Promotional feature

Password policies for business portals – finding a balance between usability and security



Business portals are increasingly used by companies that rely on good relationships and easy transactions with suppliers and clients. Many companies in the B2B arena are seeing large benefits from systems such as SAP supplier portals, which let them create private areas where suppliers can access important real-time information and perform routine actions more easily.

Password Security

When a portal system is implemented, the people who will use it, both within the company that owns it and within the supplier or client companies, need accounts so that they can log in and be shown only the information relevant to them. You could either issue passwords or let users choose their own, but it is common good practice to enforce a password policy that stops users from choosing passwords that are easy to guess.

Every web user is familiar with these kinds of policies: how long the password must be, and composition requirements such as special characters, upper and lower case letters, and numbers. A very lax policy would be something like insisting that passwords are longer than six characters. A stricter one would require a longer password containing at least one special character, one number, and a mix of upper and lower case letters; PCI DSS, for example, sets minimum length and composition requirements for passwords on in-scope systems. Policies also typically cover when a password must be changed and whether a previously used password may be reused. Note that current NIST guidance (SP 800-63B) advises against forced periodic changes and composition rules, favouring a length minimum plus checking candidates against lists of known compromised passwords, so these traditional rules are worth weighing against the usability cost discussed below.

Security Versus Frustration

The problem with deciding on a password policy for your new business portal is that you want people to choose passwords that are not weak and easy to guess (like their date of birth or their pet's name), but you also want to avoid them feeling frustrated at having to think of something overly complicated and then remember it. If your policy is too strict it may be counterproductive, as the password holder is far more likely to write the password down somewhere. This is why it is wise not to reach automatically for the stricter combinations just because they 'feel' more secure to you.

Something that strikes a balance between ease of use and password strength is often better: for instance, requiring an 8-character password that includes at least one uppercase letter, one lowercase letter and one number tends to feel less annoying than requiring special characters as well. Length does more for strength than an extra character class, since each additional character multiplies the number of possible passwords, so raising the minimum length is usually a better trade than adding composition rules. On a mobile device, special characters can also be harder to find on the phone keyboard, making the password more annoying to enter when prompted.

Display The Policy on All Password Creation Pages

As well as finding a good balance and thinking about ease of use when deciding on your policy, make sure you display the policy on password creation and password change forms, so users don't have the frustration of entering the password they want only to get a validation error telling them they should have included a number or more characters. The validation should also report every unmet rule at once, rather than one per submission.
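To make the balanced policy and the up-front display concrete, here is an added example in Python (not code from the original article or from any portal product): a policy object that carries each rule's user-facing text together with its check, so the same object renders the requirements on the form and reports every unmet rule on submission. The three presets follow the article's lax, balanced and strict examples; the 12-character strict minimum and the small common-password denylist are assumptions added for illustration.

```python
"""Password-policy validator for a portal's account-creation form.

Added example, not from the original article. The presets and the
denylist below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable
import string

# A rule pairs the text shown to the user with the predicate that enforces it,
# so the form and the validator can never disagree about what the policy is.
Rule = tuple[str, Callable[[str], bool]]


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    # Passwords that are easy to guess regardless of composition (constructed sample).
    denylist: frozenset[str] = frozenset()

    def rules(self) -> list[Rule]:
        rules: list[Rule] = [
            (f"at least {self.min_length} characters",
             lambda p: len(p) >= self.min_length),
        ]
        if self.require_upper:
            rules.append(("at least one uppercase letter",
                          lambda p: any(c.isupper() for c in p)))
        if self.require_lower:
            rules.append(("at least one lowercase letter",
                          lambda p: any(c.islower() for c in p)))
        if self.require_digit:
            rules.append(("at least one number",
                          lambda p: any(c.isdigit() for c in p)))
        if self.require_special:
            # "Special" here means ASCII punctuation; widen if the portal allows more.
            rules.append(("at least one special character (e.g. ! @ # $ %)",
                          lambda p: any(c in string.punctuation for c in p)))
        if self.denylist:
            rules.append(("not a commonly used password",
                          lambda p: p.lower() not in self.denylist))
        return rules

    def describe(self) -> str:
        """Text to show on the create/change-password form before the user types."""
        return "Your password must have: " + "; ".join(t for t, _ in self.rules()) + "."

    def violations(self, password: str) -> list[str]:
        """Every unmet rule at once, so one submit tells the user everything to fix."""
        return [text for text, ok in self.rules() if not ok(password)]

    def accepts(self, password: str) -> bool:
        return not self.violations(password)


# Constructed sample denylist; a real deployment would use a breached-password list.
COMMON_PASSWORDS = frozenset({"password", "12345678", "password1", "welcome1"})

# Presets matching the article's examples; the strict length of 12 is an assumption.
LAX = PasswordPolicy("lax", min_length=7)  # "over six characters"
BALANCED = PasswordPolicy("balanced", min_length=8, require_upper=True,
                          require_lower=True, require_digit=True,
                          denylist=COMMON_PASSWORDS)
STRICT = PasswordPolicy("strict", min_length=12, require_upper=True,
                        require_lower=True, require_digit=True,
                        require_special=True, denylist=COMMON_PASSWORDS)


if __name__ == "__main__":
    for policy in (LAX, BALANCED, STRICT):
        print(f"[{policy.name}] {policy.describe()}")
        for candidate in ("pet name", "Password1", "correct horse battery", "Tr0ub4dor&3"):
            print(f"  {candidate!r:26} -> {policy.violations(candidate) or 'OK'}")
```

Note that "Password1" satisfies every composition rule of the balanced policy and is rejected only by the denylist, which is the practical reason composition rules alone do not keep out guessable passwords.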

It may seem trivial, but users are already frustrated at having to create accounts on so many sites and remember all of their passwords, so making sure your portal doesn't add to that frustration with an overly strict password policy is a good move.