User accessibility, and keeping the bad guys out
As developers, all the systems we create have end-users. There is a delicate balance between making sure a user is who they say they are and stopping unauthorised access. Make it too easy and their data can be compromised - too difficult, and our helpdesk gets flooded daily with calls from users who can't legitimately get into their systems. The tried-and-true user/pass combination is an email address and a password.
As a user, I hate systems that impose ridiculously complex rules when it comes to me selecting a password. If I pick a password that is ridiculously simple, I should suffer any adverse implications for my poor decision. Making me remember a login that isn't my primary email address (such as a username/account ID) is just as annoying.
The worst offender for a system I use often is our credit card processor - if someone did get access to my account, the worst they could do is transfer funds to our company bank account. Nothing else remotely useful is available, yet they enforce a very complex pattern, and make me change it every month.
Another good example of this is in a recent thread by Geekzone user Lurch - he highlights the issue of signing up to Vodafone's careers site:
Please note that the password must respect the following rules:
- It must contain between 6 and 50 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ \ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
- It must contain at least 2 letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz).
- It must contain at least 1 numeric character(s) (0123456789).
- It must contain at least 1 character(s) from the following set: ! # $ % & ( ) * + , - . / : ; < = > ? @ [ \ ] _ ` { | } ~
- It must not contain more than 2 identical consecutive characters (AAA, iiii, $$$$$ ...).
- It must not contain your user name.
- It must not contain your email address.
- It must not contain your first name.
- It must not contain your last name.
Just to sign up to a careers site, you have to jump through all these hoops. Over the top much?
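As an added illustration (not code from the original post or from Vodafone's site), here is a checker that implements the rules quoted above. Run against a short, predictable password and a long passphrase, it shows that Passw0rd! satisfies every rule while "correct horse battery staple" fails three of them, which is the point the xkcd comic makes. Case-insensitive matching for the user name, email and name rules is my assumption; the quoted rules do not say.

```python
import re
import string

# Character set quoted in the Vodafone rules (space is notably absent).
ALLOWED = set("!#$%&()*+,-./" + string.digits + ":;<=>?@"
              + string.ascii_uppercase + "[\\]_`"
              + string.ascii_lowercase + "{|}~")
# The "special" subset: everything allowed that is neither a letter nor a digit.
SPECIAL = set("!#$%&()*+,-./:;<=>?@[\\]_`{|}~")
LETTERS = set(string.ascii_letters)


def check_password(pw, username="", email="", first="", last=""):
    """Return the list of quoted rules the candidate breaks (empty list = accepted)."""
    failures = []
    if not 6 <= len(pw) <= 50:
        failures.append("length must be 6-50")
    if not set(pw) <= ALLOWED:
        failures.append("character outside allowed set")
    if sum(c in LETTERS for c in pw) < 2:
        failures.append("fewer than 2 letters")
    if sum(c in string.digits for c in pw) < 1:
        failures.append("no numeric character")
    if not any(c in SPECIAL for c in pw):
        failures.append("no special character")
    # Three or more identical consecutive characters (AAA, iiii, $$$$$ ...).
    if re.search(r"(.)\1\1", pw):
        failures.append("3+ identical consecutive characters")
    # Assumption: substring checks against the user's details are case-insensitive.
    lowered = pw.lower()
    for label, value in (("user name", username), ("email address", email),
                         ("first name", first), ("last name", last)):
        if value and value.lower() in lowered:
            failures.append(f"contains {label}")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    for candidate in ("Passw0rd!", "correct horse battery staple", "Lurch99!"):
        print(repr(candidate), "->", check_password(candidate, first="Lurch") or "accepted")
```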
I originally had a whole blog post here outlining what I think is a better solution, but instead micsco's post from xkcd sums it up far better than I can:
