Why your password can’t have symbols—or be longer than 16 characters
by Casey Johnston @ Arstechnica
Password implementation and its effect on the user experience is something I’ve been following for a few years. Jakob Nielsen wrote a few articles on the subject that got me thinking, Stop Password Masking (2009) and Security and Human Factors (2000). I followed up with an article about passwords and usability here. Anyway, the crux of the argument is that uber-strong passwords don’t really improve security. In fact, they may actually make the entire process less secure because humans aren’t good at remembering a dozen complex passwords. They’ll write them down, which defeats the whole purpose. Add to that the fact that brute-force attacks make up a small number of successful break-ins compared with phishing, insider attacks or other social engineering strategies.
The article above talks about why every website has different password requirements (another usability hit, I might add) and also touches on the pros and cons of strong passwords. Basically, I still think I’m right.