Passwords Suck

 

Making Passwords Better.

Let’s start by playing a game of 'have you ever'. 

So my question is, have you ever tried entering a password on a new service, only to find that the service has a set of opinionated or even arbitrary rules stopping you from using the password you want to use?

You must use at least 1 symbol, 1 number, 1 uppercase letter, and 1 lowercase letter and 1 unicorn.

Let me set up a situation for you:

There is a new online pop-up store offering great deals but they require you to create an account before you can save or buy items.

So @WorkToday@ is your go-to password. You used it for a bunch of products before you came across our pop-up store, which wasn’t cool with it. That’s the thing about opinionated services: they often disagree. Maybe they need numbers or dislike special characters, maybe they love upper case letters but hate you using the same character more than once, and so on.

That night you jump back into our pop-up and you try some permutations of your go-to passwords, but you can’t get in. It’s time to use the password reset link again, which at this point is basically your login button.

The pop-up store then reminds you that your new password will not work because it was too close to your old password. If you’re me, this is the point where you decide that those new jeans are just not worth it, you want to chuck your computer/phone/tablet across the room, and you yell out to your mates that the pop-up store sucks. You can’t believe it’s real and you ask yourself how this thing even exists with such a crap system.

That’s right, these dumb rules in the registration system have not only lost our pop-up store a customer but done it in such a way that one user has influenced other users to stay away. All because developers with your best interests in mind thought they were helping.

 

Risks and Rewards

Now, just to be clear, I'm talking about those non-technical people who either write down their passwords on sticky notes or use a single password for multiple services. Yes, I realise these are both terrible ideas, but a lot of non-technical people with online accounts do exactly this.

So, the fact that this is dumb is not the point. The idea here is that it’s the user’s decision. Perhaps, to the user, the convenience of a single email/password combination is worth the risk of their accounts being compromised.

Because of this, a lot of login systems assume users carry no responsibility for their account’s security. Instead, the application must carry the burden. Many apps opt to do this the easy way: sticking to the status quo and treating their users like children.

If I were to play user advocate at this point: inform your users, but don’t insist. Your users should have the right to weigh up risks and rewards.

If you’re me, you use a password manager such as 1Password or LastPass and always turn on two-factor authentication.

Your users are not actually children, and will resent these inconveniences being forced upon them. This is what we call bad user experience.

In short, by adding layers of complexity you most likely are not helping your users; instead you are hurting their experience and their feelings towards your brand or service.

 

Making It Better

As a UX designer working on your app’s registration, you want a simple, friction-free way for your users to log in. But because you care about them, you don’t want them to have the awful experience of their account being compromised. Unfortunately you just can’t guarantee that: passwords are susceptible to brute force attacks, phishing scams, guessing, and the evergreen classic, looking over someone’s shoulder.

Being a UX designer puts the responsibility on your developers to secure the backend (make sure they hash and salt passwords, keep the user database secure, implement throttling of login attempts, and check for changes in geolocation). Your responsibility is the experience of your users. To that end, offer a variety of methods for enabling two-factor on your app and make sure your password recovery system is solid. Inform your users of the benefits of good password habits, but leave the ultimate password decision to them.
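To make the developer side of that concrete, here is an added example (mine, written for this post, not code from any particular framework or from the original article) of three of the backend pieces in Python: salted password hashing with PBKDF2-HMAC-SHA256, constant-time verification, and a per-account throttle on failed logins. The geolocation check is left out. The user table, the iteration count and the lockout numbers are made up for illustration, and the throttle is kept in memory only so the example runs stand-alone.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor. Assumption: 200,000 iterations is only an
# illustration; benchmark on your own servers and raise it as hardware improves.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with the
    same password get different digests, so a stolen table cannot be attacked with
    a single precomputed lookup and must be cracked one account at a time."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so response
    timing does not reveal how many leading bytes of the digest matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class LoginThrottle:
    """Per-account failure counter with a sliding window. Hypothetical in-memory
    version; a real deployment keeps this in a shared store so it survives
    restarts and covers every application server."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.clock = clock
        self._failures: Dict[str, List[float]] = {}

    def is_locked(self, username: str) -> bool:
        now = self.clock()
        recent = [t for t in self._failures.get(username, []) if now - t < self.window_seconds]
        self._failures[username] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, username: str) -> None:
        self._failures.setdefault(username, []).append(self.clock())

    def reset(self, username: str) -> None:
        self._failures.pop(username, None)


# Constructed user table for the example: username -> (salt, digest).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}
# Digest of a random string, verified against when the username is unknown, so
# that a wrong password and a non-existent user take the same time to answer.
DUMMY: Tuple[bytes, bytes] = hash_password(os.urandom(16).hex())


def login(username: str, password: str, throttle: LoginThrottle) -> str:
    """Return 'locked', 'ok' or 'denied'. Unknown users get the same 'denied' as a
    wrong password, so the response does not reveal which usernames exist."""
    if throttle.is_locked(username):
        return "locked"
    salt, digest = USERS.get(username, DUMMY)
    if verify_password(password, salt, digest) and username in USERS:
        throttle.reset(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

The throttle counts failures per account rather than per IP address, because the attack the post is worried about (guessing one user's go-to password) comes from anywhere; a real system usually does both, and pairs the lockout with the password reset flow so a locked-out user is not stranded.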

Remember, your app or service exists for your users, not despite them. I like to think you can get people to use strong passwords with simple, clear language describing the risk of a weak password, plus easy-to-use two-factor methods or password manager integration, without negatively affecting their experience of your product.

 

Better Ways.

Build and Encourage Two-Factor Authentication.

When you set up your two-factor authentication system, make sure to integrate it with the systems your users already have. Let them choose how they want to authenticate, whether it’s email, text, carrier pigeon or going through a maze of underground vaults, Get Smart style. Make it convenient for them to be secure. And once you do, write the messages you send them in a way they’ll understand.

Encourage your users to turn two-factor on after a few days of use in order to reduce the burden on the setup flow.

You can do what services like Slack are doing with a magic link, and Yahoo with their Account Key. The term “two-factor” isn’t mentioned anywhere.

 

Strength Meters

Use password meters to incentivise users to choose more secure passwords. Who doesn't like getting a green bar?

While this is a good reason to add one, there are some downsides:

  • “Weak password” doesn’t inform your user how to create a strong password.
  • “Excellent password” doesn’t inform your user why it’s good.

Also this is an easy way to fall into the trap of treating your users like children again.

 

Inform, Inform, Inform

You don’t want your users to get lost, or to just follow the steps in a flow. You should inform them so they understand what they’re doing. Motivating your user to create a better password is all about information. Making a bar turn green is fun and satisfying, but it doesn’t make a long-lasting difference. Making your two-factor system amazing is good for you, but your user still needs to turn it on.

To go biblical on this: “Make someone choose a good password, secure them for a day. Teach them what makes a good password, secure them for a lifetime.”

Let’s shift the motivation away from getting the password meter to green or getting through this one form. Let’s get people to choose good passwords for the sake of security.

Time for another scenario. 

Your non-technical user enters “password” as their password. On submit, or after validation, a message displays something like: Sorry about this, but your password is currently number 3 on the all-time list of most commonly used passwords. Are you sure you wish to use it?

With two buttons: Change password and Happy to use it.

By doing this you have moved the decision, and the frustration that comes with it, away from your registration system and onto your user, where it belongs. You have also informed them in a way that just maybe means they will try using better passwords in the future.
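Here is what that scenario, and the strength-meter complaint above, look like in code. This is an added example of mine, not code from the original post: a check that looks the candidate up in a constructed ten-entry common-password list, recognises trivial variations of those entries (the case, leet and trailing-digit mangling that guessing tools try first), and returns reasons in plain language plus advice, while always leaving the final choice to the user. The list, the twelve-character target and the wording are assumptions for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of the top of a "most common passwords" list. Assumption: a
# real deployment loads a full breach-derived list (tens of thousands of entries)
# from disk rather than hard-coding it.
COMMON_PASSWORDS: List[str] = [
    "123456", "123456789", "password", "qwerty", "12345678",
    "111111", "abc123", "iloveyou", "letmein", "welcome",
]
COMMON_RANK: Dict[str, int] = {pw: i + 1 for i, pw in enumerate(COMMON_PASSWORDS)}

# Substitutions cracking tools undo first: "P@ssw0rd1" is still "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def base_form(candidate: str) -> str:
    """Strip case, a trailing run of digits/symbols and leet substitutions, so a
    trivial variation of a common password is recognised as such."""
    return candidate.lower().rstrip("0123456789!?.#").translate(LEET)


def common_rank(candidate: str) -> Optional[Tuple[int, bool]]:
    """Return (rank, is_variation) if the password or its base form is on the list."""
    exact = COMMON_RANK.get(candidate.lower())
    if exact is not None:
        return exact, False
    base = COMMON_RANK.get(base_form(candidate))
    if base is not None:
        return base, True
    return None


def explain_password(candidate: str, min_length: int = 12) -> Dict[str, object]:
    """Build what the registration form shows. 'reasons' are plain-language
    statements the user can act on; 'allow' is always True because the final
    decision stays with the user ('Change password' / 'Happy to use it')."""
    reasons: List[str] = []
    hit = common_rank(candidate)
    if hit is not None:
        rank, is_variation = hit
        what = "a simple variation of" if is_variation else "currently"
        reasons.append(
            f"Your password is {what} number {rank} on the all-time list of most "
            f"commonly used passwords, so it is among the first guesses an attacker tries."
        )
    if len(candidate) < min_length:
        reasons.append(
            f"It is {len(candidate)} characters long. Every extra character multiplies "
            f"the guesses an attacker needs; {min_length} or more is a good target."
        )
    if len(candidate) > 2 and len(set(candidate)) <= 2:
        reasons.append("It repeats the same one or two characters, which guessing tools try early.")
    advice = (
        "Three or four unrelated words you can picture together are long, easy to "
        "remember and not on any list." if reasons else ""
    )
    return {"allow": True, "needs_confirmation": bool(reasons), "reasons": reasons, "advice": advice}
```

Note what the function deliberately does not do: it never returns a bare “weak” or “strong” label, and it never refuses. Each reason says what the problem is and what would fix it, which is the difference between a green bar and a user who chooses better next time.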

 

Looking forward

For those more tech-savvy readers, you already know that passwords are on the way out. This is because of how bad passwords are from a user perspective and the fact that they are far from perfect as a security method. The password is slowly being replaced by biometrics and user-friendly two-factor authentication systems. For the average user, though, it’s unlikely that we will be rid of them anytime soon. So, until we are all face scanning, fingerprinting and retina/eyeball reading our way into that shopping app, let’s all do our best to make the humble password better.