Does anyone have any evidence, anecdotal or formal, about how
different password strength requirements impact the usability of a

There's a spectrum of different strength requirements. I've seen
sites that don't have any requirements, other than the password
exists. I've seen others that require the password to be at least
10 characters, with at least 1 lower case, 1 upper case, 1 digit, 1
"special" character (like #$@!), and then require the password to
be updated regularly while preventing reuse of old passwords.

Our security purists here want "really strong" passwords, though
not as strong as my second example above. I'm looking to see if
there's any knowledge out there about how different points on the
strength-spectrum impact usability. Is there a watershed spot where
if we make it more complicated than X, usability really suffers, but
all points less complicated than X are equally easy?