Strong password vs. restriction on number of attempts

Why do internet services not go the same way?

Fundamentally, because users don't want it.

Implementing stronger security measures would mean spending money to do it, and for most internet services, stronger measures would also negatively impact the user base and usage of the service. Especially if you're an ad-revenue driven internet service (as most are), the last thing you want to do is prevent people from using your service for a period of time, because that's lost revenue.

Balancing security and convenience is difficult at the best of times, and when it comes to internet-based services, it is exceptionally difficult, because typical users, and the vast majority of users, are simply not willing to sacrifice any convenience at all, no matter how much security they get in exchange. As you note, typical password complexity schemes allow for passwords like Password1. Typical users pick a single, simple password like that, and use it for everything. (As every big password dump, ever, verifies.) They don't like to be told they can't use their password because it's laughably weak.

They just want to use the service, and are not willing to suffer much inconvenience to do so. With very few exceptions, if your service doesn't let them, there are a lot of nearly identical competing services that will, and that's where they'll go instead. And if they're not willing to "put up with" using anything remotely resembling a decent password, they certainly aren't going to tolerate being locked out of their service or having an actual strong password/phrase forced on them.

To that point, here is a decent estimation and analysis of usage for Gmail's two-factor authentication option, which links a research paper from EuroSec 2015 (pdf) reaching very similar estimates. A free, optional, very secure (and easy, convenient) way to protect your Gmail account from being hijacked... and about 6.5% of people can be bothered to use it.

So, if Google can only manage to get about 6.5% of people to use a free, convenient layer of security for their online service, no one stands a chance of imposing stronger security measures on their users.


Credit card information is not meant to be public. If someone is brute forcing a credit card, there is a really good chance, that either it was stolen or its details were somehow compromised. That is why blocking a credit card makes sense.

Gmail ID on the other hand is meant for public use. It can be displayed in some online profile or web site, it can be printed on a business card, etc. Basically you are meant to give people your ID, so they can use it to contact you. That is why blocking you out of your GMail account whenever someone decides to log in using your public ID (you know, just for the fun of it) is a really bad idea. The entire service could be shut down by someone with a lot of free time, determination and a long enough list of e-mail addresses. :)


The simple answer is that both should be best practice. Complex passwords reduce the chances that the password can be guessed, and attempt restriction reduces (note: but does not eliminate) the chance that a malicious user will be able to brute force the credentials.

The counter-argument here is that both measures have impacts on convenience and usability. Given the number of passwords we have for services these days, limiting the number of attempts greatly increases the false-positive chance (the likelihood that a user will be blocked when they are who they say they are, but have simply forgotten their password).

Increasing password complexity makes it more difficult to remember a password, and increases the attack surface from other routes (passwords written down/saved in browser, etc.).

For bank cards, they have elected to go with the relatively simple passcodes, relying on a fairly strict (three tries and you're blocked) attempt restriction. Combined with the fact that most card terminals are either manned, or at least monitored, the added security of a complex passcode would not be worth the increased time to enter, or chance of forgetting. Speed is king, in this scenario.

Conversely, for a website, the users are anonymous, so there's not that check. Complex passwords help to combat that scenario, but badly implemented attempt restriction could cause genuine users to be blocked either through forgetfulness, or maliciousness.

Do please note that this is not, as suggested by your title, an either/or scenario. There is nothing to prevent both methods being used, other than the convenience trade-off, or laziness on the part of the designer.
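The lockout trade-off the last two answers describe, written out as an added example that is not part of any answer above: a "three strikes and the account is blocked" policy (the bank-card model) lets anyone who knows a public e-mail address lock its owner out, while a policy that counts failures per (account, source) pair with exponential backoff slows a guesser down from their own address and leaves the real user, logging in from elsewhere, untouched. It also keeps a minimal password check so both measures sit side by side. The usernames, addresses, the stored hash, the wordlist and the clock are all constructed for the demo; the class and function names are my own, not from any library.

```python
"""Added example: two login-throttling policies against a lockout-DoS scenario.

NaiveLockout  - block the account after MAX_FAILS bad passwords from anywhere.
ScopedBackoff - count failures per (user, source); delay doubles per failure.
Everything here (users, hashes, addresses, timestamps) is constructed for the demo.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed credential store: PBKDF2-SHA256 with a fixed demo salt.
# (Real systems use a per-user random salt; fixed here only for the demo.)
_SALT = b"demo-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {"alice@example.com": _hash("correct horse battery staple")}

# Constructed stand-in for the "every big password dump" wordlist.
COMMON_PASSWORDS = {"password1", "password", "123456", "letmein", "qwerty"}


def password_acceptable(pw: str) -> bool:
    """Reject very short passwords and anything on the dumped-password list."""
    return len(pw) >= 12 and pw.lower() not in COMMON_PASSWORDS


def check_password(user: str, pw: str) -> bool:
    stored = USERS.get(user)
    if stored is None:
        _hash(pw)  # hash anyway so timing does not reveal whether the account exists
        return False
    return hmac.compare_digest(stored, _hash(pw))


class NaiveLockout:
    """Three strikes and the account is blocked, whoever made the attempts."""
    MAX_FAILS = 3

    def __init__(self):
        self.fails = defaultdict(int)
        self.locked = set()

    def login(self, user, pw, source, now):
        if user in self.locked:
            return "locked"
        if check_password(user, pw):
            self.fails[user] = 0
            return "ok"
        self.fails[user] += 1
        if self.fails[user] >= self.MAX_FAILS:
            self.locked.add(user)
        return "bad_password"


class ScopedBackoff:
    """Failures are keyed by (user, source); after FREE_FAILS the delay doubles."""
    FREE_FAILS = 2        # failures tolerated before any delay
    BASE_DELAY = 1.0      # seconds of delay after the first counted failure
    MAX_DELAY = 3600.0    # cap so a long campaign cannot grow the delay unboundedly

    def __init__(self):
        self.fails = defaultdict(int)
        self.next_allowed = defaultdict(float)

    def login(self, user, pw, source, now):
        key = (user, source)
        if now < self.next_allowed[key]:
            return "throttled"
        if check_password(user, pw):
            self.fails.pop(key, None)
            self.next_allowed.pop(key, None)
            return "ok"
        self.fails[key] += 1
        over = self.fails[key] - self.FREE_FAILS
        if over > 0:
            self.next_allowed[key] = now + min(self.BASE_DELAY * 2 ** (over - 1), self.MAX_DELAY)
        return "bad_password"


def lockout_dos_scenario(policy):
    """Attacker at 203.0.113.5 guesses alice's public address at 10 attempts/s;
    alice then logs in correctly from 198.51.100.7 (both addresses constructed).
    Returns (list of attacker results, alice's result)."""
    t = 0.0
    attacker = []
    for guess in ["Password1", "password", "123456", "letmein", "qwerty"]:
        attacker.append(policy.login("alice@example.com", guess, "203.0.113.5", t))
        t += 0.1
    alice = policy.login("alice@example.com", "correct horse battery staple", "198.51.100.7", t)
    return attacker, alice


if __name__ == "__main__":
    for policy in (NaiveLockout(), ScopedBackoff()):
        results, alice = lockout_dos_scenario(policy)
        print(type(policy).__name__, "attacker:", results, "| alice:", alice)
```

Under NaiveLockout the attacker's third guess locks the account and alice's correct login from another address is refused, which is the "long enough list of e-mail addresses" shutdown from the second answer. Under ScopedBackoff the attacker is throttled after the free failures while alice gets in, at the cost that a guesser with many source addresses still gets FREE_FAILS attempts from each one; a per-account global rate limit (or a CAPTCHA step) is the usual complement, which is why the third answer says attempt restriction reduces rather than eliminates brute force.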

Tags:

Passwords