CXL

The Problem with Password UX (and How to Fix It)

Have you ever forgotten a password for a site? What about a security question?

Have you ever spent a ridiculous amount of time trying to think of a password you can remember, but also complies with a list of arbitrary requirements (e.g. 7 uppercase letters, 4 special characters, etc.)?

When these UX problems pop up, they cause friction.

Friction that prevents new SaaS customers from signing up, friction that prevents loyal eCommerce customers from creating an account for next time, friction that prevents current customers from accessing their accounts.

Why Is Password UX a Problem?

First of all, the average person has a lot of passwords to keep track of. According to this 2012 NorSIS Password Survey, the total average minimum number of private passwords is 17 and the total average number of work passwords is 8.5. Another survey found that more than 50% of people use three or more passwords on a daily basis.

Passwords are hard to remember.

According to the 2012 Online Registration and Password Study, 51% of people dislike the idea of remembering another password. Not so surprising. But 38% agreed that it sounds more appealing to do household chores than come up with another new username or password.

That same study found that 37% of people have to ask for assistance on their username or password for at least one website every single month.

In fact, the concern for the ease of password memorization is pretty universal, according to a survey

Despite this apparent dislike for password creation and memorization, Perception and Knowledge of IT Threats: The Consumer’s Point of View found that 71% of respondents rely on their memory to recall passwords.

Image Source

That might explain why people reuse their passwords across multiple sites, regardless of age…

The perception and knowledge of IT threats study also found that 7% of people use special tools, like LastPass, to remember their passwords. However, studies have shown that people just don’t trust password managers for them to be a viable, mainstream solution.

Passwords aren’t that secure.

As the popularity of reusing passwords indicates, passwords are not actually as secure as most companies would assume. According to a consumer survey, 36% of people only change their password once a year (or even less), which is terrifying given mandatory resets are also at play.

Speaking of mandatory resets, how effective are your calls for users to change their passwords? According to ESET & Harris Interactive Password Poll, 18% of people ignore the requests completely while 19% “sometimes change their passwords”.

When they do change their passwords due to a threat or mandatory reset, a study found that many users make small, incremental changes to their existing passwords, which doesn’t make a hacker’s job too difficult.

KoreLogic research suggests that less than 10%, and probably less than 2%, of users have passwords that are complex enough and long enough to withstand a combination of dictionary, rainbow and brute-force attacks.

But what about your password requirements? Do they help? An analysis showed that over 70% of people use simple numeric prefixes or suffixes to avoid “must contain a digit” requirements. Similarly, when a “must contain a special character” requirement is present, 30% of people will just add a single special character at the end.

Passwords are causing serious friction.

Passwords are also preventing people from making a purchase. If people attempt to recover a password while checking out on an eCommerce site, 75% won’t complete their purchase.

Additional research has found that 46% of those surveyed in the U.S. report that authentication failures have prohibited online transactions frequently or very frequently.

Image Source

study of consumer attitudes found that 67% of U.S. respondents have been locked out of an account at least once in the past two years. 54% reported waiting a long time to reset a username or password at least once in the past two years. 63% said they agree or strongly agree that failure due to a forgotten password, username or answer to a security question were the cause of authentication and identification failures.

But this isn’t a new problem.

Actually, people have been asking for alternative solutions to the traditional username and password authentication system since 2004 when 80% of workers reported being “fed up” with using passwords and 92% said they would be more interested in using biometric technology or tokens / smartcards.

But with the growing concern over online privacy in recent years, the password problem has been brought to light again. According to YouGov Cyber Security, 61% of people are moderately to very concerned about being hacked. Another study found that 46% of U.S. respondents agree or strongly agree that they do not trust websites that rely only on passwords.

All that to say that the traditional username / password authentication system is broken in a big way. And, it seems, the only reason mainstream innovation has stalled is because companies want to do it “how it’s always been done”.

How to Optimize Password Authentication

If you want to stick with the traditional username / password authentication process, at least take the time to optimize it and improve the UX.

There are five things you can do immediately to make things easier for your visitors: limit and highlight password requirements, allow unmasking, show a strength meter, don’t make them confirm the password, and experiment with passphrases.

1. Limit requirements and make them visible.

Here’s an example of password requirements done right from Hootsuite

Three simple rules that are clearly visible the moment you select the password field. As Katie Sherwin of Nielsen Norman Group explains, this makes the process more efficient…

Katie Sherwin, Nielsen Norman Group:

“State the password requirements, and make sure that the user can see them the entire time that the field is selected. If you can successfully reduce some of the technical restrictions, you’ll have less text to display and fewer rules for the user to process, making password creation faster.” (via NN/g)

Simple, clear expectations from the beginning mean fewer errors. As a user, there’s nothing quite as annoying as typing in a password only to return three errors because you didn’t include a special character, three uppercase letters and two numbers.

2. Allow unmasking.

Here’s an example of password unmasking from MailChimp

As you can see, you can click the “Hide” text above the password field to show or hide the text in the password field.

Katie shares some device-specific unmasking best practices…

Katie Sherwin, Nielsen Norman Group:

“Allow users to unmask the password. Seeing the password will support memory and will allow users to check their work. On desktop, hide the password by default, and next to it, place a checkbox labeled Show password. On mobile devices and tablets, show the password by default and let users toggle the visibility with a Hide password control.” (via NN/g)

Passwords are often masked for added security. Someone could be looking over your shoulder or even at your phone from across the table and catch your password.

But as Luke Wroblewski explains, it really doesn’t add as much security as most companies think it does…

Luke Wroblewski, Google:

Wait… what? You’re displaying people’s passwords by default? Simply put, yes. We decided to optimize for usability and ease of log in over questionable security increases. On a touchscreen phone, its trivial to move the device out of sight of prying eyes. Or easier still to simply hit the Hide action to obscure a password.

But not that it matters, there’s a visible touch keyboard directly below the input field that highlights each key as you press it. These bits of feedback show the characters in a password at a larger size than most input fields. So in reality, the •••• characters aren’t really hiding a password from prying eyes anyway. As a result, we opted for usability improvements instead.” (via LukeW)

So, to summarize…

3. Show a strength indicator.

Below, you’ll notice that Airbnb has a password strength indictor below the field…

You’ve likely seen this time and time again. Katie explains why it’s not an outdated practice and can actually help improve security…

Katie Sherwin, Nielsen Norman Group:

“Motivate people to create better passwords by showing how secure the password is.

A study by Egelman et al. (2013) found that strength meters motivated users to create stronger passwords. Visually representing the strength of the user’s password, and showing that there is room for improvement, changes the motivation. The benefit is getting a secure password, instead of just complying with a system’s arbitrary command. It’s a slight mental shift that has a potentially large impact on security.” (via NN/g)

Often, as demonstrated in the Airbnb example above, strength indicators replace visible password requirements. This is not necessary, especially if you limited the requirements, as suggested above.

Instead, you can use them together to reduce errors while also subtly motivating people to care about their own security (vs. enforcing a ton of arbitrary requirements).

4. Don’t make people confirm.

Note that when signing up for Facebook, you don’t need to enter your password twice…

Yes, there’s power in repetition, but password confirmation fields were largely introduced due to password masking. If you followed the advice above and gave people the option to unmask their passwords, the password confirmation field might be less necessary than you think.

Jessica Enders of Formulate explains…

Jessica Enders, Formulate:

“The desire to prevent errors on forms is a good one. But given that double entry…

  • increases the workload for every single user;
  • can be bypassed by copying and pasting, or automatic form-filling tools;
  • only ensures the two fields match, not that they contain the valid information; and
  • may be seen as belittling the user;

…it is important to establish a real need before implementing double entry.” (via Formulate)

Formisimo shared a case study where they experimented with removing their password confirmation field after reading about its modern irrelevancy.

Here’s the control…

Image Source

And here’s the treatment…

Image Source

The results were impressive, to say the least…

5. Experiment with passphrases.

Take a look at Simple’s iteration on the traditional password authentication process…

Passphrases aren’t something you see often, but are certainly worth testing.

Some UX experts say that passphrases are more user-friendly because it’s simply easier to remember a series of recognizable words than random characters. Also, by default, requirements are reduced with the introduction passphrases vs. passwords.

They also contribute to improved security, though. Since passphrases are longer, they stop more brute-force attacks and the use of multiple words helps stop dictionary attacks.

Authentication Alternatives to Consider

If you’re thinking of moving away from the traditional, you have a number options, all with their own set of pros and cons.

1. Biometric Authentication

The most common example of biometric authentication is unlocking your phone with your thumb print. However, that functionality is expanding quickly. For example, Samsung Galaxy S6 is introducing biometric authentication for sites, not just hardware…

Of course, thumb prints aren’t the be-all-end-all of biometric authentication. A survey of consumer attitudes found that respondents were interested in a number of different biometric authentication methods…

In fact, 8 in 10 Brits would ditch passwords in favor of biometric security.

Even for as something as sensitive as banking, consumers are interested in biometric authentication…

Advantages…

Disadvantages…

2. 2-Factor Authentication

If you are a regular iTunes or Gmail user, you’re likely familiar with 2-factor authentication already. A password is still required, but a code is sent to a second device (e.g. your phone) for additional security. Thus, you’re notified when someone other than yourself attempts to log into your account.

The proverbial jury is still out on this one. While it undoubtedly adds security, it still requires the memorization of a password and can become annoying quickly.

On one hand, the Siber Systems RoboForm Online Security Survey found that 43.2% of people would trust a company more with their personal information if they introduced a 2-factor authentication process.

On the other, in 2013, 75% of survey respondents had never signed into a website using 2-factor authentication and 27% had decided against signing into a site with 2-factor authentication because they didn’t want to disclose their cell number and/or because they found it inconvenient.

Advantages…

Disadvantages…

3. Social (and Other Third-Party) Authentication

Social, and other third-party authentications, are growing in popularity. Twitter, Facebook, Google, LinkedIn and more offer third-party authentication options. For example, Basecamp offers the option to sign up using your Google account…

In general, people are receptive to the rise of social authentication. One survey found that 77% of people find the option helpful and appealing. 

Advantages…

Disadvantages…

4. No Password Authentication

Perhaps the most well-known example of the no password authentication is Slack. Instead of typing out your password on mobile, which can be difficult, you have the option to receive a magic link via email, which signs you in automatically…

But, of course, it’s not just Slack that’s authenticating without passwords. Status Hero uses a similar process as well…

Auth0 wrote a step-by-step guide to setting up a similar authentication process using universal links, which you can read here.

Advantages…

Disadvantages…

Conclusion

It’s time we rethink modern password UX and online authentication in general. No more doing it one way because it’s how it’s always been done.

Here’s what you need to know about the password UX problem we’re facing…

  1. Passwords are a problem because they’re hard to remember, less secure than we think, and causing serious frustration and friction.
  2. If you want to use traditional passwords, you should: limit requirements and make them visible, allow unmasking, show a strength indicator, avoid password confirmation fields, and experiment with passphrases.
  3. Biometric authentication is promising, but still in the early stages of development and implementation.
  4. 2-factor authentication can be annoying if overused, but marginally improves UX and adds a layer of security.
  5. Social (and other third-party) authentication are rising in popularity due to ease of use and implementation, but you still need a fall-back method and giving you third-party permissions might scare people off.
  6. No password authentication can be difficult to set up and support, but is easy to use and very secure.