Get The User Experience Right on Password Policy

Two of my current technical passions are security and user experience. Usually these two efforts are driven and delivered by teams with very different visions and passions, and consequently little collaboration takes place between them. Based on my experience today, that collaboration is much needed.

Password Expiration

This morning I was presented with a regular annoyance left over from the last millennium. Back when everyone used 'password' as their actual password, the only way to get them to change their ways was to expire their passwords. This became a widely accepted best practice, which of course back then it was.

Other sensible policies have since arrived, including complexity requirements, which make easy-to-guess or brute-forceable passwords unusable. A password expiration policy is just a sign that you haven't made your complexity requirements strong enough to survive a brute-force attack. Not only that, it shows you haven't understood how those attacks work: an attacker's expected work depends on the size of the space they have to search, not on how recently the password was chosen, so swapping one password for another of the same complexity makes no statistically significant difference to the chance of it being cracked. (Expiration does limit how long an already stolen password stays useful, but that is a different threat from guessing.) Consequently all you have done is annoy your user into having to think of, and remember, yet another password.

How to make a strong password.

The key to making a strong password is to think of something that is easy for a human to remember but hard for a computer to 'guess'. One of the best ways to accomplish this is to take two widely disconnected words and intersperse them with non-alphanumeric characters, e.g.


Because I have a brain that is designed to treat new and unusual things with a fair amount of respect and effort to store, imagining a trombone snorkeling in a sea of dollar bills with a winking smiley face will create a whole bunch of new associations, and it will be very difficult to forget. A computer, however, will take a very long time to iterate through enough combinations to 'guess' a password like that, and an attacker typically won't even bother to waste resources on it when there are plenty of easier ones to focus on.
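As an added example (not part of the original post), here is a small Python script that builds a passphrase in the shape described above from a constructed wordlist and puts numbers on the two attacker models in play: a blind brute force over every printable character, which is the attack the paragraph has in mind, and an attacker who knows the recipe (two dictionary words joined by symbols) and only has to search the dictionary. The wordlist, the separator set, the dictionary size of 7776 words and the guess rate of 10^10 per second are assumptions for the illustration, not figures from the post.

```python
import math
import random

# Constructed sample data for the demo; a real generator would use a large wordlist.
SAMPLE_WORDS = ["trombone", "snorkel", "glacier", "biscuit", "pelican", "lantern"]
SEPARATORS = "!@#$%^&*-_=+;:,.?"
PRINTABLE_ASCII = 95          # characters a blind brute-force search must cover
DICEWARE_SIZE = 7776          # assumed dictionary size for a recipe-aware attacker
GUESSES_PER_SECOND = 1e10     # assumed offline hash-cracking rate


def make_passphrase(words=SAMPLE_WORDS, separators=SEPARATORS, n_words=2, seed=None):
    """Build 'sep word sep word sep' from n distinct words and random separators.

    `seed` exists only to make the demo reproducible; real passwords must use
    the default, which draws from the OS CSPRNG via SystemRandom.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    chosen = rng.sample(words, n_words)                    # distinct, unrelated words
    seps = [rng.choice(separators) for _ in range(n_words + 1)]
    out = seps[0]
    for word, sep in zip(chosen, seps[1:]):
        out += word + sep
    return out


def brute_force_bits(password, alphabet_size=PRINTABLE_ASCII):
    """Work (log2 of guesses) for an attacker who knows nothing but the length."""
    return len(password) * math.log2(alphabet_size)


def recipe_bits(dictionary_size=DICEWARE_SIZE, n_words=2, n_separators=3,
                separator_alphabet=len(SEPARATORS)):
    """Work (log2 of guesses) for an attacker who knows the construction rule."""
    return (n_words * math.log2(dictionary_size)
            + n_separators * math.log2(separator_alphabet))


def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: on average half the space is searched."""
    return 2 ** bits / 2 / rate


if __name__ == "__main__":
    pw = make_passphrase(seed=7)
    print("passphrase:", pw)
    for label, bits in (("blind brute force", brute_force_bits(pw)),
                        ("recipe-aware", recipe_bits())):
        print(f"{label:18s} {bits:6.1f} bits  ~{expected_crack_seconds(bits):.3g} s")
```

The blind figure is the astronomical one the paragraph relies on; the recipe-aware figure is the one to plan around, because cracking tools do try dictionary words with symbol separators. Neither number moves when the same kind of password is rotated, which is exactly the point about expiration: if the recipe-aware number is too small, the fix is more words or a bigger dictionary, not a shorter lifetime.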

Now that I have made a real effort to invent a super-secure password, why would you want to expire it every six weeks? If you're that paranoid, enforce an even tougher complexity requirement instead.

Being a typical human, I get tired of this and discover a strategy that meets all the complexity requirements and satisfies the darn computer's insistence that I keep changing my password: I add a number to the end.


Now I can keep my complex password and simply increase the number until retina scanning becomes everyday technology. Man and computer both happy.

Trust my phone to spoil the party.

Now that the system has forced me to change my password, I have a bunch of other places I need to go and change it to the new secret+number as well. Probably the most important is my mobile phone. My mobile has the unusual privilege of accessing a whole bunch of private and work-related information, as well as being very easy to lose or misplace. If someone else gets hold of my phone, changing my password will go a long way towards stopping them from doing anything very useful with it.

Except that my phone presents a user experience with an unwanted and unexpected side effect. Although it hides the stored password, it lets me delete just one character and type another without clearing the hidden characters, making it very easy to change ********0 to ********1. That UI makes all the effort of inventing a complex password worth almost nothing: whoever holds the phone never needs to know the password at all, because trying the last character from 0 to 9 gives them ten guesses with a statistically high chance of one being right, and no need to imagine bizarre swimming instruments. It's obvious once you see it, and it would have been solved long ago if some of the security folks occasionally went to a UX meeting, and vice versa.
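As an added example, not from the original post, the following Python models the guessing game described above: an attacker who has the previous password, or a device with it sitting in an editable masked field, only has to try the trailing number, so the candidate list is ten entries long and a five-attempt login lockout is a coin flip at best. The Account class is a constructed stand-in for a login endpoint with a lockout, and is_trivial_variant is the check a password-change endpoint can run to spot a "+1" change; both are assumptions for the illustration, as are the sample passwords.

```python
import re


def split_suffix(password):
    """Split a password into (base, trailing digit run); the digit run may be empty."""
    base, digits = re.fullmatch(r"(.*?)(\d*)", password, re.DOTALL).groups()
    return base, digits


def suffix_candidates(old, budget=10):
    """Guesses an attacker who holds the old password tries first, on the
    assumption that the user 'just bumped the number': same base, trailing
    number incremented (or a digit appended if there was none)."""
    base, digits = split_suffix(old)
    start = int(digits) + 1 if digits else 0      # leading zeros are not preserved
    return [f"{base}{start + k}" for k in range(budget)]


class Account:
    """Constructed stand-in for a login endpoint that locks after N failures."""

    def __init__(self, password, max_failures=5):
        self._password = password
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, attempt):
        if self.locked:
            return False
        if attempt == self._password:
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def attack(old_password, account, budget=10):
    """Try the suffix candidates in order; return (outcome, attempts_used)."""
    attempts = 0
    for guess in suffix_candidates(old_password, budget):
        if account.locked:
            return "locked", attempts
        attempts += 1
        if account.login(guess):
            return "cracked", attempts
    return "exhausted", attempts


def is_trivial_variant(old, new):
    """Password-change check: same non-digit base, only the trailing number differs."""
    return split_suffix(old)[0] == split_suffix(new)[0]


if __name__ == "__main__":
    old, new = "Trombone$snorkel;-)0", "Trombone$snorkel;-)3"
    print("candidates:", suffix_candidates(old))
    print("attack:", attack(old, Account(new, max_failures=5)))
    print("trivial variant?", is_trivial_variant(old, new))
```

The search collapses from the full keyspace to about log2(10), roughly 3.3 bits, which is why a UI that lets one masked character be swapped is such a problem, and why a change endpoint that runs a check like is_trivial_variant only pushes the user to invent a different workaround rather than a better password.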