Anyone reading this on a tablet or smartphone, try to guess what shift+6 is; you have 10 seconds. We shall come back to this point later in the post.
As smartphones become our primary screens for browsing and interacting with the world wide web, we start finding new problems that stem from the changing ways of interacting with the web.
Most smartphones today feature a touch-screen-only interface with a digital QWERTY keyboard, often cramped within a 4 inch display. Let's not even get into the ergonomics here, but rather focus on the behavioral aspects. Migrating from a laptop or a desktop as your primary way of accessing the internet, and all the different tasks from email to that corporate app your company made (which might as well have gotten you this shiny new smartphone), can be unsettling for some. Especially for those whose competence with computers covers only the aspects they use regularly. This kind of migration leads to a number of usability issues I like to call “Phantom” problems.
In this post I am only talking about one of these phantom problems. The-one-where-the-app-asks-for-a-special-character-in-the-password.
Now, password protection measures can range from cautious to downright paranoid. I have come across several apps which ask for a lowercase letter, an uppercase letter, a number AND a special character. Some of the most frequent offenders were banking apps (people take money matters very, very seriously). Frankly, I think these should be more of a guideline than a mandatory requirement (special-character-wise). If you make the password rules so difficult that there's no chance the user can ever remember the password, he will write it down somewhere, defeating the purpose of the strong password itself.
Now let's get back to the issue at hand.
Given that special characters increase brute-force resistance exponentially, I doubt that it will be any good if the user himself can't input the password when he needs it the most. Most people who use special characters remember them not by name but rather by the key combination (there is a very wide variety of names for each one; I know a person who calls shift+1, the exclamation mark, a ‘bang’). Now what happens when the keyboard on your phone's screen no longer assists you with this combo method, or rather hides the characters off your screen altogether (bang)? People panic, and this is not a good attribute for any human-computer interaction point.
Hence, I strongly believe that forcing users to include a special character is not a good idea anymore. If they do it themselves, they're smart enough and care about the security. Otherwise, let's keep ourselves to lowercase, uppercase and numbers.
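To put numbers on the trade-off above (the exponential gain from a larger character pool versus a policy that treats special characters as optional), here is an added example that is not part of the original post. It estimates the brute-force keyspace of a password from its length and the character classes it uses, and contrasts the mandatory four-class rule with a guideline-style rule that only asks for enough estimated keyspace; the 50-bit threshold and the sample passwords are my own assumptions.

```python
import math
import string

# Character classes the post talks about, with printable-ASCII pool sizes.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "special": set(string.punctuation),     # 32
}


def classes_used(password):
    """Names of the classes that contribute at least one character."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def pool_size(password):
    """Size of the pool an attacker must assume once they know which classes appear."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def brute_force_bits(password):
    """log2 of pool_size ** length: each extra character multiplies the keyspace."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def mandatory_policy(password):
    """The banking-app rule from the post: all four classes are required."""
    return classes_used(password) == set(CLASSES)


def guideline_policy(password, min_bits=50):
    """Alternative rule (assumed threshold): accept any composition with enough keyspace."""
    return brute_force_bits(password) >= min_bits


if __name__ == "__main__":
    # Constructed samples: one special character versus one more alphanumeric character.
    for pw in ("Passw0rd!", "Passw0rd12", "correcthorsebatterystaple"):
        print(f"{pw:28} {brute_force_bits(pw):6.1f} bits  "
              f"mandatory={mandatory_policy(pw)}  guideline={guideline_policy(pw)}")
```

Swapping the special character for one extra alphanumeric character ("Passw0rd12") yields a slightly larger keyspace than "Passw0rd!" yet fails the mandatory rule, while a long lowercase passphrase far exceeds both and also fails it.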