How many web passwords do you use a day? How many user names do you have? When you consider the number of sites requiring a login, the number of different usernames applied to those sites, and the various password and security requirements that differ between sites, it’s no wonder that the most common user password is “12345.”
We want to access our bank statements, watch Netflix, and view our sister’s vacation pictures easily and quickly. Why then do some sites require a password with a number, a special character, and a non-dictionary word to access trivial information? Why are we required to provide the name of our first pet, the first car we bought, or the name of our homecoming queen from high school to log in to a simple site, while other websites holding far more sensitive information ask only for a six-character password?
On the surface, security measures are in place to shield us from hackers and from software that records our keystrokes and recovers our passwords. We need to protect ourselves from identity theft and fraud. But how much risk are we really exposed to? Why is it that I can check my bank account balance without touching the shift key, but in order to view the due date of my library book I have to remember a string of characters that phonetically sounds out my mother’s maiden name? (Ospalik = 05pA1iK)
The Unusual Suspects
A recent study by Dinei Florencio and Cormac Herley (“Where Do Security Policies Come From?”, SOUPS 2010) showed that the strictness of a website’s password policy does not follow from the sensitive or personal nature of the information stored on that site. The site’s size, its number of users, the value of the information it holds, and its history of security breaches have little to do with its password requirements. Instead, password requirements correlate far more strongly with whether the site earns revenue from advertising and whether it faces strong competitors, and sites that do either tend to have the weaker policies.
The major predictors of whether a site will impose strict password rules are whether the site advertises and whether the user has a choice about using the site.
Florencio and Herley found that of the 75 websites they audited, governmental and educational institutions imposed the strictest password requirements. This is surprising considering that sites like PayPal, Amazon and Fidelity do not require users to follow password rules as strict as those imposed on students at the University of Florida or users of the USPS website. Note that strict composition rules are not the same thing as strong security: the banks and payment sites are the ones that actually lose money when an account is compromised, and they are the ones choosing lighter rules.
The Only Game in Town
When we take into account the fact that most government and academic websites don’t advertise and rarely compete with other websites for users, their cumbersome password requirements make sense. Amazon and PayPal rely on a solid user experience to bring back customers and advertisers alike. If a password requirement is too imposing, the user is less likely to remember the password and less likely to have a smooth login; that hurts the online experience, and the user is therefore less likely to return to the site.
However, government agencies (including retirement systems), have no reason to compete with other websites for users because citizens have to use the services provided by their state. For example (and not as a commentary on either of the following websites), a resident of New York cannot use the Connecticut DMV website. Therefore, the users will continue to return to the New York DMV site, regardless of what the user experience is like. Likewise, public sector employees do not have a choice in which retirement system they are placed.
The same holds for a college student, who has no choice in how to access grades, course information or lecture notes because the university offers only one website. A student is unlikely to select a college based on the online experience it offers, so students are locked into using the site until they graduate. There is no incentive to provide a superior user experience when the institution is (sometimes quite literally) the only game in town.
Additionally, neither government sites nor academic sites typically advertise, so they have no incentive to stay competitive in the marketplace to generate site traffic and attract advertisers. Public organizations seemingly have nothing to lose if they fail to meet common usability practices, except their reputation and user satisfaction. What is routinely ignored or underestimated, however, is the support cost of strict requirements: every forgotten password becomes a help-desk call or a reset flow, and those costs scale with the number of users and the strictness of the rules.
Finding a Compromise
A workable compromise between safeguarding users’ accounts and providing a good user experience is to limit online guessing rather than burden the user: lock an account (or, better, throttle it) for 24 hours after five failed login attempts, and reject the 20 most common passwords. The arithmetic is what makes the lockout effective. Five attempts per 24-hour window gives an attacker at most 1,825 guesses per year against a single account, so a password space of a few hundred thousand candidates takes on the order of a century to exhaust, and a six-digit PIN (one million candidates) takes over 500 years. Two caveats belong with that figure. First, lockout only limits guessing at the login form; it does nothing if the site’s password database is stolen and attacked offline, which is why passwords must still be stored with a slow, salted hash regardless of the policy at the front door. Second, a hard lockout lets anyone who knows a username lock its owner out, so many sites prefer escalating delays to a flat 24-hour lock. Blocking the most common passwords removes exactly the guesses an attacker tries first, which is where a short blocklist buys the most. Yet another option is to provide a widget that lets users gauge the relative strength of a password, which reminds users of best practices without imposing restrictions.
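The following is an added example illustrating the compromise above; it is not code from the article or from Florencio and Herley’s paper. It implements the five-failures-then-24-hour lockout with an injected clock so the lockout can be exercised offline, screens new passwords against a blocklist, stores passwords with a salted PBKDF2 hash so a stolen database still costs the attacker real work, and computes the worst-case years an online guesser needs for a given password space. The blocklist is a constructed sample, not a real top-20 list, and the 100,000 PBKDF2 iterations are an assumed work factor.

```python
"""Online-guessing throttle, blocklist screen, and the lockout arithmetic.

Added example; not the article's or the paper's code. Assumptions:
- the clock is injected (time.time by default) so lockout can be tested offline;
- COMMON_PASSWORDS is a constructed sample, not a real top-20 list;
- PBKDF2_ROUNDS is an assumed work factor for the stored hash.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5                 # failed attempts allowed before the lock engages
LOCKOUT_SECONDS = 24 * 60 * 60   # the article's 24-hour lockout window
PBKDF2_ROUNDS = 100_000          # assumed work factor for offline resistance

# Constructed sample of a "most common passwords" blocklist.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "abc123", "letmein"}


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256.

    A slow salted hash is what protects users if the database leaks;
    the login lockout below does nothing against that offline attack."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def password_allowed(password):
    """Blocklist screen in place of composition rules: reject only the
    guesses an online attacker would try first."""
    return password.lower() not in COMMON_PASSWORDS


class AccountGuard:
    """Per-account failure counter with a hard lockout.

    Caveat: because the lock is keyed on the account, anyone who knows the
    username can lock its owner out; production systems often escalate
    delays or key the lock on (account, source) instead."""

    def __init__(self, salt, digest, clock=time.time):
        self._salt = salt
        self._digest = digest
        self._clock = clock
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self):
        return self._clock() < self.locked_until

    def attempt(self, password):
        """Return 'ok', 'bad', or 'locked'. Counts failures and locks the
        account for LOCKOUT_SECONDS once MAX_FAILURES is reached."""
        if self.is_locked():
            return "locked"
        _, candidate = hash_password(password, self._salt)
        if hmac.compare_digest(candidate, self._digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = self._clock() + LOCKOUT_SECONDS
        return "bad"


def years_to_exhaust(space_size, attempts=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
    """Worst-case years for an online attacker to try every candidate against
    one account: `attempts` guesses per lockout window, windows per year."""
    guesses_per_year = attempts * (365 * 24 * 60 * 60) / lockout_seconds
    return space_size / guesses_per_year


if __name__ == "__main__":
    # Five attempts per day: a six-digit PIN space takes about 548 years online.
    print(f"6-digit PIN: {years_to_exhaust(10 ** 6):.0f} years")
    salt, digest = hash_password("correct horse battery staple")
    guard = AccountGuard(salt, digest)
    for _ in range(MAX_FAILURES):
        guard.attempt("12345")
    print("locked after five failures:", guard.is_locked())
```

The clock is injected so the test can advance time past the lockout instead of waiting a day; in a real deployment the counter and lock timestamp live in the account store, not in process memory, so they survive restarts and apply across every login front end.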
Why it Matters
Even if public sector and academic websites have little to lose in the way of money, a poor and often frustrating user experience eventually alienates and annoys users. From a public relations perspective, offering users a solid online experience is a reliable way to improve the image of the organization. With clear, simple, easy-to-follow password guidelines, users can begin their online experience on a positive note, instead of trying and failing to remember a complex password.
Although there are still security risks involved in allowing weak password requirements, the greater risk is in losing the engagement of your user base. Perhaps Florencio and Herley said it best: “sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability.”