When is a complex password necessary?
Yesterday, I was invited to join a web forum where I could chat with other professionals on web design and development. I signed up, and put in a simple password when asked, but was told to pick a "complex password". After putting in several possibilities (and being annoyingly rejected), I finally was allowed in. The very first thing I did was ask the Administrator to turn that function off.
In this crazy world of stolen identities, why would I ask for that? Especially with my larger experiences in the World Wide Web. The answer is that it wasn't necessary for a message forum to have it. You always have to think about what information you're handing to a site, and does it then garner the need for a complex password system.
Identity Theft is a reality
We've seen plenty of articles and even news reports about stolen identities, even large systems like Xbox and Playstation under attack from hackers. We've heard stories of people's lives ruined by hackers accessing their bank accounts and credit cards, able to literally run them up into massive debt outside of their control. We've also seen identity theft just for the sake of spreading malware, as anyone on Facebook might have encountered friends suddenly posting links about a girl caught by her father as she masturbated on a webcam, or a spider growing under a person's skin. People click on these links, end up filling something out without really wondering why, and now their Facebook account is being used to spread the virus.
Identity theft happens, and we're told by the experts how we should make complex passwords, change them often, and store them in a safe place. Unfortunately, inconvenience makes many a user not follow best practices, so they'll instead put in simple passwords so they can easily remember them, and thus continue the cycle.
Now if you're a bank, online store with an account system, financial service, insurance company, etc...I can totally agree with the idea of having such a complex system. Especially anywhere that I enter credit information or my Social Security Number is where I'd want the security. However, when it's a simple message board, social network site, free "fun" thing that doesn't involve any private information, then I don't see the need.
You have to think about the User Experience
If you're still a skeptic to my logic, think about it this way. Say you set up a website for Gundam mecha or even Barbie dolls. You urge kids and teens to sign up, set up a profile, and then create mechs or Barbies to post on Facebook or print and put up in your room. You're not requiring the users to enter in a mailing address, cell phone number, and you're not asking for any financial information.
So the user will probably give you a name, email address, and some demographic information like age, gender, interests, etc. Nothing really that would be detrimental if it went public. Now imagine a kid or adult had to come in and put an 8-character complex password every time they wanted to play with the site. How soon would it be until they get annoyed or think it's "too much trouble" and thus not come back?
Now you've lost customers. Maybe your goal was a cool back end that sent these users to a third-party that would sell them Gundam toys and Barbie toys, even custom "dressed" to the designs they make (and you get a piece of the action). How did that complex security help you, and was it necessary?
When you build some kind of online setup or service, how much security you put on should balance itself with how much information you're asking for out of the user. I don't have a problem using a simple password all over the internet for message boards and even some social network sites. Why? Because I haven't given anything to those sites that warrant a complex password that I'll end up forgetting. Some can say I should write them down or use a password storage system, but then in my book you're just making life more complicated than it should be.
If you're a user, be smart
Now I'm not trying to disparage the idea of having secure passwords, but I am simply saying you don't need a complex/strong password for everything. As a user you should be smart enough to know when one is needed and when it's not. Here's where I'd tell you to make sure you use a strong password:
- Your email client
- Your bank website
- Any Government-related websites where you set up accounts
- Any financial institutions other than your bank, like investment firms
- Online stores like Amazon.com, especially if you store credit information there
- Any site where you have to set up a profile and store credit/banking information
Where would you not need a complex password?
- Message boards
- Social Network sites (you shouldn't be handing them private information anyway)
- "Fun" sites where you set up a profile, but do not give private information
A complex password should not become a necessity for every profile-based website. Users in many cases should be allowed the choice to be secure or insecure at their own risk, and developers should really think about if they're asking for anything that warrants complexity versus the notion of making their service "too much trouble" for people to use.
What do you think? Should we use complex passwords anywhere and everywhere no matter what? Or just in some places?