This repository has been archived by the owner. It is now read-only.

Make our password hint progressive #3731

Closed
ryanfeeley opened this issue May 12, 2016 · 20 comments

@ryanfeeley (Contributor) commented May 12, 2016

[screenshot 2016-05-12 16:39:32: current password hint]
Currently the only password advice we give registering users is "Must be at least 8 characters". This is inadequate for the users who plan to sync their browsing data, including passwords, so we should discuss making improvements to this experience.

We currently run a Bloom filter to gauge password complexity, but do not expose it in the interface.

What if we changed our hint (i.e. "Must be at least 8 characters") with every keystroke, until the password was of adequate strength? We could also use this as an opportunity to increase the understanding of how sync works.

Examples on the web:

And what 1Password does:
[four screenshots of 1Password's password hint, 2016-05-11]

@TDA (Contributor) commented May 12, 2016

+1 to this. I am willing to take this up :)

@ryanfeeley (Contributor, Author) commented May 12, 2016

Some information we might want to get across:

  • 8 characters are required to create an account
  • A strong password is recommended if you plan to sync passwords
  • A short phrase is usually a strong password – it is easy to type and also remember
  • If you reset your password, you will lose any Sync data that is not on one of your devices
  • Our Sync servers are designed as a go-between for your devices, not a standalone backup

@Verdi commented May 12, 2016

I like this idea. If the text changed with each keystroke, the default prompt could be something that lets people know that this password protects all the passwords they've saved in Firefox.

@ryanfeeley (Contributor, Author) commented May 12, 2016

Would be interesting to preface every line with "This password"…

@rfk (Member) commented May 16, 2016

I'm broadly 👍 to this idea, and I wonder if we can pare it right down to a minimal version to try it out quickly in practice. What if a first version of this just had a handful of the most important states:

  • Default: "Pick a strong password, this is used to encrypt all your browser data" or whatever wordsmithery we can come up with for the initial prompt
  • When they start typing, transition to "Must be at least 8 characters"
  • When they exceed that limit, check against the list of common passwords and show "That's a very common password, choose something more unique"

Then if we like it and it seems to be valuable, we can iterate by adding additional checks and messaging.

@TDA (Contributor) commented May 16, 2016

I am very much inclined towards the approach @rfk specifies. We should get it running to a minimal version before we decide to add more functionality.
If we get to know that the basic version is useful, we could then go ahead and even test out the password playground, by letting people type something and generate a password from that.

@ryanfeeley (Contributor, Author) commented May 16, 2016

Some wordsmithed copy (I'll get @MozMatej to sanity check it)

Default (focused, empty):

  • A strong, unique password will keep your Firefox data safe from prying eyes. More info.

With characters entered:

  • 8 characters minimum, but longer if using Sync for passwords. More info.

With a weak password:

  • That password is overly common and not recommended; please choose something more unique. More info.
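
The three-state hint rfk sketched above (default, minimum length, common-password check) with the copy drafted in this comment, written out as an added example in JavaScript. This is not fxa-content-server code: the Bloom filter parameters and hash functions, the sample common-password list, and the wording of the "ok" state are all constructed here for illustration. The thread says the project already runs a Bloom filter against a common-password list; this block shows one way such a check plugs into a per-keystroke hint.

```javascript
// Added example, not fxa-content-server code. The hint is a pure function of
// the text typed so far, following the states proposed in the thread. The
// Bloom filter, its hashes, the password list and the 'ok' copy are assumed.

const MIN_LENGTH = 8;

// Two independent 32-bit string hashes (FNV-1a and djb2).
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

function djb2(str) {
  let h = 5381;
  for (let i = 0; i < str.length; i++) {
    h = (Math.imul(h, 33) + str.charCodeAt(i)) >>> 0;
  }
  return h;
}

class BloomFilter {
  constructor(numBits, numHashes) {
    this.m = numBits;
    this.k = numHashes;
    this.bytes = new Uint8Array(Math.ceil(numBits / 8));
  }

  // Kirsch-Mitzenmacher double hashing: k bit positions from two base hashes.
  positions(str) {
    const h1 = fnv1a(str);
    const h2 = djb2(str) | 1; // force odd so the stride walks the whole table
    const out = [];
    for (let i = 0; i < this.k; i++) {
      out.push(((h1 + Math.imul(i, h2)) >>> 0) % this.m);
    }
    return out;
  }

  add(str) {
    for (const p of this.positions(str)) this.bytes[p >> 3] |= 1 << (p & 7);
  }

  // True if str was added, or (with small probability) on a false positive.
  // A false positive only ever makes the hint more conservative.
  mightContain(str) {
    return this.positions(str).every(p => (this.bytes[p >> 3] & (1 << (p & 7))) !== 0);
  }
}

// Constructed sample of a common-password list. Only entries of MIN_LENGTH
// or more matter: shorter input is caught by the length rule first.
const COMMON_PASSWORDS = [
  'password', 'password1', '12345678', '123456789', 'qwertyuiop',
  'iloveyou', 'letmein123', 'sunshine', 'football', 'princess',
];

function buildFilter(list, numBits = 4096, numHashes = 4) {
  const filter = new BloomFilter(numBits, numHashes);
  for (const pw of list) filter.add(pw);
  return filter;
}

const commonFilter = buildFilter(COMMON_PASSWORDS);

// Copy from the thread for the first three states; the 'ok' wording is assumed.
const HINTS = {
  empty: 'A strong, unique password will keep your Firefox data safe from prying eyes.',
  short: '8 characters minimum, but longer if using Sync for passwords.',
  common: 'That password is overly common and not recommended; please choose something more unique.',
  ok: 'Looks good. Longer is still better if you sync passwords.',
};

// Hint for the current field contents. Order matters: length first, then the
// common-password check, exactly as the thread proposes.
function passwordHint(password, filter = commonFilter) {
  if (password.length === 0) return { state: 'empty', message: HINTS.empty };
  if (password.length < MIN_LENGTH) return { state: 'short', message: HINTS.short };
  if (filter.mightContain(password)) return { state: 'common', message: HINTS.common };
  return { state: 'ok', message: HINTS.ok };
}

// Replay the sequence of states a user would see keystroke by keystroke.
function hintTrace(typed) {
  const states = [];
  for (let i = 0; i <= typed.length; i++) states.push(passwordHint(typed.slice(0, i)).state);
  return states;
}
```

Wire `passwordHint` to the field's `input` event and swap the hint text whenever `state` changes. The check runs entirely in the client, so the plaintext never leaves the page for this purpose; it is advisory UX, and the server must still enforce the minimum length on its own.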

@vladikoff (Contributor) commented May 16, 2016

Needs feature doc

@ryanfeeley (Contributor, Author) commented May 16, 2016

Assigned to myself for feature doc.

@vladikoff (Contributor) commented May 16, 2016

👍

@ryanfeeley (Contributor, Author) commented May 16, 2016

Also realizing that we don't want people to include local attackers with "prying eyes". Damn, this is going to be hard.

@ryanfeeley (Contributor, Author) commented May 17, 2016

The tricky thing will be to be compatible with our signup/signin flow.

@vladikoff vladikoff assigned TDA and unassigned ryanfeeley May 31, 2016
@vladikoff vladikoff changed the title Discuss making our password hint progressive Make our password hint progressive May 31, 2016
TDA added a commit that referenced this issue Jun 28, 2016
TDA added a commit that referenced this issue Jun 28, 2016
@rfk (Member) commented Jun 29, 2016

It's not obvious from the comment history here - what is this currently blocked on?

@TDA (Contributor) commented Jun 29, 2016

@rfk
We need the link for More info

@rfk (Member) commented Jun 29, 2016

From https://github.com/mozilla/fxa/pull/150/files#diff-c00b54226abc4785bd4d2f483d4e24b1R54 I see the following note:

"More info" will link to a modal dialog containing concise instructions on creating a strong password based on [this SUMO article](https://support.mozilla.org/en-US/kb/create-secure-passwords-keep-your-identity-safe)

Which suggests we may actually have to host our own copy, not just an outgoing link.

Could we consider landing without the "more info" link and doing it as a separate follow-up bug? The new functionality seems to provide significant value to me even without the extra context. (We would, of course, have to practice the whole "not losing the follow-up bugs" thing that @ryanfeeley has noted in the past).

@rfk rfk added this to the FxA-97: password blocklist milestone Jun 29, 2016

@ryanfeeley (Contributor, Author) commented Jun 29, 2016

@rfk I think it's a constraint on mobile where the web views cannot link externally :(

@ryanfeeley (Contributor, Author) commented Jun 29, 2016

I suggest we copy the contents from this page and present it on a page much like our Privacy Notice / Terms of Service pages.
[screenshot 2016-06-29 13:24:27: the SUMO article "Create secure passwords to keep your identity safe"]

Can we include the video?
We don't need the table of contents or any contents beyond this line: "Take a moment to think of a phrase that's meaningful to you. Use that phrase to create a secure password that you can customize for each website you visit."

@TDA (Contributor) commented Jul 1, 2016

So is this the ideal course of action:

  • Create a new template with the contents of the SuMo article (without ToC and other stuff)
  • Add this to existing routes.
  • Link to this document using the More Info link.

Question: What should be the name of this document?
@shane-tomlinson @rfk

@rfk (Member) commented Jul 1, 2016

I really don't want to grow a clone of SUMO under our own URL space...but if there's no other way to show good messaging to mobile users, I guess we'll need to display it ourselves. How do we currently handle localization of the legal and terms pages, and can we do the same for this copy?

Paralleling https://accounts.firefox.com/legal/terms and https://accounts.firefox.com/legal/privacy, perhaps we can start a https://accounts.firefox.com/support namespace and put this copy into it at https://accounts.firefox.com/support/create-a-secure-password

@ryanfeeley do you think we need to say something about why the security of the password here is so important, i.e. something to explain the "longer if you're syncing passwords" part?

@TDA (Contributor) commented Jul 5, 2016

From mtg:
ship it without the More info link, make the "More info" page a separate PR.

TDA added a commit that referenced this issue Jul 6, 2016
TDA added a commit that referenced this issue Jul 6, 2016
TDA added a commit that referenced this issue Jul 8, 2016
TDA added a commit that referenced this issue Jul 12, 2016
TDA added a commit that referenced this issue Jul 12, 2016
TDA added a commit that referenced this issue Jul 12, 2016
vladikoff added a commit that referenced this issue Jul 19, 2016
6 participants