> If someone really wants to use their first name as their password that's up 
> to them. But, if they're using their first name because they can't think of 
> something better, that may be an area where we can help.  

I think there are at least two more elements here. It's not just "I want to" 
versus "I can't think of anything better", though I'm sure there are users in 
those camps.

For example:

(a) Users don't necessarily consider that the password they're choosing affects 
the security of their data.
(b) Users don't necessarily care much about the security of their data, 
particularly versus convenience.
(c) Users don't often anticipate how their use of a service will grow, and 
start with something _appropriately_ weak-and-easy that rapidly becomes 
inappropriate.

It's not as simple as "let them", because it's hard to distinguish between 
these cases through conventional setup flows.


I think there are broadly two solutions here:

1. Try to somehow get users happy with entering a ton of entropy -- e.g., the 
"enter a sentence" approach. That can still fall down on mobile.
2. Avoid users having to enter passwords at all, somehow. Password manager + 
2FA, as Monica points out. There's a chicken-and-egg problem there with 
first-time setup, of course.

That both of these are challenging speaks to how difficult this situation is!
_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
