Usability considerations

Password policies are usually a tradeoff between theoretical security and the practicalities of human behavior.

For example, requiring excessively complex passwords and forcing them to be changed frequently can cause users to write passwords down in places that are easy for an intruder to find, such as a Rolodex or a post-it note near the computer. Users often have dozens of passwords to manage. It may be more realistic to recommend that a single password be used for all low-security applications, such as reading online newspapers and accessing entertainment websites. Similarly, demanding that users never write down their passwords may be unrealistic and lead users to choose weak ones.

An alternative is to suggest keeping written passwords in a secure place, such as a safe or an encrypted master file. The validity of this approach depends on what the most likely threat is deemed to be. Writing down a password is problematic if potential attackers have access to the secure store; if the threat is primarily remote attackers who do not have access to the store, it can be a very secure method.

Inclusion of special characters can be a problem if a user has to log on to a computer in a different country, since some special characters may be difficult or impossible to find on keyboards designed for another language.

Some identity management systems allow self-service password reset, where users can bypass password security by supplying an answer to one or more security questions such as "Where were you born?" or "What's your favorite movie?". Often the answers to these questions can easily be obtained by social engineering, phishing or simple research.

A 2010 examination of the password policies of 75 different websites concludes that security only partly explains more stringent policies: monopoly providers of a service (e.g. government sites) have more stringent policies than sites where consumers have choice (e.g. retail sites and banks). The study concludes that sites with more stringent policies "do not have greater security concerns, they are simply better insulated from the consequences from poor usability."

Other approaches are available that are generally considered to be more secure than simple passwords. These include use of a security token or a one-time password system, such as S/Key.