While most of us understand and accept that there is a tradeoff between security and convenience, how and by whom is this tradeoff decided? Few would argue with getting a lot more security for a little inconvenience. But, if the decision-making process is obscure how can we be sure we’re not getting lots of inconvenience for little improvement in security? […] It is hard to tell whether security policies have the convenience-security tradeoff just right, or whether they are overshooting greatly and imposing considerable inconvenience for marginal benefit.
Our conclusions suggest that, at least in the case of passwords, exactly such an overshoot occurs. Some of the largest and most attacked sites on the web allow 6-character, lowercase passwords. By contrast, government and university sites generally have far stronger (and far less usable) policies. The reason we suggest lies not in greater security requirements, but in greater insulation from the consequences of poor usability. Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive. The watchers must be watched, not merely to ensure that they do not steal or cheat, but also to ensure that they do not decide to make their job a little easier at the cost of great inconvenience to everyone else.
–Dinei Florencio and Cormac Herley, Microsoft Research (June 2010); h/t Jared Sinclair.