Highly Secure yet User-Friendly Passwords?!

I thought this was relevant: http://www.smbc-comics.com/index.php?db=comics&id=2237#comic

Forget forcing character sets or schemes on users. A password strength meter, combined with a backend that denies weak passwords, will help a user choose a strong password. For example, if they are entering an 8-character password, make them use a combination of upper and lower case letters and numbers by rejecting passwords that don't.

If they enter a really long password like "correct horse battery staple", then allow them not to use special characters, numbers, etc.

In doing so, you will allow users to choose long, secure passwords without annoying them by making them change all their e's to 3's to satisfy a number criterion that really only applies to making short passwords secure.
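The length-adaptive policy described above, as an added example that is not code from the original post. It is a single function the backend can use to reject weak passwords and the strength meter can call to show feedback; the length thresholds (8 and 16), the short denylist, and all names are assumptions chosen for illustration.

```python
"""
Length-adaptive password policy: short passwords must mix character
classes, long passphrases need only length.  Illustrative example; the
thresholds and the denylist below are assumptions, not from the post.
"""
from dataclasses import dataclass, field
from typing import List, Set
import unicodedata

MIN_LENGTH = 8          # assumption: nothing shorter is accepted at all
PASSPHRASE_LENGTH = 16  # assumption: at or above this, class rules are waived
SHORT_REQUIRED = {"upper", "lower", "digit"}  # classes a short password needs

# Constructed stand-in for a real breached-password list; a deployment
# would check against a much larger list (or a k-anonymity range query).
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein123"}


@dataclass
class Verdict:
    accepted: bool
    strength: str                 # "weak", "ok" or "strong" for the meter
    reasons: List[str] = field(default_factory=list)  # text shown to the user


def character_classes(pw: str) -> Set[str]:
    """Return which of upper/lower/digit/other appear in pw."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")   # punctuation, space, symbols
    return classes


def evaluate_password(pw: str) -> Verdict:
    """Same logic for the strength meter and the backend reject path."""
    # Normalise so "é" typed two different ways compares and counts the same.
    pw = unicodedata.normalize("NFC", pw)
    length = len(pw)

    if length < MIN_LENGTH:
        return Verdict(False, "weak", [f"use at least {MIN_LENGTH} characters"])
    if pw.lower() in COMMON_PASSWORDS:
        return Verdict(False, "weak", ["that password is on the common-password list"])

    classes = character_classes(pw)

    if length >= PASSPHRASE_LENGTH:
        # Long passphrase: no symbol/number rules, but length alone is not
        # enough if it is just one character repeated ("aaaaaaaaaaaaaaaa").
        if len(set(pw)) < 4:
            return Verdict(False, "weak", ["too repetitive; use several different words"])
        return Verdict(True, "strong", ["long passphrase; no symbols or numbers required"])

    # Short password: require the mixed character classes, and tell the
    # user that a longer passphrase is the alternative.
    missing = SHORT_REQUIRED - classes
    if missing:
        wanted = " and ".join(sorted(missing))
        return Verdict(False, "weak", [
            f"short password: add {wanted} characters",
            f"or use {PASSPHRASE_LENGTH}+ characters and skip these rules",
        ])
    strength = "strong" if ("other" in classes or length >= 12) else "ok"
    return Verdict(True, strength, ["meets the mixed-character rules"])


if __name__ == "__main__":
    for candidate in ["abc", "troubador", "Tr0ub4dor", "Password1",
                      "correct horse battery staple", "aaaaaaaaaaaaaaaaaaaa"]:
        v = evaluate_password(candidate)
        print(f"{candidate!r:32} accepted={v.accepted} {v.strength:6} {v.reasons}")
```

The `reasons` list is what the strength meter displays, so the user is told how to fix a rejected password rather than just seeing it fail. Because the UI meter and the backend run the same function, nothing the meter accepts is later refused by the server.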

I agree that this approach is the best of both worlds.

When there is time, I hope to build my own "Password Strength Meter" so users can choose the type/style of strong password that they most prefer.

(And I’ll have to further consult with Ralph and make sure there is a “Ralph-type” password scheme too…) :wink:

Debbie

The one thing to keep in mind is this: with those password reminders, you may just have people adding random characters to get it to pass, but it may wind up being something they can't remember, and they constantly have to reset their password.

I would be sure to have verbiage to indicate what you recommend for them.

Duly noted!

Thanks,

Debbie

Reading these comments takes me back. I sat in a lot of security meetings, briefings, and presentations. Passwords are only one part of security. "Security in Depth" was the term I heard a lot. Basically, a minimum of 8 characters is now accepted. Depending on your system, a max of 15/20/25 is normal. Make it too complex and people write the passwords down at their PC, because that is where they use them. Make it too simple and you get a lot of passwords that can be easily broken… I have always found it easier to keystroke log, etc.; I never had to do the hash thing, LOL. You would be surprised how many systems used to send passwords unencrypted.

The "why" should be asked: why are you asking for a password? I always have a bit of fun here: why ask for certain info? If it's sensitive and you don't need it, don't ask for it; that is the best route. It's only when you start securing certain types of information that you start to question the need for more complex passwords.

Passphrases are nice, but I have found that without training they don't work; also, if you are asking people to log in every time they have left their computer, even 8 characters sucks.

Be reasonable and think of your clients.