Challenge of UX design: How to remove the friction of creating a password
By Reinis Paulins
Creating a password is hard, but remembering it is even harder. Nobody really likes filling out forms, checking and validating emails, or inventing a new password that follows the site's security rules.
A human cannot remember 50 different random strings of characters, which leads to one of two common workarounds:
1. Users pick non-random passwords that are easy to remember,
2. Users write the passwords down on a piece of paper or in a file (a password manager is the safe version of this).
The first workaround is what led to the password security rules used by most websites that actually care about their users' data.
😵 But sometimes this can go wrong…
Thank god they fixed this password issue by implementing password constraint masking. But in the end, I didn't use this app for almost 5 months. If you were an e-commerce company rather than a government agency, you would have just lost a potential customer…
This experience is even more frustrating on mobile devices. Imagine password recovery: the user has to switch apps or websites to confirm the email, switch keyboards or open an SMS to copy a verification code, and then go back to paste it.
So what can I say about passwords from a UX perspective? First, passwords are difficult to create. Second, passwords are even harder to remember.
According to Luke Wroblewski, around 82% of people have forgotten their passwords. Password recovery is the number one request to intranet help desks, and if people attempt to recover a password while checking out on an e-commerce site, 75% won't complete their purchase. In other words, passwords are broken. And the situation is worse on mobile, where small screens and imprecise fingers are the norm.
But can we do better?
Yes, we can. But as always it depends on two factors, time and resources, and usually both are limited.
In this story, I won't talk about biometric solutions like Face ID and Touch ID. From a user perspective, these could fix the frustration with password-related UX. But it will take time to scale them globally and fix some issues…
When time and resources are limited you have to prioritise! Develop an implementation plan. Usually I consider three criteria: Potential, Importance, and Ease (the PIE framework). The resulting score sets the order in which changes are tested and implemented on the website.
Quick fix list
So, ordered by PIE score from previous projects, here is my quick fix list for passwords.
1. Show the password security rules
The user needs to know the password security rules. If you don't show the rules up front, how do you expect the user to succeed on the first attempt?
Imagine playing basketball for the first time with nobody having told you the rules. You will usually end up travelling. Password requirements should be visible at the time the user is creating the password.
But remember, the devil is in the details. Simply listing all 10 password security rules won't change the situation (see the example from my tweet above). The user needs to know whether the password they are typing already meets each rule, so check the rules on the client as the user types and mark each one as satisfied or not.
MailChimp is a great example of how to solve this issue.
2. Option to show or hide password
I believe the user needs to see what they are typing. The password should be unhidden by default. But do not forget the users who are not comfortable entering their password in an unhidden field: allow them to "hide" the password while typing.
Here is an excellent overview of the thinking behind showing passwords by Luke Wroblewski. Whatever default you pick, keep the toggle easy to find: a visible password on a shared or public screen is a shoulder-surfing risk, and the toggle should only switch the field between masked and unmasked, never send the password anywhere extra.
3. Limit the password requirements
Remember that a short set of random characters is not safer than a long string of memorable words.
That's why passphrases are both more secure and more usable. Phrases are easier to remember than random characters: they are meaningful and relatable.
With a passphrase policy you can drop most of the composition rules a traditional password needs: require length (and reject passwords from a list of commonly used ones) instead of demanding uppercase letters, digits and symbols.
A good example of using phrases as a password, from Simple.
4. Add alternative methods
Jakob's Law states that users spend most of their time on other sites. Users have almost certainly spent more time on Facebook, Twitter, GitHub or Gmail than on your website.
Users are more likely to remember their Facebook or Gmail password than the password they used for your website.
Take advantage of that. Offer social logins as an alternative, not as the only option: keep a non-social sign-in path for users who don't have, or don't want to link, those accounts.
5. Add a password strength meter
Help the user create a strong password by using a password strength estimator.
Even if you relax the password requirements, you can motivate the user to create a strong password by adding a gamification effect.
A password strength meter gives the user immediate feedback on the new password: is it strong enough or not? Does the user need to make up a new one, or add something (another word, numbers, capital letters, etc.)? Base the meter on an estimate of how many guesses the password would survive, not on a count of character classes: "P@ssw0rd1" ticks every composition box and is still among the first guesses an attacker tries.
By the way, here is an open source, low-budget password strength estimation tool from Dropbox: zxcvbn. 🔑
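To show what "estimate guesses, not character classes" means in practice, here is an added example (not zxcvbn and not Dropbox's code) of a deliberately simplified estimator in the same spirit: it segments the password into dictionary words, with leet and capitalisation variants, and brute-force runs, multiplies the guesses each segment costs, and maps the total to a 0–4 score. The word list and its frequency ranks, the leet map, the attacker guess rates and the score thresholds are all constructed assumptions:

```javascript
// Added example for point 5: a deliberately simplified guess estimator in the spirit of zxcvbn.
// It is NOT zxcvbn and not Dropbox's code. The word list with its frequency ranks, the leet map,
// the attacker guess rates and the score thresholds are all constructed assumptions.

// Constructed frequency ranks: a word's rank approximates how many guesses an attacker working
// down a frequency-ordered list needs before trying it. Real lists have ~1e5 entries.
const WORD_RANK = new Map(Object.entries({
  password: 1, monkey: 6, dragon: 7, letmein: 15, welcome: 19, admin: 40, summer: 120,
  horse: 900, correct: 1200, battery: 3200, staple: 8000, troubador: 25000,
}));

// Common "leet" substitutions users make to satisfy digit/symbol rules; attackers try them too.
const LEET = { '@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };
const unleet = s => [...s].map(c => LEET[c] ?? c).join('');

// Longest dictionary word starting at position i of the normalised (lower-cased, un-leeted) string.
function longestWordAt(norm, i) {
  let best = '';
  for (const w of WORD_RANK.keys()) if (norm.startsWith(w, i) && w.length > best.length) best = w;
  return best;
}

// Size of the alphabet an attacker must brute-force for a run of characters nothing else explains.
function charsetSize(run) {
  let n = 0;
  if (/[a-z]/.test(run)) n += 26;
  if (/[A-Z]/.test(run)) n += 26;
  if (/[0-9]/.test(run)) n += 10;
  if (/[^A-Za-z0-9]/.test(run)) n += 33;
  return n;
}

// 0-4 scale (assumed thresholds) so a meter can show "very weak" .. "strong".
const scoreFor = g => (g < 1e3 ? 0 : g < 1e6 ? 1 : g < 1e8 ? 2 : g < 1e10 ? 3 : 4);

// Greedy left-to-right segmentation (ASCII input assumed): dictionary words cost about their rank,
// times small factors for leet/capitalisation; everything else costs a brute-force search over its
// own charset; whitespace separators are assumed free. Total guesses are the product of the parts.
function estimateStrength(password) {
  const norm = unleet(password.toLowerCase());
  const matches = [];
  let run = '';
  const flushRun = () => {
    if (run) matches.push({ token: run, kind: 'bruteforce', guesses: charsetSize(run) ** run.length });
    run = '';
  };
  for (let i = 0; i < password.length; ) {
    if (/\s/.test(password[i])) { flushRun(); i++; continue; }
    const word = longestWordAt(norm, i);
    if (!word) { run += password[i++]; continue; }
    flushRun();
    const raw = password.slice(i, i + word.length);
    let guesses = WORD_RANK.get(word);
    if (unleet(raw.toLowerCase()) !== raw.toLowerCase()) guesses *= 4; // leet variant
    if (/[A-Z]/.test(raw)) guesses *= 2;                             // capitalisation variant
    matches.push({ token: raw, kind: 'dictionary', guesses });
    i += word.length;
  }
  flushRun();
  const guesses = matches.reduce((acc, m) => acc * m.guesses, 1);
  return {
    guesses,
    score: scoreFor(guesses),
    matches,
    // Assumed attacker models: throttled online login (100 guesses/hour) vs offline fast hash (1e10/s).
    secondsOnline: guesses / (100 / 3600),
    secondsOffline: guesses / 1e10,
  };
}
```

Under these assumptions `estimateStrength('P@ssw0rd1!')` comes out at about 1.5e4 guesses (score 1) even though it satisfies every composition rule, `'Tr0ub4dor&3'` at about 3.7e8 (score 3), and `'correct horse battery staple'` at about 2.8e13 (score 4). The `matches` array is what a good meter surfaces as feedback ("this is a dictionary word with common substitutions") instead of "add a symbol". A real deployment should use zxcvbn itself, which does a proper minimum-cost segmentation over a far larger set of patterns and lists.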
6. Do not forget password recovery
As mentioned before, password recovery is the number one request to intranet help desks.
For password recovery, send a retrieval (reset) link. Emailing a password in plain text is a bad idea from both a security and a user perspective: it means you are storing passwords in a recoverable form, and it leaves the password sitting in the user's inbox. The link should carry a random, single-use token that expires after a short time.
Be clear from the start! Show the user the email address the retrieval link will be sent to and describe how the reset works. For added security you can mask portions of the email address, and the confirmation screen should look the same whether or not the address is registered, so the form cannot be used to enumerate accounts.
Conclusions
In the end it's the little things… Even a small improvement can significantly increase the usability of creating and using a password. Your main task is to help your users create a password that they can remember.
The quick fix list above can help you reduce the friction of creating and using a password without a major technical investment or overhaul.