Does anyone have any evidence, anecdotal or formal, about how different password strength requirements impact the usability of a web-based application?

There's a spectrum of different strength requirements. I've seen sites that don't have any requirements, other than the password exists. I've seen others that require the password to be at least 10 characters, with at least 1 lower case, 1 upper case, 1 digit, 1 "special" character (like #...@!), and then require the password to be updated regularly while preventing reuse of old passwords.

Our security purists here want "really strong" passwords, though not as strong as my second example above. I'm looking to see if there's any knowledge out there about how different points on the strength-spectrum impact usability. Is there a watershed spot where if we make it more complicated than X, usability really suffers, but all points less complicated than X are equally easy?

Thanks

Alan
