I’ll admit it, passwords are a sore spot with me.  I hate making them up.  I hate remembering them.  One of my criteria for deciding whether or not to get new software is if it is worth another password.

Password Creation: 3 Ways To Make It Easier by Katie Sherwin is a “must read” for anyone doing requirements for password creation. Her guidelines include:

1. Show the Rules.  True experience–I was trying to create a password for a system and thought I was following the rules but it kept rejecting the password. I had the help desk on the phone and they couldn’t figure out what rule I was breaking either.  I was using my name in the password—I finally asked the help desk if “can’t include name” was an undocumented rule and they said “yes, it is”.  Pretty bad when even the help desk can’t keep up with the rules.
2. Allow the User to See the Password, if they wish.  Sherwin’s points out that most systems force the user to remember, without seeing, a weird string of characters they’re making up to meet the system’s rules. Seeing the password will help them remember it.
3. Show Strength Meters.  Since I’d never thought of a strength meter as a “carrot” in the password creation process, Sherwin’s points around them being motivating and providing satisfaction were enlightening.

I was interested in Sherwin’s reference to “…research that shows that standard guidelines for complex passwords are more vulnerable than other types…” because “…users who do create complex passwords, often store them in unsafe places (on post-its, in a drawer, under the keyboard, or in a file on their computer), therefore making them easy to find.”  I’ve long felt that complex passwords had this security hole, so it was interesting to see a study which confirmed it.