Well, the reality of the stringent password policy issue is that people will find lazy workarounds unless they are invested in the liability. Meaning... if it is their credit card that will be used, they 'may' be concerned and motivated. I did quite a bit of ethnography on this and collected a gallery of images: sticky notes under keyboards, behind monitors, etc... the computer equivalent of putting the car keys in the visor. The company was in the business of offering a two-factor authentication solution, so we weren't particularly interested in solving the specific usability problem of passwords, but instead worked to solve the overarching problem with a hardware component. If I can help any further, Meredith, just let me know.
Mark

On Fri, Sep 19, 2008 at 1:38 PM, Meredith Noble <[EMAIL PROTECTED]> wrote:
>> When I worked in this field, we used to explain that usability and
>> security, at the extremes, were two opposite ends of a continuum.
>> Adding to one nearly always compromised the other. I know it is a bit
>> simplistic, but it works as a quick explanation.
>
> Thanks, Mark. I am quite familiar with the usability-security continuum,
> but I'm surprised at how few sites out there have concrete
> recommendations on where the best place along the continuum is. I guess
> it's still too controversial, but surely someone out there has some
> opinions on what the best password policy is, trading off complexity /
> "time to hack" and ability for users to remember. Perhaps, as you say,
> they're all lurking in Forrester, which, sadly, I don't have access to!
>
> Another person replied to me privately with the following blog post:
> http://www.baekdal.com/articles/usability/password-security-usability/
>
> The author talks about how long it would take a hacker to break certain
> passwords. It's easy to calculate how long brute force attacks might
> take, but it gets scary when you look at dictionary attacks.
>
> I think my recommendation is going to be a weak-medium-strong entropy
> indicator that takes dictionary words into account, plus restricting the
> number of attempts the user can make within a time period.
>
> I am EXTREMELY worried about forcing high entropy on people though... so
> that's where I start sighing. Sigh.
>
> Meredith

________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... [EMAIL PROTECTED]
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help
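As an added example (not code from Mark's or Meredith's messages, nor anything from the IxDA list), the Python sketch below puts numbers on the two pieces Meredith proposes in the quoted reply: a weak/medium/strong indicator that charges a dictionary word at the cost of a dictionary lookup rather than per character, with the "time to hack" arithmetic beside it so the gap between the brute-force and dictionary views is visible, and a sliding-window cap on failed attempts per account. The ten-word dictionary, the leet map, the 1e9 guesses/s rate and the 28/44-bit thresholds are constructed assumptions for illustration, not figures from the thread.

```python
import math
import re

# Constructed toy word list for the example; a real checker would load a large
# dictionary and leaked-password lists (an assumption of this sketch).
DICTIONARY = {
    "password", "letmein", "welcome", "dragon", "monkey",
    "sunshine", "qwerty", "summer", "baseball", "football",
}

# Common "leet" substitutions, undone before the dictionary lookup (assumed set).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s"})

# Character classes an attacker must cover for a brute-force run.
_CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))


def charset_size(s):
    """Alphabet size a brute-force attacker must assume for the string s."""
    return sum(n for pat, n in _CLASSES if re.search(pat, s))


def naive_entropy_bits(password):
    """Brute-force view: every character is an independent draw from the alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def tokenise(password, dictionary=DICTIONARY):
    """Greedy left-to-right split into dictionary words (longest match first,
    case-insensitive, leet-normalised) and leftover single characters."""
    tokens, i = [], 0
    while i < len(password):
        match = None
        for j in range(len(password), i, -1):
            if password[i:j].lower().translate(LEET) in dictionary:
                match = password[i:j]
                break
        if match:
            tokens.append(("word", match))
            i += len(match)
        else:
            tokens.append(("char", password[i]))
            i += 1
    return tokens


def dictionary_aware_entropy_bits(password, dictionary=DICTIONARY):
    """Dictionary-attack view: a word costs log2(|dictionary|) bits, plus one bit
    for a capitalisation choice and one per leet substitution; only the leftover
    characters are charged at the brute-force rate."""
    bits, residue = 0.0, ""
    for kind, text in tokenise(password, dictionary):
        if kind == "word":
            bits += math.log2(len(dictionary))
            if text != text.lower():
                bits += 1
            bits += sum(1 for c in text.lower() if c.translate(LEET) != c)
        else:
            residue += text
    if residue:
        bits += len(residue) * math.log2(charset_size(residue))
    return bits


def crack_time_seconds(bits, guesses_per_second=1e9):
    """Worst-case seconds to exhaust 2**bits guesses. The default rate is an
    assumed figure for an offline attack on a fast hash, not a measurement."""
    return 2 ** bits / guesses_per_second


def rate_password(password):
    """Weak/medium/strong label from the dictionary-aware estimate.
    The 28- and 44-bit thresholds are illustrative choices, not a standard."""
    bits = dictionary_aware_entropy_bits(password)
    label = "weak" if bits < 28 else "medium" if bits < 44 else "strong"
    return bits, label


class AttemptLimiter:
    """Online counterpart to the indicator: at most `limit` failed logins per
    account inside a sliding `window` of seconds. `now` is passed in explicitly
    so the logic is deterministic and testable."""

    def __init__(self, limit=5, window=300.0):
        self.limit, self.window = limit, window
        self._failures = {}  # account -> timestamps of recent failures

    def allowed(self, account, now):
        recent = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = recent  # drop expired entries
        return len(recent) < self.limit

    def record_failure(self, account, now):
        self._failures.setdefault(account, []).append(now)
```

Running `rate_password` over "password", "P@ssw0rd" and "Summer2008!" shows the point Meredith raises: the brute-force estimate gives "P@ssw0rd" about 52 bits (eight characters over a 95-symbol alphabet), while the dictionary-aware estimate gives it about 6 bits, since it is one word plus a capital and two substitutions, and an attacker at 1e9 guesses/s clears that instantly. "Summer2008!" lands in the medium band only because of the trailing digits and punctuation. The limiter is what actually buys time against online guessing regardless of which band a password falls in; it is per account, so it does not by itself stop an attacker spreading a few guesses across many accounts.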
