Re: [IxDA Discuss] Password Strength Requirements

2009-04-18 Thread Chris Novell
I have read the prior replies and looked at the recommended links with interest and have learned a lot - thanks, all! I would like to suggest that a user could select a relatively strong password and write down something close to the password. They would then need to remember only what the

Re: [IxDA Discuss] Password Strength Requirements

2009-04-18 Thread Katie Albers
I really don't think that's a good idea. I've never tested it, but my gut says that: 1) if you use it so seldom you don't remember it, then you use it so seldom you don't remember the modification (which of those variations you proposed did I use? I should write it down) 2) if you use

Re: [IxDA Discuss] Password Strength Requirements

2009-04-18 Thread j. eric townsend
Lost in this discussion of password strength is, how do we handle multiple failed logins, forgotten passwords, and compromised passwords? If your overall design (is this where we get into service design?) is put together correctly, a compromised password (or an attack on an account) isn't

Re: [IxDA Discuss] Password Strength Requirements

2009-04-18 Thread Angel Marquez
Sounds like encryption http://en.wikipedia.org/wiki/Password_cracking to me, like WEP http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy on my wireless network at home. The systems in place have trained the way I choose passwords. I have a standardized way. I can recall 4 systems at the moment,

Re: [IxDA Discuss] Password Strength Requirements

2009-04-17 Thread j. eric townsend
Katie Albers wrote: This is true. Which is why password fields that you *can't* make strong are evil. All password fields should at the very least *accept* all typeable characters. To go to the trouble of entering a strong password and then be told that you can only use upper and lower case

Re: [IxDA Discuss] Password Strength Requirements

2009-04-17 Thread Roland Studer
Just some anecdotal stuff from me: You would think credit card companies would encourage strong passwords, but I have encountered cases where I couldn't enter my randomly generated password, which was 20-32 characters long, as the maximum length was 16 :-) I think a lot of password strength

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Yohan Creemers
Hi Alan, An approach could be to advise users about choosing a strong password, rather than forcing certain requirements. In combination with this advice, you can show users the password strength (poor, average, strong) of the password they are creating. (I've a working example available if
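The two ends of the thread side by side: the restrictive rules Eric and Roland ran into (alphanumerics only, 16-character cap, mandatory character classes) next to the advise-and-show-strength approach Yohan describes. This is an added Python example, not code from any poster or from the ylab.nl page; the deny-list, the leet-speak map, the 256-character cap and the poor/average/strong thresholds are assumptions made for the example.

```python
import math
import string
from dataclasses import dataclass

# Constructed deny-list: a handful of the entries attackers try first.
# A real deployment would load a large breached-password list here.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Simplified leet-speak normalisation so "Passw0rd" still matches "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "@": "a", "$": "s", "!": "i"})


def restrictive_validate(pw: str) -> list[str]:
    """The kind of rules the thread complains about: a 16-character cap,
    letters and digits only, plus mandatory character classes.  Returns the
    reasons the password is rejected (empty list = accepted)."""
    problems = []
    if len(pw) > 16:
        problems.append("longer than 16 characters")
    if not pw.isalnum():
        problems.append("contains characters other than letters and digits")
    if not (any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must contain an upper-case letter and a digit")
    return problems


def estimate_bits(pw: str) -> float:
    """Crude strength estimate: length * log2(pool), where the pool is the
    union of the character classes actually used.  Anything outside
    lower/upper/digit (space, punctuation, non-ASCII) counts as one extra
    class of 33.  This over-rates dictionary words, which is why the
    deny-list check in permissive_policy() runs first."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(not c.isascii() or not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


@dataclass
class PolicyResult:
    accepted: bool   # hard rejection only: too long, or on the deny-list
    rating: str      # "poor" | "average" | "strong": advisory feedback to the user
    bits: float
    reason: str = ""


def rate(bits: float) -> str:
    # Thresholds are assumptions for the example, not from the thread.
    if bits < 36:
        return "poor"
    if bits < 60:
        return "average"
    return "strong"


def permissive_policy(pw: str, max_len: int = 256) -> PolicyResult:
    """Accept every typeable character and cap length only far above what a
    person or a password manager would generate (the cap exists so a megabyte
    of input cannot be fed to the password hash).  Strength is reported, not
    enforced; the only hard rejections are the cap and the deny-list."""
    if len(pw) > max_len:
        return PolicyResult(False, "poor", 0.0, f"longer than {max_len} characters")
    normalised = pw.casefold().translate(_LEET)
    if normalised in COMMON_PASSWORDS:
        return PolicyResult(False, "poor", 0.0, "too common")
    bits = estimate_bits(pw)
    return PolicyResult(True, rate(bits), bits)


if __name__ == "__main__":
    for candidate in ("Passw0rd", "correct horse battery staple", "letmein99"):
        print(repr(candidate), restrictive_validate(candidate), permissive_policy(candidate))
```

Note what the two validators do with "Passw0rd" and "correct horse battery staple": the restrictive rules accept the first and reject the second for three separate reasons, while the permissive policy rejects the first as a deny-listed word and rates the second strong. A meter that only counts character classes would still over-rate "Passw0rd", which is why the deny-list check comes before the entropy estimate.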

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Michael Stiso
I thoroughly dislike the ever-more bizarre combinations of alphanumerics that are being required for passwords, even for sites as simple as a forum. I found the article below after getting in a heated discussion about the matter with the IT department of a particular site. (It was the first hit on

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Bruce Spedding
The easiest way to deal with passwords is to allow them to be simple so the user can remember them, and then apply other techniques - like limiting the number of successive attempts (to 3 or something), protecting the login with a captcha, etc. Complex passwords and/or forcing changes regularly will just
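The alternative Bruce describes, and the failed-login handling Eric asks about further up the thread, as an added Python example (not code from any poster): a throttle that decides, before the password is even checked, whether an attempt is allowed outright, must first solve a captcha, or is locked out. It counts failures per account and per source address, because a per-account counter alone misses one guess sprayed across many accounts. The counts, delays and the spray limit are assumptions for the example.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Counter:
    failures: int = 0
    last_failure: float = 0.0


class LoginThrottle:
    """Decides what a login attempt must satisfy before the password is
    checked: nothing, a captcha, or waiting out a lockout.  All thresholds
    are assumptions for the example."""

    def __init__(self, captcha_after=3, lock_after=6, base_delay=30.0,
                 max_delay=3600.0, forget_after=86400.0, spray_limit=20):
        self.captcha_after = captcha_after  # account failures before a captcha is demanded
        self.lock_after = lock_after        # account failures before the first timed lockout
        self.base_delay = base_delay        # first lockout length (s); doubles on each further failure
        self.max_delay = max_delay          # cap on the lockout length (s)
        self.forget_after = forget_after    # quiet period after which a failure history is cleared
        self.spray_limit = spray_limit      # failures from one source before every login needs a captcha
        self.accounts: dict[str, Counter] = {}
        self.sources: dict[str, Counter] = {}

    def _counter(self, table: dict, key: str, now: float) -> Counter:
        c = table.setdefault(key, Counter())
        if c.failures and now - c.last_failure > self.forget_after:
            c.failures = 0  # stale history no longer counts
        return c

    def lock_remaining(self, account: str, now: float) -> float:
        """Seconds of lockout left for the account (0.0 if not locked).  The
        delay doubles with each failure past lock_after, so a guesser is slowed
        to a crawl while a user who mistypes a few times is never locked."""
        c = self._counter(self.accounts, account, now)
        over = c.failures - self.lock_after
        if over < 0:
            return 0.0
        delay = min(self.base_delay * 2 ** over, self.max_delay)
        return max(0.0, c.last_failure + delay - now)

    def decide(self, account: str, source: str, now: Optional[float] = None) -> str:
        """Return "allow", "captcha" or "locked" for an attempt about to be made."""
        now = time.time() if now is None else now
        acct = self._counter(self.accounts, account, now)
        src = self._counter(self.sources, source, now)
        if self.lock_remaining(account, now) > 0:
            return "locked"
        if acct.failures >= self.captcha_after or src.failures >= self.spray_limit:
            return "captcha"
        return "allow"

    def record(self, account: str, source: str, success: bool,
               now: Optional[float] = None) -> None:
        """Feed back the outcome of the password check."""
        now = time.time() if now is None else now
        acct = self._counter(self.accounts, account, now)
        src = self._counter(self.sources, source, now)
        if success:
            acct.failures = 0  # the account's history is cleared; the source's is not
        else:
            acct.failures += 1
            acct.last_failure = now
            src.failures += 1
            src.last_failure = now


if __name__ == "__main__":
    t = LoginThrottle()
    for n in range(8):
        t.record("alice", "10.0.0.1", False, now=1000.0 + n)
        print(n + 1, "failures ->", t.decide("alice", "10.0.0.1", now=1000.0 + n))
```

Two design points worth noting. A successful login clears the account's counter but not the source's, so an attacker who guesses one account right out of a batch keeps paying the captcha cost on the next one. And the lockout is a growing delay rather than a permanent lock, so a stranger who knows your username cannot lock you out of your own account for good by entering junk a few times; that denial-of-service side effect is the usual objection to the naive "three strikes and locked" rule.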

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Nathaniel Flick
We discussed this very issue in my department recently. We decided that it's a balance between security and usability. What typical user wants to have a password 10 chars long with a capital and a special character? A short list: 1. Someone going to their banking site 2. Someone accessing tax

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Caroline Jarrett
Alan Cox wrote: Does anyone have any evidence, anecdotal or formal, about how different password strength requirements impact the usability of a web-based application? [snip] Our security purists here want really strong passwords [snip] At its heart, a request for a password is just another

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Francis Norton
You don't mention whether this is for an internal or external site - how much choice do the users have to use an alternative with simpler registration requirements? If it is for an external site, have you considered using OpenID (http://en.wikipedia.org/wiki/Openid)? Francis. -- Tigers walk

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Sean Phelan
The more complex the password rules are, the more likely people are to get it wrong. As Yohan says, some sort of visual feedback seems to be the best solution to me, with a link to tips if the user is struggling to understand your rules. The other thing you may wish to consider is how important is

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Yohan Creemers
The article on baekdal.com referred to by Michael is really worth reading! Here is another example of feedback on password strength http://www.ylab.nl/lab/password/ - Yohan

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread j. eric townsend
Alan Cox wrote: Does anyone have any evidence, anecdotal or formal, about how different password strength requirements impact the usability of a web-based application? Tangential, but here's a great article by Bruce Schneier on Choosing Secure Passwords based on how people actually attack

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Brian Forte
Gentlefolk, J Eric Townsend wrote: I think that your security purists (love that phrase) need to define the value of what you're protecting and determine an appropriate set of password rules. Are you protecting my checking account or my preferences at wunderground.com? In my (and others)

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread Katie Albers
One thing I'd like to reiterate and emphasize here is: In my (and others') experience, people tend not to differentiate between high and low value assets. For most people, one password is hard enough: multiple passwords are impossible to remember. Consequently, rather than use separate

Re: [IxDA Discuss] Password Strength Requirements

2009-04-16 Thread vicki pandit
I completely agree with Bruce here. Complex passwords and regular expirations force the user to record the password elsewhere, which is a much greater risk. Quite a few websites have sprung up that provide password-saving functionality, but I wouldn't be able to sleep peacefully knowing that all my

[IxDA Discuss] Password Strength Requirements

2009-04-15 Thread Alan Cox
Does anyone have any evidence, anecdotal or formal, about how different password strength requirements impact the usability of a web-based application? There's a spectrum of different strength requirements. I've seen sites that don't have any requirements, other than the password exists. I've