So then you have to decide, do we punish these users for their bad password practices or do we implement different practices that are more likely to be followed.
In most areas, I would agree that the latter would be the best approach, with nuance*
However, in the security space, I would argue that you should implement practices based on the threat model, and the importance of the data being protected.
Should a user be rotating passwords on a website they use to check the weather? Probably not.
For a banking site? I would, and enable 2FA if it already isn’t. 2FA, I would also argue, is more of a PITA for users than picking a strong password via their password manager.
We already see harmful example of suggestions being offered, not because the facts support it, but because “it’s easier for the user to follow”.
For instance, health authorities tell people to get 150 minutes of activity per week, despite the clear evidence that more than that would be better for optimal health.
Why do they do this? Because suggesting the true amount of exercise needed causes an aversion… the opposite effect.
So, I can see how we might ask users to only do the bare minimum, or else risk complete noncompliance with best practices. But the reality is, it only takes a very minimal amount of effort to secure our data, so we should encourage users to actually follow best practices (as it relates to their threat model).
In most areas, I would agree that the latter would be the best approach, with nuance*
However, in the security space, I would argue that you should implement practices based on the threat model, and the importance of the data being protected.
Should a user be rotating passwords on a website they use to check the weather? Probably not.
For a banking site? I would, and enable 2FA if it already isn’t. 2FA, I would also argue, is more of a PITA for users than picking a strong password via their password manager.
For instance, health authorities tell people to get 150 minutes of activity per week, despite the clear evidence that more than that would be better for optimal health.
Why do they do this? Because suggesting the true amount of exercise needed causes an aversion… the opposite effect.
So, I can see how we might ask users to only do the bare minimum, or else risk complete noncompliance with best practices. But the reality is, it only takes a very minimal amount of effort to secure our data, so we should encourage users to actually follow best practices (as it relates to their threat model).