Better Insulated From the Consequences of Poor Usability

“ We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. Online retailers and sites that sell advertising must compete vigorously for users and traffic. In contrast to government and university sites, poor usability is a luxury they cannot afford. This in turn suggests that much of the extra strength demanded by the more restrictive policies is superfluous: it causes considerable inconvenience for negligible security improvement. ”

Dinei Florencio and Cormac Herley from Microsoft Research asking Where Do Security Policies Come From? (PDF). Found via Bruce Schneier's always great blog on security, in his post on the Economic Considerations of Website Password Policies quoting this and another research paper.