My newfound interest in usable security has led me to Richard M. Conlan's Password UI Study. His work-in-progress paper describes a really neat password hint widget, which he's implemented in Java:
- The control — this is the same old password / new password / confirm widget that you see on most sites and applications
- Progress bar — give some feedback on password quality with a progress bar
- Smiley face — the bigger the smile, the better the password
- Warning — Your password can be broken in 1 day/week/etc.
Of these, the smiley face is my favourite because it encourages the user. I find the warning, which opts to warn the user instead of encouraging them, a bit negative. The smiley is probably most appropriate in a web app where authentication is routine and the user isn't protecting anything too valuable. The warning may be more appropriate in a banking/financial context where the user has a stake in his/her password strength.