Is password strength validation a good idea?
Like probably most people in the world, I have only a few passwords that I keep in my mind, ready to be used when needed. Unfortunately, none of them are strong. Some of them are from the time when I first used the internet. Sometimes I come across sites that need a strong password, and those annoy me a bit.
As a site owner I would not validate passwords, probably only the length of the password. I think that from a user experience point of view it's a bad idea to force users to do something they don't want to. It may even drive them away from registering.
I would question what value it generates for you, and whether it is bigger than getting users to make up a new password for you.
Don't get me wrong
As a developer I know why a strong password is better, but I tend to think it's the user's own problem if somebody can guess their password. If the site is brute-forced and your password is found, that's your problem. Also, a site should not allow brute-forcing at all. So where is the problem anyway? Database leakage is the only possible way I can think of at the moment.
A cool fact is that my internet bank does not validate my password for strength. But it forces me to change it every 3 months. For me that is a little bit better than validation because it allows me to switch between 2 passwords. [Evil laugh]
Do we really need strong passwords with scrambled symbols and letters to be safe? Check out the article The Usability of Passwords by Thomas Baekdal. It talks about password security and is quite interesting on this topic.
So, what do you think about this as a user, owner or developer? I am really interested in your feedback.