One of my questions right now is whether or not to enforce the password complexity rule. Is it enough to inform the user that their password is weak, and let them go about their business if they so desire? Or do we force them to have a "strong" password that they may forget later? Security at the expense of usability, or usability at the expense of security?

Personally I hate it when I'm forced to include at minimum 8 characters, one uppercase character, one lowercase character, a symbol, etc. My worry is that if we enforce this (as the project charter currently specifies!), people will choose crazy passwords, forget them, and have to make numerous password retrieval requests, thereby degrading their experience on the site.
This is personal opinion, but I feel that design needs to be as flexible as possible unless there's a really good reason to do otherwise. For example, if your site is related to banking. Even Amazon, which stores credit cards, doesn't have a rigorous set of password rules (but they do have other measures, such as requiring you to enter the CC# again if you try to add a shipping address).

In that sense, I think it's better to inform than enforce. Let the users know the strength of their password but don't force them to any particular level.
kevin cheng • [EMAIL PROTECTED]
author of http://bit.ly/seewhatimean
work at http://raptr.com
cofounder of http://ok-cancel.com • http://offpanel.com
talks a lot at http://kevnull.com • http://twitter.com/kevnull
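The two policies discussed in this thread, "inform" versus "enforce", side by side as an added illustration; this is not code from the IxDA list or from any site mentioned above. The entropy thresholds, the tiny constructed list of common passwords, the composition rule (8+ characters, upper, lower, symbol, as the message describes it) and the function names are assumptions chosen for the example.

```python
"""Password-strength feedback: inform vs. enforce.

Added example for the thread above. Thresholds, the common-password
sample and the policy names are assumptions, not any site's real policy.
"""
import math
import string

# Constructed sample of very common passwords. A real deployment would
# check against a large breached-password corpus instead of this list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "iloveyou", "password1"}


def meets_composition_rule(pw: str) -> bool:
    """The classic rule from the message: 8+ chars, upper, lower, symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c in string.punctuation for c in pw))


def estimate_entropy_bits(pw: str) -> float:
    """Rough estimate: length * log2(size of the character classes used).

    This overstates the strength of dictionary words, which is why
    assess_password() checks the common-password list first.
    """
    if not pw:
        return 0.0
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    if size == 0:
        size = 1  # unrecognised characters only; be conservative
    return len(pw) * math.log2(size)


def assess_password(pw: str) -> dict:
    """Return a strength label ("weak"/"fair"/"strong") plus readable reasons.

    This is the feedback an "inform" policy would show next to the field.
    """
    if pw.lower() in COMMON_PASSWORDS:
        return {"label": "weak", "bits": 0.0,
                "reasons": ["This is one of the most common passwords."]}
    bits = estimate_entropy_bits(pw)
    reasons = []
    if len(pw) < 8:
        reasons.append("Shorter than 8 characters.")
    if bits < 40:          # thresholds are assumptions for the example
        label = "weak"
    elif bits < 60:
        label = "fair"
    else:
        label = "strong"
    if label != "strong":
        reasons.append("A longer passphrase of unrelated words would be stronger.")
    return {"label": label, "bits": round(bits, 1), "reasons": reasons}


def check_password(pw: str, mode: str = "inform") -> dict:
    """Apply the site's policy and return accept/reject plus the assessment.

    mode="inform":  always accept, but return feedback to display.
    mode="enforce": reject common passwords and anything failing the
                    composition rule, regardless of actual strength.
    """
    assessment = assess_password(pw)
    if mode == "inform":
        return {"accepted": True, **assessment}
    if mode == "enforce":
        ok = (pw.lower() not in COMMON_PASSWORDS
              and meets_composition_rule(pw))
        return {"accepted": ok, **assessment}
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    for candidate in ("password", "sunshine99", "Tr0ub4dor&3",
                      "correct horse battery staple"):
        for mode in ("inform", "enforce"):
            print(mode, repr(candidate), check_password(candidate, mode))
```

Running the block shows the trade-off the message raises: the long lowercase passphrase is rated "strong" by the estimate yet rejected under "enforce" because it has no uppercase letter or symbol, while "password" sails through "inform" with a "weak" label the user is free to ignore. Whichever policy a site picks, rejecting the common-password list is the cheap win that both modes can share.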
________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... [EMAIL PROTECTED]
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help