Improving Computer Password Delays

For many computer applications and web sites, if you incorrectly enter your password during login, it will force a delay of a few seconds. Some login systems, like the one for Mac OS X, exponentially increase the delay time for each incorrect entry. This measure was initially put into place to deter password-cracking software, which would repeatedly attempt to enter thousands or millions of word combinations from a dictionary in an attempt to access an account.

The problem with this system is that the software engineer seems to forget that the interface is designed to be used by people, not machines. And people make mistakes. Brand Templeton suggests a better method: implement the delay after four failed attempts. By the fourth, it becomes obvious that the user has either forgotten his password entirely (and needs assistance) or is behind a malicious access attempt.

I’ve seen Templeton’s idea implemented on one banking site I frequent, where after five failed attempts, it locks me out for 24 hours. I seem to always find myself fumbling through my brain trying to remember which login-password combination I used for what banking site. I like the concept of the forgiving password delay, but please, whoever decides to implement this, don’t make the lockout time so absurdly long. It’s a very thin line a developer must walk between security and user-friendliness.