Security vs. Usability

The human factor is important when formulating password policies and designing authentication processes.
Security is only as good as the practices of the users who implement it. The best technical measures can easily be defeated by users who cannot or will not conform to policy. When confronted with too many passwords, users simply write them down. If passwords are too complex, users again write them down.
On the other hand, if users are allowed to pick trivial passwords, or to never change their passwords, then they will pick trivial, unchanging passwords. In this case, users will comply with policy, but systems will nonetheless be insecure.
There is a spectrum of security policies that ranges from extremely user friendly but technically insecure at one end to very difficult to use but technically secure at the other. For example, a very technically secure policy might require 20-character passwords, changed once a week, consisting of a sequence of randomly generated symbols. Clearly users will not cope well with this. On the other hand, a very user friendly password policy might allow any dictionary word as a password and never require passwords to be changed. In this case, systems can be compromised directly, regardless of user compliance with policy.
The best security that can actually be achieved, once both user behavior and system vulnerabilities are taken into account, lies in the middle of this spectrum. That is, passwords must be sufficiently complex that intruders cannot readily crack them, but simple enough that users will be able to remember them.
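As an added example (not part of the original text), the following Python models the spectrum described above by comparing how long a password is expected to resist offline guessing with how long the policy lets it live before it must be changed. The 20-symbol weekly policy and the dictionary-word policy are the two extremes named above; the 94-symbol alphabet, the 100,000-word dictionary, the 10-character quarterly "middle" policy and the guess rates are assumptions made for this example.

```python
import math
from dataclasses import dataclass

# Offline attack rate used for comparison. Assumption for this example only;
# real rates depend on the password hash in use and on attacker hardware.
GUESSES_PER_SECOND = 1e9

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    keyspace: int          # number of distinct passwords the policy permits
    rotation_days: float   # forced change interval; math.inf means never

def random_policy(name, alphabet_size, length, rotation_days):
    """Policy requiring `length` symbols drawn from an alphabet of `alphabet_size`."""
    return PasswordPolicy(name, alphabet_size ** length, rotation_days)

def dictionary_policy(name, dictionary_words, rotation_days):
    """Policy allowing any word from a dictionary of `dictionary_words` entries."""
    return PasswordPolicy(name, dictionary_words, rotation_days)

def keyspace_bits(policy):
    return math.log2(policy.keyspace)

def expected_crack_seconds(policy, guesses_per_second=GUESSES_PER_SECOND):
    # Exhaustive guessing finds the password after half the keyspace on average.
    return policy.keyspace / 2 / guesses_per_second

def survives_rotation(policy, guesses_per_second=GUESSES_PER_SECOND):
    """True if a password is expected to outlive its own rotation period."""
    return expected_crack_seconds(policy, guesses_per_second) > policy.rotation_days * 86400

# The two extremes from the text, plus a constructed middle-of-the-road policy.
STRICT = random_policy("20 random symbols, weekly", 94, 20, 7)                # 94 = printable ASCII (assumed)
LENIENT = dictionary_policy("any dictionary word, never", 100_000, math.inf)   # 100k-word list (assumed)
MIDDLE = random_policy("10 alphanumerics, quarterly", 62, 10, 90)             # constructed middle policy

def evaluate(policies, guesses_per_second=GUESSES_PER_SECOND):
    """Return {policy name: (keyspace bits, survives rotation)} at the given attack rate."""
    return {p.name: (round(keyspace_bits(p), 1), survives_rotation(p, guesses_per_second))
            for p in policies}

if __name__ == "__main__":
    for rate in (1e9, 1e12):
        print(f"--- attacker rate {rate:.0e} guesses/s ---")
        for name, (bits, ok) in evaluate([STRICT, LENIENT, MIDDLE], rate).items():
            print(f"{name:30s} {bits:6.1f} bits  survives rotation: {ok}")
```

Running it shows the middle policy holding up at one billion guesses per second but failing at a thousand times that rate, which is why the "middle" of the spectrum has to be re-evaluated as cracking hardware improves.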
Password management automation can help to achieve this balance. In particular, password synchronization, a helpful user interface and plenty of advance warning can help users to manage a single, reasonably secure, regularly changing password that applies to all of their login accounts. Hitachi ID Systems' experience in large deployments is that users can readily remember a single, strong, changing password, but that they do not cope well with multiple (e.g., 3 or more) passwords, or with passwords that change too frequently (e.g., more than once a month).