Wednesday, May 23, 2007

Stupid Password UI experiences

Let's think through the following UI experience:

1) Log in with username and password

2) Your password has expired

3) Please enter your old password and your new password, then re-enter your new password

Since we just entered the old password to reach this page, why demand it a second time? The usual justification for re-prompting, that someone who finds an unattended logged-in session should not be able to change the password, does not apply here: the page is shown immediately after the password was typed.

Also, why demand that users change their passwords at all? If you need anything more than low-level security you should be using more than just a password. If you are guarding low-risk assets you should not make unreasonable demands on the user.

Each time a user is asked to generate a new password, the temptation to reuse the same password on every account with a time-dependent prefix or suffix increases: the stem stays fixed and only the year, month or counter bolted onto it changes, so anyone who learns one of the passwords can guess the next.
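Here is what that habit looks like from the server side. This is an added example, not code from the original post: a password-history check that peels the time-dependent decoration (year, counter, quarter, month name, punctuation) off both ends of a candidate and compares the remaining stem, plus an edit-distance check for near-duplicates. The function names (`stem`, `edit_distance`, `check_new_password`) and the sample passwords are my own constructions, and the month-stripping is deliberately greedy, so treat the stem comparison as a heuristic to be paired with the distance check rather than as an exact rule.

```python
"""Detect "rotation by suffix": a new password that is an old one with the
time-dependent prefix/suffix swapped. Added example code, not from the post;
all names and sample passwords are hypothetical."""

import re
from typing import Iterable, Optional

# Decoration tokens users bolt onto a fixed stem when forced to rotate: a
# year or counter ("2007", "07", "1"), a quarter ("q2"), a month name or
# abbreviation, or a run of punctuation. Matched after case-folding.
_MONTHS = ("january|february|march|april|may|june|july|august|"
           "september|october|november|december")
_ABBREV = "|".join(m[:3] for m in _MONTHS.split("|"))
_TOKEN = r"(?:\d{1,4}|q[1-4]|%s|%s|[^a-z0-9]+)" % (_MONTHS, _ABBREV)
_LEADING = re.compile(r"^" + _TOKEN)
_TRAILING = re.compile(_TOKEN + r"$")


def stem(password: str) -> str:
    """Case-fold, then repeatedly strip decoration tokens from both ends.

    Returns "" when the whole password is made of decoration (e.g. "Dec2007").
    """
    s = password.casefold()
    while True:
        m = _TRAILING.search(s)
        if m:
            s = s[:m.start()]
            continue
        m = _LEADING.search(s)
        if m:
            s = s[m.end():]
            continue
        return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_new_password(new: str, history: Iterable[str],
                       max_distance: int = 2) -> Optional[str]:
    """Return a rejection reason, or None if the candidate is acceptable.

    `history` is the user's previous passwords (in a real system you would
    keep them hashed and compare stems/distances only against the plaintext
    of the password just used to log in; this example keeps them in clear).
    """
    new_stem = stem(new)
    if not new_stem:
        return "password is made only of dates, counters or punctuation"
    for old in history:
        if new.casefold() == old.casefold():
            return "password was used before"
        if stem(old) == new_stem:
            return "same password with a different prefix/suffix"
        if edit_distance(new.casefold(), old.casefold()) <= max_distance:
            return "too close to a previous password"
    return None


if __name__ == "__main__":
    # Constructed sample: the "Summer2007!" -> "Summer2008!" rotation.
    previous = ["Summer2007!"]
    for candidate in ("Summer2008!", "Summerr2007!", "Feb2007", "Winter2008!"):
        print(candidate, "->", check_new_password(candidate, previous) or "ok")
```

Note the limitation this exposes: a similarity check can only be done against a password the server currently holds in plaintext (the one just typed at login), since stored hashes cannot be compared for closeness. The check therefore catches the user who increments the suffix, but it cannot stop the user from applying the same trick across other sites, which is the cross-account reuse the paragraph above is worried about.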

I seriously doubt that forcing users to change their passwords has any beneficial effect on security today.

