Friday, February 03, 2012

Login password for websites

Websites require the user to register an ID and password to access a user account. To improve security, some require a strong password, e.g. one that exceeds a certain length and contains a mixture of digits, lower-case letters and capital letters. Some also require the password to be changed at set intervals and disallow the reuse of passwords that were used previously.

The designers of these security measures forget that most users have to handle several dozen passwords at various websites. If the passwords must be changed regularly and a different password is used for each site, it is difficult for the user to keep track of them all. Users end up recording the passwords somewhere, which actually increases the chance of these passwords being stolen and misused!

Here are some practical measures used by some websites:

  • They remind the user to change the password, but give the option to skip the change or to keep using the old password.
  • They do not require the user to change the password, but require a second password for certain sensitive transactions.

The website designer should also consider whether the website really needs enhanced security measures. If the information is not sensitive, there is no need to impose a complicated password structure. It is better to let the user decide between a simple and a strong password than for the website designer to insist on a strong one.
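As an added example (not code from the original post or from any website it describes), here is what the measures discussed above look like when implemented: the composition rules, the change interval and the no-reuse history from the first paragraph, plus a relaxed policy of the kind the last paragraph argues for on non-sensitive sites. The `Policy` and `Account` classes, the function names and the 90-day and five-password defaults are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


# Hypothetical policy model (not from the original post): the rules the post
# describes, each one switchable so a site can choose how much it imposes.
@dataclass
class Policy:
    min_length: int = 8
    require_mixed_case: bool = True   # lower-case and capital letters
    require_digit: bool = True
    max_age_days: Optional[int] = 90  # None: never prompt for a change
    history_size: int = 5             # current + previous passwords that may not be reused


@dataclass
class Account:
    # Salted PBKDF2 digests, newest first. Keeping history as hashes lets the
    # site enforce "no reuse" without storing old passwords in clear text.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    changed_at: float = 0.0           # epoch seconds of the last change


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def composition_errors(password: str, policy: Policy) -> List[str]:
    """Return every composition rule the candidate password violates."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_case and not (
        re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
    ):
        errors.append("needs both lower-case and capital letters")
    if policy.require_digit and not re.search(r"[0-9]", password):
        errors.append("needs a digit")
    return errors


def was_used_before(password: str, account: Account) -> bool:
    """True if the candidate matches the current or any remembered previous password."""
    return any(
        hmac.compare_digest(_digest(password, salt), digest)
        for salt, digest in account.history
    )


def change_password(account: Account, new_password: str, policy: Policy,
                    now: Optional[float] = None) -> List[str]:
    """Apply the policy; on success record the new password and return []."""
    errors = composition_errors(new_password, policy)
    if was_used_before(new_password, account):
        errors.append("matches a previously used password")
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(new_password, salt)))
    del account.history[policy.history_size:]   # forget entries beyond the window
    account.changed_at = time.time() if now is None else now
    return []


def change_due(account: Account, policy: Policy, now: Optional[float] = None) -> bool:
    """Whether the site should prompt for a change (the prompt may still be skippable)."""
    if policy.max_age_days is None:
        return False
    now = time.time() if now is None else now
    return now - account.changed_at > policy.max_age_days * 86400


if __name__ == "__main__":
    strict = Policy()
    acct = Account()
    print(change_password(acct, "horse battery", strict, now=0))   # two violations
    print(change_password(acct, "Horse7battery", strict, now=0))   # []
    print(change_password(acct, "Horse7battery", strict, now=0))   # reuse rejected
    print(change_due(acct, strict, now=91 * 86400))                # True
    # The relaxed alternative the post argues for on non-sensitive sites:
    relaxed = Policy(min_length=12, require_mixed_case=False,
                     require_digit=False, max_age_days=None)
    print(composition_errors("horse battery staple", relaxed))     # []
```

Two points worth noting. The history of previous passwords is kept only as salted PBKDF2 digests, so a no-reuse rule does not require the site to hold old passwords in the clear. And `change_due` only tells the site when to prompt; whether the user may skip the prompt, as in the first practical measure above, is the site's decision. Later guidance points the same way as the post: NIST SP 800-63B (2017) advises verifiers not to impose composition rules or routine expiry, recommending a minimum length and a check against known-compromised passwords instead.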


1 comment:

  1. Heartily agree with Mr Tan.

    In the old days, this was called using your brains.
    Don't let the tail wag the dog.

    But nowadays, it's the Information Technology tail that wags the management dog.
    Driven by unthinking people who chant the mantra "Reduce the Cost to Serve Customers."

    I've always believed, if you want to reduce the cost to serve customers (as if this is really the mission of an organization);
    just close down the entire organization.
    No customers. No organization.
    Cost to serve = zero.

    I suspect the real reason for "reduce cost to serve" is that management has thrown too much unthinking money into the computerization & website black hole.
    And is now trying to justify the spending.
