Password policy
===Usability considerations===
Password policies are usually a tradeoff between theoretical security and the practicalities of human behavior. For example:
*Requiring excessively complex passwords and forcing them to be changed frequently can cause users to write passwords down in places that are easy for an intruder to find, such as a [[Rolodex]] or [[post-it note]] near the computer.
*Users often have dozens of passwords to manage. It may be more realistic to recommend that a single password be used for all low-security applications, such as reading on-line newspapers and accessing entertainment web sites.
*Similarly, demanding that users never write down their passwords may be unrealistic and lead users to choose weak ones (or cause a lot of inconvenience when users forget their password). An alternative is to suggest keeping written passwords in a secure place, such as a [[safe]] or an encrypted master file. The validity of this approach depends on what the most likely threat is deemed to be. While writing down a password may be problematic if potential attackers have access to the secure store, if the threat is primarily remote attackers who do not have access to the store, it can be a very secure method.
*Inclusion of special characters can be a problem if a user has to [[login|log onto]] a computer in a different country. Some special characters may be difficult or impossible to find on keyboards designed for another language.
*Some [[identity management]] systems allow [[self-service password reset]], where users can bypass password security by supplying an answer to one or more [[security question]]s such as "where were you born?", "what's your favorite movie?", etc. Often the answers to these questions can easily be obtained by [[Social engineering (computer security)|social engineering]], [[phishing]] or simple research.
A 2010 examination of the password policies of 75 different websites concludes that security only partly explains more stringent policies: [[monopoly]] providers of a service, such as government sites, have more stringent policies than sites where consumers have choice (e.g. retail sites and banks). The study concludes that sites with more stringent policies "do not have greater security concerns, they are simply better insulated from the consequences from poor usability."<ref>{{Cite conference |title=Where do security policies come from? |conference=SOUPS '10: Proceedings of the Sixth Symposium on Usable Privacy and Security |last=Florêncio |first=Dinei |date=2010-07-14 |url=https://dl.acm.org/doi/10.1145/1837110.1837124 |pages=1-14 |via=[[ACM Digital Library]] |last2=Herley |first2=Cormac |doi=10.1145/1837110.1837124|url-access=subscription }}</ref> Other approaches are available that are generally considered to be more secure than simple passwords. These include use of a [[security token]] or [[one-time password]] system, such as [[S/Key]], or [[multi-factor authentication]].<ref>{{cite web|url=http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/|title=Passwords and Myth |publisher=CERIAS|date=May 11, 2006|author=spaf}}</ref> However, these systems heighten the tradeoff between security and convenience: according to [[Shuman Ghosemajumder]], these systems all improve security, but come "at the cost of moving the burden to the end user."<ref>{{cite web|url=https://blogs.wsj.com/cio/2015/05/27/for-cisos-irs-breach-highlights-tension-between-security-and-user-convenience/|title=For CISOs, IRS Breach Highlights Tension Between Security and User Convenience|first1=Steven|last1=Rosenbush|first2=Steven|last2=Norton|publisher=The Wall Street Journal|date=May 27, 2015}}</ref>