[Sigia-l] Password usability

Andrew Boyd facibus at gmail.com
Fri Dec 10 15:04:48 EST 2010


On Sat, Dec 11, 2010 at 4:01 AM, Jayson Elliot <jayson.elliot at gmail.com> wrote:
> There is a lot of research that I can find about security policies and
> usability when it comes to user passwords.
>
> What I'm not able to find, however, is anything related to policies which
> FORBID special characters. We have a security specialist in IT who is
> insisting that the password policy must forbid special characters, because
> "special characters give users too many options to forget."
>
> This sounds ludicrous on the face of it to me, because merely giving people
> the option to choose special characters is not the same thing as requiring
> them. If someone has a favorite password which contains an exclamation mark,
> for example, forcing them to use a different password could result in their:
> A) Selecting a password that they can't remember
> or
> B) Giving up during registration and not completing the process.
>
> Does anyone know of a white paper or research that addresses this issue?

Jayson,

having worked both sides of the information security fence, I'd be
spinning this one around and asking your IT security colleague to
supply some research. So many organisations get into trouble because
of baseless IT security voodoo - if I had a dollar for every time I've
heard "we need CAPTCHA because it prevents DoS attacks" I'd be richer.
Needful security is, well, needed - and everything else that prevents
customer/client/staff task execution just needlessly threatens the
bottom line.

Cheers, Andrew

-- 
---
Andrew Boyd
http://uxbookclub.org -- connect, read, discuss
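An added example, not part of this thread, that makes the two competing policies concrete: a small Python checker that rejects an exclamation-mark password under a forbid-special rule and accepts it otherwise, plus the reduction in brute-force search space (in bits) that the rule hands an attacker. The policy dictionaries and the sample password are constructed for illustration.

```python
import math
import string

# Printable ASCII punctuation; what the "forbid special characters" rule bans.
SPECIAL = set(string.punctuation)

# Constructed policies for illustration (not any real organisation's rules).
POLICY_FORBID_SPECIAL = {"min_len": 8, "forbid_special": True}
POLICY_ALLOW_SPECIAL = {"min_len": 8, "forbid_special": False}


def check_password(pw: str, policy: dict) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < policy["min_len"]:
        reasons.append(f"shorter than {policy['min_len']} characters")
    if policy["forbid_special"] and any(c in SPECIAL for c in pw):
        reasons.append("contains a forbidden special character")
    return reasons


def alphabet_size(policy: dict) -> int:
    """Number of distinct characters a user may draw from under the policy."""
    size = len(string.ascii_letters) + len(string.digits)  # 52 + 10 = 62
    if not policy["forbid_special"]:
        size += len(SPECIAL)  # +32 punctuation characters = 94
    return size


def keyspace_bits(policy: dict, length: int) -> float:
    """log2 of the count of possible passwords of this length: the upper bound
    on an exhaustive guess, which a forbid-special rule lowers for every user."""
    return length * math.log2(alphabet_size(policy))


def bits_lost(length: int) -> float:
    """Search-space bits forfeited at a given length by forbidding specials."""
    return keyspace_bits(POLICY_ALLOW_SPECIAL, length) - keyspace_bits(
        POLICY_FORBID_SPECIAL, length
    )


if __name__ == "__main__":
    sample = "Tr0ub4dor!"  # constructed "favourite password with an exclamation mark"
    for name, pol in (("forbid", POLICY_FORBID_SPECIAL), ("allow", POLICY_ALLOW_SPECIAL)):
        print(name, check_password(sample, pol) or "accepted",
              f"{keyspace_bits(pol, 8):.1f} bits at length 8")
    print(f"bits lost at length 8: {bits_lost(8):.2f}")
```

At eight characters the forbid rule costs roughly 4.8 bits of search space, and it does so while rejecting exactly the passwords users already remember.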
