7 Password Creation & Recovery Frustrations Every Designer Should Know About
Let me tell you about the most frustrating user experience I’ve ever had -- and how it can impact your website.
I attempted to sign in to a site that I hadn’t visited in a while. I thought I must have used the same, not-very-secure password I’m guilty of using for a lot of my less-important accounts. (Let’s just pretend my terrible password was the word “orange.”) But I was wrong.
So I entered “Orange,” “orange1,” and “Orange1” before giving up, clicking the link to reset the password, and crossing my fingers.
The site told me it had sent an email with a reset link to my email address on file, so I went to my inbox and waited for 10 minutes for the email to arrive. That's when it hit me.
My email address on file must have been my old one -- which I haven’t used in years.
Eventually, I got into the email account, clicked the reset link, and was prompted to create a new password. That’s when I learned that the password requirements included a special symbol ($,!, &, and so on). At that point, I remembered that I had, in fact, used the same dumb password I use for everything; I had just added an “!” at the end.
Password creation and retrieval can be a painful activity.
What’s more, a frustrating sign-in experience can prevent users from returning to your site.
While password creation might seem like a minor issue, it can make or break the experience for the user (which equals conversions for you). To make it easy for users to sign up and keep signing in to your site, take a look at these common user frustrations and their solutions.
Frustration #1: Missing instructions
It’s no fun for users to enter the password of their choice, only to receive an error message stating that the password didn’t meet the requirements, which were never described in the first place. If users get frustrated and give up this early in the process, then they probably won't return.
Solution: Make all password requirements clear from the beginning. Be sure the requirements aren’t in the form field itself, where they will disappear when the user starts typing.
Clearly stating the requirements saves time and sanity for your users.
Password strength meters indicate whether the user has successfully met all the requirements, and they're a good motivator to choose a strong password.
The meter on the left tells me at a glance that this short password isn't going to cut it.
Frustration #2: Overly complex requirements
Let’s take a minute to talk about those password requirements.
A lot of websites require passwords to contain a certain level of complexity to increase security. However, complexity alone doesn’t always make a password secure. For example, “Orange1!” is a pretty weak password. It would be easy for a computer to crack, even though it was difficult for me to remember.
Plus, complex passwords are especially irritating and difficult to type on mobile devices.
Mobile keyboards make numbers and capital letters prone to error.
Solution: Rather than enforcing strict complexity parameters, consider using length requirements. A Carnegie Mellon University study shows that 16-character, simple passwords perform better against brute force attacks than 8-character, complex passwords.
(The effectiveness of long passwords is also illustrated by this popular cartoon.)
Frustration #3: What happens when the user doesn’t follow instructions
Even if you specify the password requirements up front, some users will try to choose a password that doesn’t fit the parameters you set.
Solution: When this happens, make it easy for the user to understand and fix the error. Clearly explain which requirement was missed and what the user should do to correct it.
This error message isn’t very helpful. How do I know what I did wrong?
With this message, I know exactly what to fix.
Finally, if the password doesn’t meet requirements, don’t allow your signup form to erase all of the information the user entered! It’s bad enough to get an error message for creating a weak password; it’s much worse to have to fill out every field on the form to make a second attempt.
Frustration #4: Typos in the password
If a user types in a password incorrectly, then they won’t be able to sign in with the password they thought they created.
Solution: To prevent this problem, many sites require the user to enter their chosen password twice. While this catches typos, it’s not the most pleasant user experience.
Alternatively, you can unmask the password (or at least give the user the option to do so). It’s relatively rare for users to have their secure information stolen by a person looking over their shoulder at the moment of password creation. With an unmasked password, users can double-check to ensure they’ve entered everything correctly.
This signup form allows users to unmask the password, and it clearly shows which requirements have been met.
Frustration #5: No clues about the original password requirements
As was the case in my sad story above, some websites have very specific password parameters that users won’t necessarily remember when they go to sign in.
This error message doesn't give me any specific clues about what I did wrong.
Solution: Except on sites with very high security concerns, it's a good idea to display the password requirements after the first failed attempt at sign-in. It's also helpful to indicate whether the username or the password was the culprit for the failed sign-in.
Frustration #6: Unclear retrieval steps
If the user doesn’t understand what to do next, or where the password retrieval link will be sent, they’re not as likely to return to your site. Either they’ll become irritated and avoid it on purpose, or they’ll simply give up and forget about it.
Solution: Be clear from the beginning about which email address is associated with the account. For added security, you can mask portions of the email address, as in the example below.
Frustration #7: Emailing the forgotten password in plain text
It’s never a good idea to include a password in an email, which can easily be intercepted. It’s much more secure to send a link to reset the password.
If your site has fewer security concerns (say, a recipe sharing community) it may be tempting to think this rule shouldn’t apply. But consider the fact that users are especially likely to reuse weak passwords on sites like this. So a hacker who intercepted the email would likely gain the credentials for many other sites.
Besides, it’s always best to hash and salt passwords, which prevents website owners -- or hackers -- from “looking up” a lost password.
It may come as no surprise that the best way to find out how users will feel about your password creation and retrieval process is -- that’s right -- to test it!
Users have different expectations about password requirements and usage depending on the type of website: for example, a bank vs. a social network. To find the right balance of security and ease of use, ask users directly through surveys and user tests.
And as for my password problem? I finally decided to give up using the same old, weak password for everything. Instead, I switched to a password manager that lets me create and keep track of fantastically complex and secure passwords.
What do you do to make password creation and retrieval as painless as possible? Add your thoughts in the comments below!
Insights that drive innovation
Get our best human insight resources delivered right to your inbox every month. As a bonus, we'll send you our latest industry report: When business is human, insights drive innovation.