused with the letters 'O' and 'I'.
  $allowable_numbers = "23456789";

  // We see how many characters are in the allowable list:
  $len = strlen($allowable_numbers);

  // No manual seeding: random_int() (PHP 7+) draws from the operating
  // system's CSPRNG, unlike mt_rand() seeded from microtime().

  // Declare the password as a blank string:
  $pass = '';
  $back = 3;

  // Read the words file into an array, one word per line. The second
  // argument of file() is a set of flags, not an fopen() mode like "r".
  $array = file("name_of_file_here", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
  if ($array === FALSE || count($array) == 0) {
    throw new RuntimeException('Word list is missing or empty.');
  }

  $count = count($array);

  // Two or three digits in front; five digits in total.
  $front = random_int(2, 3);
  if ($front == 3) {
    $back = 2;
  }

  for ($i = 0; $i < $front; $i++) {
    $pass .= $allowable_numbers[random_int(0, $len - 1)];
  }

  // A random word from the list, with any trailing whitespace removed.
  $pass .= rtrim($array[random_int(0, $count - 1)]);

  for ($i = 0; $i < $back; $i++) {
    $pass .= $allowable_numbers[random_int(0, $len - 1)];
  }

  return $pass;
}

robertdouglass’s picture

Another problem might be that users are copy and pasting a space at the end of the password.

- Robert Douglass

-----
www.robshouse.net
www.webs4.com

Steve Dondley’s picture

Just strip the whitespace from the input. I'd be surprised if Drupal doesn't already do this.

mcduarte2000’s picture

Drupal should really be changed regarding this. I'm having an even higher unsuccess rate. And the problem is that the users end up giving up after a while.

Miguel Duarte

Webmaster of: Lisbon Guide & Love Poems

das1’s picture

It would be better if the user were allowed to set their own password and a verification link was sent to their email address. They could click the link and bam! Their account is 100% active. No copy paste required and it Just Makes Sense to have the user make their own password right away.

--David..

carlmcdade’s picture

I only have the code in ASP but there is a way of using random made up words in a password generator to make them more memorable like

hiditti12
gerepe487
jazada389
popihi123

More user friendly but still alphanumeric.
---------------------------
www.hivemindz.com (running PHP5)
www.fireorb.org (documentation and hacks)
__________________________
Carl McDade
Information Technology Consult
Team Macromedia
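
The made-up-word approach from the last comment, sketched in PHP together with the whitespace trimming suggested earlier in the thread. This is an added example, not code from the thread or from Drupal; the function names, the letter sets and the default of three syllables plus three digits are assumptions. It also estimates how many bits of entropy each scheme gives, so the trade-off against the digits-word-digits password above can be measured rather than guessed.

```php
<?php
// Added example: names and character sets below are assumptions.
// 'l' is left out of the consonants and 0/1 out of the digits so that
// look-alike characters never appear in a generated password.
const CONSONANTS = 'bdfghjkmnprstvz';
const VOWELS     = 'aeiou';
const DIGITS     = '23456789';

// Pick one character from $set using the OS CSPRNG (PHP 7+).
function pick(string $set): string {
  return $set[random_int(0, strlen($set) - 1)];
}

// Consonant-vowel syllables followed by digits, e.g. the "hiditti12" shape.
function pronounceable_password(int $syllables = 3, int $digits = 3): string {
  $pass = '';
  for ($i = 0; $i < $syllables; $i++) {
    $pass .= pick(CONSONANTS) . pick(VOWELS);
  }
  for ($i = 0; $i < $digits; $i++) {
    $pass .= pick(DIGITS);
  }
  return $pass;
}

// Entropy in bits = log2(number of equally likely passwords).
function pronounceable_entropy_bits(int $syllables, int $digits): float {
  $per_syllable = strlen(CONSONANTS) * strlen(VOWELS);
  return $syllables * log($per_syllable, 2) + $digits * log(strlen(DIGITS), 2);
}

// Same measure for the digits-word-digits scheme posted above: five
// digits, one bit for the 2/3 or 3/2 split, plus the word choice.
function word_scheme_entropy_bits(int $word_count): float {
  return 1 + 5 * log(strlen(DIGITS), 2) + log($word_count, 2);
}

// Login side: generated passwords never contain whitespace, so anything
// picked up while pasting from the e-mail can be trimmed safely.
function normalize_submitted_password(string $input): string {
  return trim($input);
}

$pw = pronounceable_password();
printf("%s: %.1f bits\n", $pw, pronounceable_entropy_bits(3, 3));
// 2000 is a constructed word-list size for comparison.
printf("digits-word-digits with 2000 words: %.1f bits\n", word_scheme_entropy_bits(2000));
var_dump(normalize_submitted_password(" $pw \r\n") === $pw);
```

Trimming on login is only safe while every stored password is machine-generated; once users can choose their own passwords, leading or trailing spaces may be part of the secret.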