Password usability

10 Dec 2010 - 11:19am
5 years ago
7 replies
1081 reads
Jayson Elliot

There is a lot of research that I can find about security policies and usability when it comes to user passwords.

What I'm not able to find, however, is anything related to policies with FORBID special characters. We have a security specialist in IT who is insisting that the password policy must forbid special characters, because "special characters give users too many options to forget."

This sounds ludicrous on the face of it to me, because merely giving people the option to choose special characters is not the same thing as requiring them. If someone has a favorite password which contains an exclamation mark, for example, forcing them to use a different password could result in their:

A) Selecting a password that they can't remember
B) Giving up during registration and not completing the process.

Does anyone know of a white paper or research that addresses this issue?


10 Dec 2010 - 12:12pm

Is this even a problem if you allow a user to retrieve her password if she forgets? I'm a big fan of the strength-meters next to a password entry and the ability to use special characters. I was under the impression that special characters were the only way to make a password "strong." Since my favorite 2 or 3 passwords all have special characters, the sites that do not allow them are the ones that I can't remember my login for. Special chars should be the norm in my opinion.

10 Dec 2010 - 1:34pm

I don't think it is a good design decision to rely on a recovery use case to compensate for forcing users through a difficult process. How annoying would it be for me to have to recover my password every time I wanted to login to that service? Rather humorously, I usually have to recover my password on this site (a few minutes ago in fact) because I only infrequently login and can't remember what my user name is (a problem I spoke to in an earlier post on this thread).

As a consultant, I have a myriad of logins and passwords, since I often obtain access to testing and production systems for multiple clients. having an easy way to learn my password and/or my user name is really important for someone like me, however, I would prefer an easier method still. I have stopped wasting my time with several efforts now, but get annoyed when I am forced to think up a new password for the password recovery process.


10 Dec 2010 - 1:06pm

Hi everybody,

What are the best resources on creating robust taxonomies for a website? Best practices in creating a new taxonomy? From the library science, IA, and UX perspective.

Your advice is most appreciated!

Thank you,

10 Dec 2010 - 1:27pm

Oh my! What a thing for him to assume! I find, personally, that special characters actually help me to remember my password and to give it more strength than not using them. As many password requirements do not limit this, your colleague is actually potentially forcing your users to think of passwords that don't have those characters, so they have to remember what characters are NOT being used, when, if he left it alone, they'd only have to remember the characters they choose to remember. As it should be.

In fact, any restriction to passwords, IMHO cause challenges. Short ones, other mandatory length requirements, ones that insist on a number or special character, changing the password frequently; these are all things that force users to have such a range of passwords they can't remember. Most people I know, have one or two words or structures they use, and from there generate their passwords based on limitations.If your users use the @ symbol or ! as part of that, you are going to mess them up.

So many times have  I visited a desk in an office with a password post-it on the computer monitor, making things too hard completely defeats the purpose.

On a second note, why don't we start getting consistent with using an email address/password combination for logins, rather than the user name thing. Most of the time, I can't remember what my user name is. We should do the extra work and allow people to indicate what "display" name is going to show for comments etc...and just use the email address as the user name. That would go a long way to simplifying this whole login business.

You will probably get so many posts on this forum that you can show your colleague, you wont' need to show him a study. Regardless, this decision should be your call as the experience designer. Pull rank if you have to on this one.


10 Dec 2010 - 4:42pm
Dana Chisnell

I've looked at research about authentication and usability pretty deeply over the last year, and I unfortunately haven't come across anything exactly like what you're looking for. But there is pleny of research out there that basically says, IT people are making uninformed, emotional and reactive decisions about password policies and it hurts users. Along those lines, you might be interested in these papers:

See "The True Cost of Unusable Password Policies: Password Use in the Wild" by Philip Inglesant & M. Angela Sasse, available here:

This might also be interesting to you. This research talks about users' decisions about just how far they're going to go to comply with security policies and what tradeoffs they make:

Dinei Florencio and Cormac Herley from Microsoft reviewed security policies from web sites and theorized about what motivated them.

Good luck. Let us know how it turns out.

13 Dec 2010 - 12:53pm

Just as FYI, not sure if any of you are Bank of America user on their online banking system.  But they do not allow special characters in their password policy.  I couldn't use ! as part of my password.  


13 Dec 2010 - 2:06pm

I wonder if that became a design constraint due to a technical constraint, because of a design decision further up the technology ladder. :)

-Mike C.

On Dec 13, 2010, at 10:59 AM, r32soul wrote:

> Just as FYI, not sure if any of you are Bank of America user on their online banking system. But they do not allow special characters in their password policy. I couldn't use ! as part of my password.
> >
> >

Syndicate content Get the feed