Are there any guidelines on the trade-off between forcing users to have complex passwords (longer, including numbers and special characters, etc.) and the reduction in security if users therefore have to write down these passwords because they can't remember them?
To clarify: what I'm thinking about here is where users may have their own preferred (and memorised) set of passwords, but get forced by sites to start making them longer, or adding a number, or sites which just refuse to accept the password unless the site itself deems it strong enough (hello Google). So users then have to think of other passwords that fit these particular criteria, which, being non-standard ones, they are then more likely to write down.
So I guess the question is: what do users actually do when confronted with a site which tries to force them to use passwords with particular formatting?
Answer
This quote gets to the heart of it:
Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
You should therefore take special care that passwords aren't restricted in length (I've come across quite a few websites where the maximum length was 8 characters!).
Forcing users to do anything is rarely a good idea. It might be better to allow all passwords, but display a "Password strength" value as direct feedback after they enter the password. You could calculate this strength based on length and/or special characters. The value could be represented by a colour, e.g. red for weak, orange for strong and green for very strong.
Personally, I don't like it when websites force me to choose a password that consists of various components (numbers, different cases, special characters). Most of the time these are the exact websites that receive a "Password reset request" the next time I visit them.
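As an added illustration of the two points in the answer above (don't cap the length; score the password and show a colour instead of rejecting it), here is a small strength meter. It is example code written for this page, not the answerer's own, and its pool sizes, colour thresholds and the tiny "common passwords" list are assumptions; a real deployment would use a large breach-derived blocklist and tune the thresholds. The composition rule it is contrasted with is the kind of rule the answer criticises.

```python
import math
import string

# Character classes and the pool size each one contributes to the estimate.
# Sizes are the conventional printable-ASCII ones; the space is folded into
# the punctuation class so that passphrases are not penalised for using it.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)
_OTHER_POOL = 32  # assumed pool size for anything outside the four classes

# Constructed sample of passwords that are "easy for computers to guess".
# Any real deployment would use a large list derived from breach dumps.
_COMMON = frozenset({"password", "p@ssw0rd", "123456", "qwerty", "letmein"})

# Assumed colour-band thresholds (bits of guess entropy); tune to taste.
_ORANGE_AT = 40.0
_GREEN_AT = 64.0


def composition_rule_accepts(password: str) -> bool:
    """The kind of rule the answer complains about: at most 8 characters,
    and the password must contain a digit and a punctuation character."""
    return (
        len(password) <= 8
        and any(c in string.digits for c in password)
        and any(c in string.punctuation for c in password)
    )


def entropy_bits(password: str) -> float:
    """Upper bound on guess entropy: length * log2(size of the pool used).

    No maximum length is enforced, so a long lowercase passphrase scores
    higher than a short mix of character classes. A password on the common
    list scores 0 regardless of its composition, because a guesser will
    try those first.
    """
    if not password or password.lower() in _COMMON:
        return 0.0
    pool = sum(size for chars, size in _CLASSES if any(c in chars for c in password))
    if any(all(c not in chars for chars, _ in _CLASSES) for c in password):
        pool += _OTHER_POOL
    return len(password) * math.log2(pool)


def strength_feedback(password: str) -> dict:
    """Direct feedback for the UI: estimated bits plus the colour band."""
    bits = entropy_bits(password)
    if bits >= _GREEN_AT:
        colour = "green"
    elif bits >= _ORANGE_AT:
        colour = "orange"
    else:
        colour = "red"
    return {"bits": round(bits, 1), "colour": colour}


if __name__ == "__main__":
    # Constructed sample inputs: a "compliant" common password, a weak short
    # one, and a long passphrase the composition rule would refuse outright.
    for pw in ("P@ssw0rd", "hunter2", "correct horse battery staple"):
        print(f"{pw!r:34} rule accepts={composition_rule_accepts(pw)!s:5} "
              f"feedback={strength_feedback(pw)}")
```

The composition rule accepts "P@ssw0rd" and rejects the 28-character passphrase; the meter does the opposite, which is the behaviour the answer argues for. The entropy figure is only an upper bound (dictionary and pattern attacks beat it for many inputs), so it is suitable as feedback, not as a guarantee.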