Password Restrictions (or: Users Are Dumb)

Link: Password Restrictions (or: Users Are Dumb)

A SitePoint article suggests we shouldn’t try to save users from themselves by enforcing password restrictions:

Should You Enforce Password Restrictions?

I dislike password restrictions. Passwords may be a necessary evil, but they’re more repulsive when a perfectly reasonable key is rejected.

I can understand banks and Government departments don’t want novices choosing “password” as their secret key, but are users so naive? (OK, don’t answer that.) Actually, “password” could be a reasonable option: do hackers bother trying it?

— Craig Buckler, Should You Enforce Password Restrictions?

Um… is this a serious question?

Yes, we still need password restrictions. While I hate to take the pessimistic approach here, on average, users are dumb. I mean, really really dumb. You know why “password” is such a common password? Because USERS ARE DUMB. Most people have no true concept of what a “secure” password really means.

A secure password is one that’s hard to guess (by either humans or computers). The more complicated the string of characters becomes, the harder it becomes to guess. That’s why password “restrictions” like the requirement to have both letters and digits, or making the password case-sensitive, or requiring a non-alphanumeric symbol, are (in general) for your own good.

Now, while it may not be all that important for you to have an ultra-secure password for your ICanHazCheezburger account, it’s not uncommon for people to use the exact same password for every site they need a password for. So someone guesses your password once, and suddenly BAM they have access to your banking account, your credit card site, etc. Why? (Hint: users are dumb.)

Now of course we can’t force users to use different passwords on different sites. But we can try to help them at least pick passwords that won’t be guessed by the first ne’er-do-well that comes along.
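To make the restrictions above concrete, here is an added example (not code from the original post or from SitePoint) of a policy check that enforces the rules the post names, letters plus digits, mixed case and a non-alphanumeric symbol, and also rejects passwords that are merely dressed-up versions of “password”. The `COMMON_PASSWORDS` list, the `_LEET` substitution table and the function names are this example's own assumptions; a real deployment would load a large blocklist of breached or common passwords instead of the six constructed entries here.

```python
"""Password policy check: composition rules plus a common-password blocklist."""
import re

# Constructed sample blocklist (assumption for this example). A real service
# would load a large list of leaked/common passwords here.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
})

# Substitutions people use to sneak a blocked word past a naive check ("p@ssw0rd").
_LEET = str.maketrans({
    "@": "a", "0": "o", "1": "l", "!": "i", "$": "s",
    "3": "e", "4": "a", "5": "s", "7": "t",
})

MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is probably built from.

    Lower-case it, drop trailing digits/symbols ("password123!" -> "password"),
    then undo common letter-for-symbol substitutions ("p@ssw0rd" -> "password").
    """
    folded = password.casefold()
    stripped = re.sub(r"[^a-z]+$", "", folded)
    return stripped.translate(_LEET)


def check_password(password: str, blocklist=COMMON_PASSWORDS) -> list[str]:
    """Return the list of rules the password violates; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Case-sensitive policy: require at least one upper- and one lower-case letter.
    if password.lower() == password or password.upper() == password:
        problems.append("not mixed case")
    # Blocklist check runs on the normalized form so "P@ssw0rd1!" is still caught.
    if normalize(password) in blocklist:
        problems.append("too common")
    return problems


def is_acceptable(password: str) -> bool:
    """Convenience wrapper for a registration form: True only if no rule fails."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd1!", "Tr0ub4dor&3", "Correct-Horse-Battery"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The interesting case is `P@ssw0rd1!`: it satisfies every composition rule, which is exactly how many users respond to restrictions, yet it is still a trivially guessable password, so the blocklist check on the normalized form is what actually rejects it. Current guidance such as NIST SP 800-63B in fact treats screening against a list of commonly used or breached passwords as more valuable than composition rules alone, so a production check should lean on a much larger blocklist than the sample here.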

2 Comments

  1. Tom, the whole “users are dumb” stance is a little frightening. We understand why there’s a level of complexity needed for passwords, but users don’t.

    Part of this may be because we’re crafting crappy experiences around EXPLAINING to them why the complexity is needed. I’d say that’s the fault of us, not them. WE’RE dumb. Perhaps. Or acting stupidly.

    And I can FULLY understand why most people don’t want a million unique passwords floating around – it’s just not practical. There’s only so much a person can keep in their minds as they go about their days.

    Think of the broader context of this issue. How can WE work to educate our users, explain the nuances of why certain things are needed? It’s dangerous to jump in and call them dumb without assessing how we’re contributing to their “stupidity”.

  2. Tom Henrich

    You’re probably right, my stance is a little harsh. I tend toward a slightly more pessimistic view of things sometimes. Based on some experience and seeing what people do and choose, it’s hard to shake that concept. The fact that people don’t get why “password” is a bad password just boggles my mind.

    And I agree that it’s partly our fault as the designers of their web experiences. Perhaps we’ve been doing a bad job explaining these concepts to them. But after years of relatively widespread internet use, for people not to understand things like “don’t write your username and password on a sticky note on your monitor” (I’ve seen this happen WAY too often), it’s just bizarre.

    But to the point of the article I linked, while we work to (re)educate users on the point of strong passwords, we can’t just drop the restrictions and hope they figure it out quickly. We most certainly need to keep password restrictions in place. As the stewards of their online experience and identity, it’s partly our responsibility to keep them safe – and that means keeping them safe from themselves as well. If you want your password to be “password,” that’s terrific but I can’t in good conscience let you do that.
