k-int / XCRI-Aggregator

XCRI Course Related Information - Feed Validator and Aggregator

Consider requiring strong passwords #34

Closed davidjennings closed 12 years ago

davidjennings commented 12 years ago

At present it is possible to register with a weak password (e.g. all lower case letters). Are the risks and costs of malicious use sufficient to justify requiring strong passwords?

ianibo commented 12 years ago

Happy to take feedback for others on this.. Personally, I find this requirement a complete imposition.. I have a number of passwords that I use and I feel are sufficiently secure for the different levels of security I want. When an app makes me choose something other than what I would have I end up trying to remember something that isn't appropriate and it always goes horribly wrong. From a usability perspective, I'd (personally again) much prefer to go with strong advice, maybe a warning that "Your password is not strong" but ultimately let the user decide.

Need input from others on this, or I'd just suggest the risks don't outweigh the imposition, or the assumption that we know better than our users (In this case)

davidjennings commented 12 years ago

Sure, we just wanted to check that this had been considered explicitly. It would be a reasonable response to say that Ian's comment represents the "consideration" we suggested, and the answer to our question "Are the risks and costs of malicious use sufficient to justify requiring strong passwords?" is "No".

Having said that, further comment and feedback would not be unwelcome/unhelpful, I guess?

ianibo commented 12 years ago

Closing for now, unless user testing reveals this to be an issue?

davidjennings commented 12 years ago

Fine! V unlikely that end users will say "please make our passwords harder to remember"; the real test would be to ask other stakeholders including senior management, who don't have to remember the passwords themselves...

ianibo commented 12 years ago

Strong passwords just security theatre tho, aren't they? https://xkcd.com/936/
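
The two options discussed in this thread (a hard composition rule versus a "Your password is not strong" warning that leaves the decision to the user), as an added example that is not part of the original issue or the XCRI-Aggregator code. The function names, the 12-character threshold and the small blocklist are assumptions made for illustration.

```python
import re

# Constructed sample blocklist (assumption); a real deployment would load a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_ADVISED_LENGTH = 12  # assumed threshold, not taken from the issue


def composition_rule_ok(password):
    """A typical 'strong password' rule: 8+ chars with upper, lower and a digit."""
    return bool(
        len(password) >= 8
        and re.search(r"[a-z]", password)
        and re.search(r"[A-Z]", password)
        and re.search(r"[0-9]", password)
    )


def advisory_warnings(password, username=""):
    """Return human-readable warnings; never rejects anything itself."""
    warnings = []
    if password.lower() in COMMON_PASSWORDS:
        warnings.append("Your password is not strong: it is a commonly used password")
    if len(password) < MIN_ADVISED_LENGTH:
        warnings.append(
            "Your password is not strong: shorter than %d characters" % MIN_ADVISED_LENGTH
        )
    if username and username.lower() in password.lower():
        warnings.append("Your password is not strong: it contains your username")
    return warnings


def register(username, password, enforce=False):
    """Return (accepted, messages). With enforce=False the user always decides."""
    if enforce and not composition_rule_ok(password):
        return False, ["Password must contain upper case, lower case and a digit"]
    return True, advisory_warnings(password, username)


if __name__ == "__main__":
    # Constructed sample inputs: all lower case, mixed-class but short, long passphrase.
    for pw in ("password", "Passw0rd", "correct horse battery staple"):
        for enforce in (False, True):
            print(repr(pw), "enforce=%s" % enforce, register("alice", pw, enforce))
```

With `enforce=True` the short mixed-class password is accepted and the long all-lower-case passphrase is rejected; with `enforce=False` every registration goes through and only the short or common passwords draw a warning.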