mohideen.com > Blog > Archive > November 10, 2003
There are a large number of web sites and applications that enforce varying degrees of password quality, all with the sincere intent of improving security. Do they really succeed? I believe they don't, and here's my take on it.

Password quality policies are designed to force the user to select passwords or passphrases complex enough that breaking them is much harder. Such policies fail to take into account that a password also needs to be easy to remember. They walk a delicate line between complexity and ease of retention, invariably lean towards complexity, and end up making things harder on the user.

Passwords chosen with complete freedom are easier to remember. I tend to think of such passwords as drawn from a namespace of the user's choice: anything from which the user can pick passwords that are complex enough but still easy to remember. Even within this comfort zone there is a limit to how many passwords can be generated from a given namespace and retained in memory. Beyond that limit the passwords have to be persisted somewhere, for instance on that yellow sticky note attached to your monitor.

Password quality policies abruptly switch the user from his preferred namespace to the designer's namespace. That special character the designer insists on is not in your namespace, so you can't remember anything you make up there. Like many users, you are forced to write it down and keep it within easy reach, and the intended security benefit is never achieved.

Designers defend their password quality policies on the premise that weak passwords are the weak point in the system. So is a complex password that has to be written down. In any case, assuming the transport and the server-side storage are secured (the password travels over an encrypted channel and is stored as a salted hash rather than in the clear), the user himself is the weak link, and whether or not you enforce password quality, he carries the ultimate responsibility for keeping his passwords secure enough.
Look at this problem from the perspective of the hundreds of web sites and applications where you have a user account, and the dozens of those sites that decided to implement a password quality policy. Of course I have to write down every password I made up to satisfy a password policy, and you would be surprised to know how I store them. We need to consider alternative approaches to improving security. Solving the problem of having to maintain a user account at every site is a good place to start: fewer accounts mean fewer passwords to deal with, and possibly a better job done with each of them.

Posted by nmohideen

Comments
Googl
Posted by: Googl at May 25, 2004 07:22 PM

Bruce Tognazzini, the human-computer interface guru, talks about this issue in his Security D'ohlts article - http://www.asktog.com/columns/058SecurityD'ohlts.html
Posted by: Nizam at June 9, 2004 10:09 PM

Please, can you help with a password? If you can, take the e-mail and tell me the password.
Posted by: adnan at June 16, 2004 12:26 PM

Adnan,