Password Exhaustion

At what point is a password policy too strict?

When the user has to write the password on a post-it note to remember it. (Bam! There goes your security).

Password policies are designed to make it harder for bad people to get into a system, however they often make it harder on the user instead.

In IT security there is something called the Security, Functionality and Usability triangle.
The theory behind it is that the closer you get to one point, the farther you are from the other two. If You want high security, then you are sacrificing usability and functionality. If you want to focus on ease of use then you sacrifice security and functionality, and so on.

It's hard to find that balance of security and practicality. It's important to remember that you will never completely secure a system. All you can do is mitigate the risk, you will never be totally safe. You just need to find a level of risk that you are comfortable dealing with.

Within the last year or so I've started to despise strict password policies. I don't think they make the system any more secure and I believe they cause unneeded frustration.

I've become a fan of passphrases, they can be lengthy and still be easy to remember. Also they are just as secure as some of the stricter policies out there. (See XKCD comic above).

To me, if you make a password so strict that is has to be a certain amount of characters long, with special ones plus a number, are just narrowing down what the bad guys need to look for when trying to hack in.

Remember...we're trying to protect the systems from the bad guys...not ourselves.


Kersus's picture

A well written article. Thank you!

I sometimes have to go to reset the password to see their policies to remember what the password was. Did this one need two numbers? Was it 6 or 8 characters? Etc...

Yes!! I have to do that quite often now, and don't even get me started on the captchas...I feel like we're too focused on the security aspect and not enough on the functionality/ease of use. Even the best password policy is vulnerable, because humans are the weakest link in the security chain.