Why are some password requirements insane?

    While most of us understand and accept that there is a tradeoff between security and convenience, how and by whom is this tradeoff decided? Few would argue with getting a lot more security for a little inconvenience. But, if the decision-making process is obscure how can we be sure we’re not getting lots of inconvenience for little improvement in security? […] It is hard to tell whether security policies have the convenience-security tradeoff just right, or whether they are overshooting greatly and imposing considerable inconvenience for marginal benefit.

    Our conclusions suggest that, at least in the case of passwords, exactly such an overshoot occurs. Some of the largest and most attacked sites on the web allow 6 character, lowercase passwords. By contrast, government and university sites generally have far stronger (and far less usable) policies. The reason we suggest lies not in greater security requirements, but in greater insulation from the consequences of poor usability. Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive. The watchers must be watched, not merely to ensure that they do not steal or cheat, but also to ensure that they do not decide to make their job a little easier at the cost of great inconvenience to everyone else.

    Dinei Florencio and Cormac Herley, Microsoft Research (June 2010); h/t Jared Sinclair.


    • Passwords that are too complex get written down, often on a sticky on the computer (accessible to anyone who walks by, like your co-worker or college roommate) or in a file (potentially accessible to hackers).

      Or the password gets forgotten, triggering a reset for bank accounts. And then you need to pay attention to the security of your resets, or the inconvenience.

      • “Passwords that are too complex get written down…”

        I’d guess more likely “almost always.”

    • My personal password policy on sites that allow it is neatly encapsulated by the below comic:


      • This comic should be required reading for everyone doing personal security.

      • Yes, four random words are easy to remember. Then, multiply that times the 100 password protected web sites I use regularly (from news site registrations to shopping to banking), so I have 400 random words to remember and to associate with the correct site. I am incapable of that so I use a password management app.

    • I suspect that there’s a lot of erroneous accounting of the security benefits of these rules, as well. A typical user will adapt to whatever restrictions they impose in fairly predictable ways, so things like requiring numbers, capitals, special characters, etc. have extremely marginal benefits because users still won’t pick these passwords in a truly randomized way.

    • The requirement to use numbers and special characters bothers me the most. 3 or 4 small words run together and separated by starting each word with an uppercase letter make passwords that are easy to remember and difficult to break.