New web sign–on change password screen
Writing about web page https://websignon.warwick.ac.uk/origin/changepassword.htm
I've recently been working on a new system to allow easy, secure and informative passwords changes on the web.
At the moment if you are a main Warwick user, you can change your main ITS account password (from our NDS directory) via the managed desktop or on the web via the my.insite portal. In an effort to improve the usability and availability of password management, we decided to create a new single page that sits within the web sign–on project that would allow any user, not just central Warwick users to change their passwords.
We have a model whereby users that login to web sign–on can come from a variety of sources:
- Central NDS directory
- Warwick Alumni service ran externally
- WBS Alumni service
- WBS NDS directory
- External user database for Warwick related users
A user does not have to worry about which of these types of user they are, they just login and the system works out where they are from and authenticates them securely at that source. Each of these sources can now optionally incorporate a password change interface that we are plugging into.
In the first instance the page will only allow central NDS users to change their passwords, but over the coming weeks we will add in as many of the other sources as we can.
Changing a password is actually a pretty boring thing really, however, we've made it a bit more interesting by giving some nice visual feedback about the strength of your password so that you can judge how strong your password is and understand why we are not letting you have a password of "letmein".
The required password strength is probably going to be something people are going to take a little while to get used to as it is fairly strict. From the University approved new password policy:
4.1 Choice of passwords
- Be at least 8 characters long.
- Contain at least three of the following four types of character: letters in
lower, letters in upper case, numbers, and symbols (e.g. “£$%^&*).
- Be changed every six months for a new password (more often for
systems requiring greater security).
In the long run we hope that this will mean that the average password strength is going to go up and this will raise people's awareness of what makes a stronger password and why it is important.