Letting users choose their password is such a common thing that it's hardly considered any more in site design. I can't recall any sites I've enrolled with recently that buck the norm and force a password on you, save for some major banks.
The fact is that many, many, many people use the same password on every single site. Even with the advent of password manager software, Firefox, etc., there is still a huge number of users that are oblivious to the security risk of using the same password everywhere.
A scenario: you find some Apple 30" screens on Ebay for $500 (regular $2500). What a deal! The seller seems reputable enough, and people seem to be biting.
When the seller asks for payment only in Western Union, or some similar red flag, the pieces of the puzzle come together: it is more than likely the 'seller' is a fraudster who gained the password to the eBay account through phishing, or via another unscrupulous webmaster who allows access to his user database.
So the question is, why should any webmaster allow a user to choose their own password? You choose customers that walk into a retail storefront; if it's a drunk homeless person you escort them out. Following the retail store analogy, letting people choose their own password is akin to all the customers entering your store with the same overalls and a bag over their head.
So how can any webmaster feel comfortable knowing that your site access is only as secure as the weakest link in the chain of that particular user's internet habits? Why do places such as Ebay, Paypal, and Amazon, who I always look to when I'm considering usability and ecommerce, still allow user-defined passwords instead of enforced passwords?
I'm asking for opinions on this as I'm considering moving to enforced, random, pronounceable passwords. It's a simple script and although there's more than a password protecting me from my users getting the goodies, it would be the least I could do.
Could potential users be so turned off by an enforced pw that they would actually abandon a cart or registration process? The simple answer is, yes. There's a segment that will not enjoy the color yellow in your logo... I'm looking for the complicated answer though. And it must be complex, as I -know- for a fact Paypal, Ebay, and Amazon suffer greatly for their weak password strategy.
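The first post's plan of enforcing random, pronounceable passwords, as an added example that is not the poster's script: a consonant-vowel generator drawn from the OS CSPRNG, a checker for the shape it emits, and the entropy it yields set against a fully random alphanumeric string of the same length. The syllable alphabets and the four-syllable, two-digit shape are my assumptions.

```python
import math
import re
import secrets
import string

# Assumed syllable alphabets (not from the thread): consonants that are
# unambiguous when read aloud, plus the five vowels. Each syllable is one
# consonant followed by one vowel, so there are 16 * 5 = 80 syllables.
CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aeiou"
SYLLABLES = 4   # default word length in syllables
DIGITS = 2      # trailing digits to add a little entropy back


def generate_pronounceable(syllables: int = SYLLABLES, digits: int = DIGITS) -> str:
    """Return a random consonant-vowel word with a numeric suffix, drawn from
    the OS CSPRNG (secrets), never from random.random()."""
    word = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))
    suffix = "".join(secrets.choice(string.digits) for _ in range(digits))
    return word + suffix


def is_valid(password: str, syllables: int = SYLLABLES, digits: int = DIGITS) -> bool:
    """Check that a string has exactly the shape generate_pronounceable emits."""
    pattern = (rf"^(?:[{re.escape(CONSONANTS)}][{re.escape(VOWELS)}]){{{syllables}}}"
               rf"[0-9]{{{digits}}}$")
    return re.fullmatch(pattern, password) is not None


def entropy_bits(syllables: int = SYLLABLES, digits: int = DIGITS) -> float:
    """Bits of entropy of a pronounceable password: log2 of the number of
    equally likely strings the generator can produce."""
    return syllables * math.log2(len(CONSONANTS) * len(VOWELS)) + digits * math.log2(10)


def random_alnum_entropy_bits(length: int) -> float:
    """Entropy of a uniformly random [A-Za-z0-9] string of the same length."""
    return length * math.log2(len(string.ascii_letters + string.digits))


if __name__ == "__main__":
    pw = generate_pronounceable()
    print(pw, is_valid(pw))
    # 10-char pronounceable: ~31.9 bits; 10-char random alphanumeric: ~59.5 bits
    print(round(entropy_bits(), 1), round(random_alnum_entropy_bits(len(pw)), 1))
```

Pronounceability costs almost half the entropy at equal length, so an enforced scheme like this needs more syllables, not fewer, to match a plain random string.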
If the user chooses to use an insecure password that is the same as his/her password on every other site, that's his/her problem.
It's not your responsibility to worry about users entering insecure passwords for fake eBay sites.
If the owner of the fake eBay store uses the password and logs into your site with the other user's password, what's the issue?
I recognize the MS Passport idea and similar digital identity initiatives as a step in the right direction, it just seems that at this point if people are smart enough to buy something on the internet, then they are also capable of hitting 'Yes' to the question that pops up by default in Firefox 'Do you want to save this password?', and thus bypassing the issue of remembering multiple passwords.
One account = one user.
This is a basic building block, why is the standard these days still
'One account = One user IF (they didn't use this password on <immoral webmaster's site>)'
I would think if there were a few more webmasters enforcing passwords there would inevitably be a few more users using password manager solutions.
With the lifetime unlimited access, how do you prevent a user from "selling" his password to other people? (Ex: one user signs up for $25 then sells the password to 100 people for $5.)
That being said, regardless of my main site, it's just a general conceptual question. I make sites for lots of clients in lots of situations, including for those where no sales are involved, it's still: why would I want to promote a security methodology that has its roots in the '70s where it was more like 'One user = One computer'.
I have to admit if I went to an internet cafe today and tried to log into the 'top 10' sites where I personally use as a password, it might be a bit sticky: but there's always the forgotten password function.
The customer is always right and I'm big on keeping them happy and convenient-ized, however drawing the line at basic system access seems like a good direction.