Here’s something that’s a little bugbear of mine: Passwords.
Now, we all have a way of remembering our passwords for all the hundreds of different apps and systems that we use on a daily basis – current thinking is that, with so many to remember, we might as well just write them down on a piece of paper and keep that somewhere safe. Even so, most people like to keep their passwords in their head where you can be sure that no-one will steal it. So, my problem is this: Why do we force users to create passwords that they won’t be able to remember?
Most users will have a favourite method for generating their own passwords (pets names, street names, birth dates, favourite quotes, etc) but not all passworded systems will accept these. A number I have encountered recently wanted me to make sure that I included both lower and uppercase letters, numbers and punctuation! …and they expected me to remember the resulting string of nonsense!
As designers and developers we should be making our systems as secure as possible – even from insider attacks – but we shouldn’t be forcing our users to do the same with their accounts: if they want to use insecure passwords then we need to let them. There’s no real point to creating complex passwords if they’re going to be forgotten or lost in some other way – that’s just making life difficult for the user.
Sure, we need to encourage them to use the most secure password they can but, if you force them to include or omit numbers and punctuation then you’re only going to disrupt their memory process and make it harder for them to remember what it was they typed two minutes ago.