Should You Enforce Password Restrictions?
I dislike password restrictions. Passwords may be a necessary evil, but they’re more repulsive when a perfectly reasonable key is rejected. We’ve all seen “errors” such as:
- Your password is too short.
- Your password must contain letters and numbers only.
- Your password must be between 8 and 10 characters, use letters with at least one in uppercase, and have between one and four numbers. Please close your eyes, face north and recite Shakespeare while typing it.
Then, after you’ve spent 3 hours devising a reasonable password which adheres to the rules, you’re forced to change it again 7 days later.
I can understand banks and Government departments don’t want novices choosing “password” as their secret key, but are users so naive? (OK, don’t answer that.) Actually, “password” could be a reasonable option: do hackers bother trying it? One of the best passwords I ever defined had zero characters — no one ever attempted to enter nothing! (Just to be absolutely clear, this is an anecdote based on real attempts to access a non-essential offline server — I certainly don’t recommend you use blank passwords and few systems would allow it anyway.)
Does your Twitter client, photo gallery or blog comments form really require a password restriction? There are a number of issues with the approach:
- It’s an irritation for users — especially those who understand the security implications.
- Strict rules provide hackers with a template — they know not to bother trying passwords which are less than 8 characters, more than 12, have no numbers, etc.
- The rules make passwords far more difficult to remember — especially if you’re forced to change them regularly. Many users will simply write them down on a post-it note and stick it to their screen.
- If you specify what constitutes a “good” password, does it mean you’re partly responsible when a user’s account is compromised?
In my opinion, users should be allowed to choose whatever password they want. You can show a warning message when an easily-broken password is entered but, if they want the letter ‘p’, why not let them use it?
If you can’t trust users to enter a decent password, don’t let them choose one: create a random string and post it to them via email or snail mail.
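As an added illustration of the two options above (warn about a weak password but still accept it, or generate one for the user), here is example code written for this page rather than taken from the original post. It assumes a small constructed list of common passwords and a deliberately crude entropy estimate based on the character classes actually used:

```python
import math
import secrets
import string
from typing import Optional

# Constructed sample of commonly chosen passwords (assumption: a real deployment
# would load a much larger breach-derived list rather than this handful).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def estimate_entropy_bits(password: str) -> float:
    """Crude entropy estimate: length * log2(size of the character pool in use)."""
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(not c.isalnum() and c not in string.punctuation for c in password):
        pool += 32  # spaces and other characters: treat as a 32-symbol class
    return len(password) * math.log2(pool)


def password_warning(password: str) -> Optional[str]:
    """Advisory feedback only: return a warning string, or None if none is needed.

    The caller still accepts whatever the user typed; this never rejects a password.
    """
    if not password:
        return "Empty password: anyone who tries a blank password gets in."
    if password.lower() in COMMON_PASSWORDS:
        return "This is one of the most commonly guessed passwords."
    bits = estimate_entropy_bits(password)
    if bits < 40:
        return f"Weak password (about {bits:.0f} bits); a longer passphrase is far safer."
    return None


def generate_password(length: int = 16) -> str:
    """Server-chosen random password, for systems that send the user a key instead."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

The warning is shown to the user, but the form still submits; only `generate_password` takes the choice away from them.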
Do you use password restrictions on your system? Has it been more or less successful than no restrictions whatsoever?