Password hell, why everyone is failing password UX 101

Passwords are a horrible, clunky mechanism. However, until every device has a fingerprint or retina scanner API, they remain an essential basic security mechanism, one that end users accept as a necessary evil.

There tend to be three basic strategies that people adopt for website passwords.

1. A single password for everything. It is complex, but easily memorable because you have to type the same one several times a day.

2. A large number of passwords based on a pattern, perhaps even one per website, with the website name included in the pattern.

3. Randomly generated passwords stored either in the browser or in a key store like KeePass.

From my user testing, the first two are the most common, and some companies even ban the third strategy. It should be possible to recognise these strategies, understand exactly how users access websites and, more importantly, work out how to cause the least friction in their use of the website, yet I still see plenty of websites which fail to do so. Causing usability problems right at the start of a user experience is one of the least forgivable mistakes to make, as it paints the whole product negatively from the outset.

Password box which is not a type='password' input

Current browsers do a lot of extra things automatically if you have an input with a type of password: they offer to save it, they obscure the text being entered, and some even let you click on the box and reveal the obscured text to make sure you typed it in correctly.

I once visited a website that was ahead of its time in one respect, but on a mobile device it was sadly behind the times. The developer had identified one of the issues with the password box: obscured text cannot be read by the user. Obscuring the text is obviously beneficial and probably welcome in a busy environment, but if you are on your own in a secure environment it would be nice to be able to reveal the password. To achieve this he used a standard text box, manually obscured the text using JavaScript and put a reveal icon on the right side of the box. This worked well in a number of desktop browsers; on a mobile device, however, it was horrible. Many mobile keyboards would unexpectedly switch the first letter to a capital because it was just a normal text box, and they might also try to auto-correct what you were typing into a real word. This made it very hard to enter a correct password on a mobile device.
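The fix is to keep the field as a real `type="password"` input and implement the reveal icon by toggling the `type` attribute, so the browser still obscures the text, offers to save it and does not run keyboard auto-capitalisation or auto-correction. The following is an added example, not code from the original post or from the site it describes; the `configurePasswordField` and `fakeInput` names are my own, and the tiny fake element exists only so the logic can be exercised outside a browser. The `autocorrect` attribute is a Safari/iOS hint rather than a universally standard one; the others are standard HTML.

```javascript
// Added example (not from the original post): a password field that stays
// type="password" and reveals its text by toggling the type attribute,
// instead of a plain text box with characters obscured by script.

// Attributes that stop mobile keyboards capitalising or auto-correcting a
// password, and let the browser recognise the field for save/autofill.
const PASSWORD_FIELD_ATTRS = {
  type: 'password',
  autocomplete: 'current-password',
  autocapitalize: 'off',
  autocorrect: 'off',      // honoured by Safari/iOS; harmless elsewhere
  spellcheck: 'false',
};

// Applies the attributes to an <input> and returns the handler to wire to a
// reveal icon. The handler flips type between 'password' and 'text', so the
// browser does the masking and no script ever re-implements it.
function configurePasswordField(input) {
  for (const [name, value] of Object.entries(PASSWORD_FIELD_ATTRS)) {
    input.setAttribute(name, value);
  }
  return function toggleReveal() {
    const revealed = input.getAttribute('type') === 'text';
    input.setAttribute('type', revealed ? 'password' : 'text');
    return !revealed; // true when the password is now visible
  };
}

// Constructed stand-in for a DOM <input>, only so the logic runs under Node.
function fakeInput() {
  const attrs = {};
  return {
    setAttribute: (k, v) => { attrs[k] = String(v); },
    getAttribute: (k) => (k in attrs ? attrs[k] : null),
  };
}

// Exercises the toggle twice and reports the type seen at each step.
function demo() {
  const input = fakeInput();
  const toggle = configurePasswordField(input);
  const states = [input.getAttribute('type')];
  toggle(); states.push(input.getAttribute('type'));
  toggle(); states.push(input.getAttribute('type'));
  return { states, autocapitalize: input.getAttribute('autocapitalize') };
}
```

In a page you would call `configurePasswordField(document.querySelector('#password'))` and attach the returned function to the reveal icon's click event; on a sign-up form use `autocomplete="new-password"` instead so the browser can offer a generated password.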

Not showing the requirements for the password before entry

Everyone hates entering a password only to be told that it is not good enough and that it needs a minimum of 12 characters with no dictionary words, and so on.

Not showing the requirements at all

If you thought it was bad to be told after entering your password that it is not good enough, imagine how annoying it is to never be told the requirements even when you fail to meet them. I recently visited a site where, no matter what I tried to enter, it told me my password was not complex enough. I even tried "90-=Iop[Jkl;" only to be met with "this password does not meet the complexity requirements". Well, it looks pretty bloody complex to me! After a lot of tries I found out that there was a 15 character minimum; that is not an easy thing to guess, and no user should have to.

Ridiculous requirements for passwords

Your password must be changed every month, it must be at least 20 characters long and contain at least 3 of each of the following: lower case, upper... If the password has to be that complex, the end user is not going to remember it. They are likely to write it down, which largely defeats the point of having a password.

Not handling complex passwords

Sadly, nice memorable complex passwords fail when the website cannot handle them. I get frustrated that so many websites demand numbers and symbols, yet some websites cannot handle symbols in their passwords. This means that you cannot use the first two strategies for password memorisation.

It is very annoying to be met with "your password cannot contain symbols", but there is something worse. Deezer is one of those sites which cannot handle complex passwords properly, but rather than tell you it cannot cope, it simply says your password has been accepted and then fails to log you in. I wonder how many free trials which could have led to paying customers have been abandoned because the user was unable to log in and did not think to use a much simpler password to get a working login?

Not Handling Long Passwords

Can you believe that Microsoft requires a minimum of 8 characters, but cannot handle a password of more than 16 characters?

The length of a password really does reduce the probability of it being cracked, and long passwords are not necessarily hard to remember. A 16 character maximum is too small; allowing a large range of lengths makes passwords much harder for a computer to crack.

Allowing a computer unlimited chances to guess

The main reason people started imposing restrictions on passwords was to reduce the chance of a computer "cracking" a user's password by trying millions of potential passwords every few seconds until it succeeded. If the computer is only allowed a few guesses before it is prevented from trying again, the account is substantially more secure and you should not need such arduous restrictions on passwords, as they can then only realistically be cracked via social engineering or a more fundamental database-level hack.
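To make the "only a few guesses" idea concrete, here is an added example of a per-account attempt limiter; it is not code from the original post, and the `AttemptLimiter` name, the thresholds (5 failures in a 15 minute window, then a 30 minute lockout) and the scripted guessing run are all my own assumptions. It keeps state in memory; a real site would keep it in a shared store so every web server sees the same counts.

```javascript
// Added example (not from the original post): limit failed login attempts per
// account with a sliding window and a lockout. Thresholds are assumptions.

const MAX_ATTEMPTS = 5;              // failures allowed inside the window
const WINDOW_MS = 15 * 60 * 1000;    // 15 minute sliding window
const LOCKOUT_MS = 30 * 60 * 1000;   // lockout once the window is exhausted

class AttemptLimiter {
  constructor() {
    this.failures = new Map();    // account -> timestamps of recent failures
    this.lockedUntil = new Map(); // account -> time the lockout ends
  }

  // Ask before checking a password. `now` is a millisecond timestamp.
  check(account, now) {
    const until = this.lockedUntil.get(account) || 0;
    if (until > now) return { allowed: false, retryAfterMs: until - now };
    return { allowed: true, retryAfterMs: 0 };
  }

  // Call after a wrong password. Old failures outside the window are dropped,
  // so a user who mistypes occasionally is never locked out.
  recordFailure(account, now) {
    const recent = (this.failures.get(account) || []).filter(t => now - t < WINDOW_MS);
    recent.push(now);
    this.failures.set(account, recent);
    if (recent.length >= MAX_ATTEMPTS) {
      this.lockedUntil.set(account, now + LOCKOUT_MS);
      this.failures.set(account, []);
    }
  }

  // Call after a correct password: clear the account's history.
  recordSuccess(account) {
    this.failures.delete(account);
    this.lockedUntil.delete(account);
  }
}

// Constructed scenario: eight wrong guesses one second apart against one
// account, then a check during and after the lockout.
function simulate() {
  const limiter = new AttemptLimiter();
  let tried = 0, blocked = 0, now = 0;
  for (let i = 0; i < 8; i++) {
    if (limiter.check('alice', now).allowed) {
      limiter.recordFailure('alice', now);
      tried++;
    } else {
      blocked++;
    }
    now += 1000;
  }
  const duringLockout = limiter.check('alice', now).allowed;
  const afterLockout = limiter.check('alice', now + LOCKOUT_MS).allowed;
  return { tried, blocked, duringLockout, afterLockout };
}
```

With these numbers an online guessing attack gets at most a handful of tries per half hour, which is why the password itself no longer needs extreme complexity. The limiter does nothing for the other route the post mentions, a stolen password database cracked offline; that is a matter of how the passwords are hashed, not of attempt limits.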

What should I do then to provide the best UX?

Best practice for passwords is not rocket surgery. Simply aim for the following:

  • Help the user enter complex passwords by providing a dynamic complexity rating. The user wants their password to be complex, so help them to make it so.
  • Provide help text stating the requirements.
  • Provide a decent range of password lengths; 7-128 should be sufficient for most users.
  • Allow symbols, white space, numbers and letters at any point in the password.
  • Restrict the number of attempts to stop simple brute force attacks.
  • Only enforce a single level of complexity. If you have prevented brute force then the password does not require massive complexity, just enough to prevent a guess in 4 steps, i.e. one of the following:
    • Long password - 18 characters or more
    • Lower and upper case
    • Numbers
    • Symbols
    • Not on the list of 100 most common passwords
  • Provide error text explaining why a password has not been accepted and advise on how to meet the requirements for an accepted password.

At the very least, following these options should prevent you from creating resentful users before they have even created an account.
