

Password fatigue - Wikipedia, the free encyclopedia - daniel-cussen
http://en.wikipedia.org/wiki/Password_fatigue
"20% of customer service calls are password-related."

Adding passwords to a site would make customer service increase 25%. This is brutal considering it's hard to automate, and according to Joel Spolsky, one of the first jobs a startup hands to a dude who works on an hourly wage.

Then there's the larger cost of turning users away.
======
TheTarquin
This is a perfect example of where the theory/practice divide comes back to
bite us. In THEORY enforced entropy, scheduled changes, "blind" passwords that
don't echo back a character, etc. all make our users way safer. In practice,
most of the time they just piss them off and the users just recycle the same
"entropic-enough" passwords on all sites, which they rotate through whenever
bothered to do so.

Users haven't read the security texts and, if they have, they probably don't
care.

Which isn't to say we SHOULDN'T design systems like that, it just means that
we shouldn't be surprised when users circumvent our well-intentioned password
policies.

