Monday, September 24, 2018

security - Forcing users to use a particular pattern for passwords


Many websites, especially government ones, require users to use a password which conforms to particular criteria. For example: use between 8-13 characters with at least one integer and one capital letter and sometimes a special character. I have found such password patterns are rather hard to follow, and if you do follow them, the password becomes extremely difficult to remember.



My question is: considering the security aspects versus the memorization burden of remembering a unique password pattern for a site, is it worth enforcing password pattern restrictions on users?



Answer



Every constraint you add to a password pattern adds more cognitive load for the user. And constraints can be good for making a password secure. But how secure is a password that users constantly forget and, as a consequence, hit the “forgot password” workflow yet again? Further, you minimize the option for users to use their already memorized secure password on this site as well. Something that at least 60% of users do.



Security issues are particularly difficult to deal with because they’re an annoyance. We just want to let people get at the great tool we’ve created, but instead we have to build barriers between the user and the application. Users must prove their identities. We can’t trust any data they provide unless it’s been thoroughly sanitized.


Unfortunately, this is reality. A great deal of web traffic really is malicious, and sensitive data gets stolen. Typically, we ask users to supply a username (often an e-mail address) along with a password to sign in to an application. The username identifies the person, while the password proves that the person submitting the username is indeed the one who created the account. That’s the theory, based on two assumptions:




  1. A password will never be visible outside the mind of the person who created it.





  2. Both the username and password can be recalled from memory when needed.





Reference: The problem with passwords



Try to find the most common password pattern around, so users can choose their own familiar password. You need (1) a minimum length of eight characters, (2) upper case and lower case letters, (3) a number or a special character like !@#£¤$. This pattern is fairly secure, but is questioned among security experts and usability experts. If you don’t trust my pattern, make the judgment on the scale of User Experience vs. Security and you’ll be fine.


But never ever do this:


[image]


