[Cryptography] Cost of remembering a password

Phillip Hallam-Baker phill at hallambaker.com
Fri Aug 15 20:18:39 EDT 2014


First year electronics lab we had a project where we had to build
stuff using stuff from the department stock. We had a budget of GBP15
and most of the parts were a few cents except for ICs which were more.

Potentiometers cost 20p for the part plus 5.00 for any manual
adjustment. The point of the project was you had to work out how to
avoid needing to use them.

So what would be an appropriate price in an application or Web site
design for requiring the user to remember a password? I am thinking at
least $25 and double that if the user has to append '1', '!' or '1!'
to pass the lame 'strength' tests people still insist on.

Not sure what the price for a CAPTCHA should be but there should
definitely be one. What really drags is when failing input validation
on a form requires the user to answer another CAPTCHA.

Perhaps if there was a cost penalty for using passwords, designers
would be more interested in using public key techniques that allow the
job to be done right.

