The other day, when signing into a new site, I came across the tedious act of creating a new password. Despite using a password manager and having random passwords on my favorite sites, for other websites where I do not access where I have the password manager installed, I prefer to create passwords that are easy to memorize, but difficult to guess using brute force techniques.
“Please create an 8 character password with uppercase lowercase numbers and special characters” but … how am I going to memorize this? I’m on my mobile phone, where do I keep it? Are users really forced to suffer the tyranny of password creation? Where is the balance of usability vs security here? What is the point of still maintaining these kinds of password policies?
If we think about how memory works, it is much easier to remember phrases related to us than a word made up of numbers, letters, and symbols. If brute force is the problem, as long as the sentence is long enough we have nothing to fear. For example, that it is easier for you to memorize “m0sKit0- *” or “I-like-to-walk -in-the-afternoons-in-winter”. Which of the two do you think is safer?
I have always believed that users do not have to be security experts to feel safe on the Internet, just as I do not have to know how to build a car to drive it. There are guidelines and regulations to follow and we will learn for our own safety, but companies we should seek to facilitate the management of user passwords as much as possible.
Despite the multiple alternatives to fortify logins such as the multiple authentication factor (MFA) or the single sign on, if for whatever reason we cannot include this kind on login mechanisms on our website, at least let’s think about which option would be easier for the users in case of creating passwords without reducing their complexity.