Connect with your exact customers
See, hear, and talk to your customers
Uncover insights about any experience
Share key insights across your organization
It’s no fun for users to enter the password of their choice, only to receive an error message stating that the password didn’t meet the requirements, which were never described in the first place. If users get frustrated and give up this early in the process, then they probably won't return.
Solution: Make all password requirements clear from the beginning. Be sure the requirements aren’t in the form field itself, where they will disappear when the user starts typing.[caption id="attachment_17492" align="alignnone" width="630"] Clearly stating the requirements saves time and sanity for your users.[/caption]
Password strength meters indicate whether the user has successfully met all the requirements, and they're a good motivator to choose a strong password.[caption id="attachment_17493" align="alignnone" width="630"] The meter on the left tells me at a glance that this short password isn't going to cut it.[/caption]
Let’s take a minute to talk about those password requirements.A lot of websites require passwords to contain a certain level of complexity to increase security. However, complexity alone doesn’t always make a password secure. For example, “Orange1!” is a pretty weak password. It would be easy for a computer to crack, even though it was difficult for me to remember. Plus, complex passwords are especially irritating and difficult to type on mobile devices. [caption id="attachment_17500" align="aligncenter" width="265"] Mobile keyboards make numbers and capital letters prone to error.[/caption]Solution: Rather than enforcing strict complexity parameters, consider using length requirements. A Carnegie Mellon University study shows that 16-character, simple passwords perform better against brute force attacks than 8-character, complex passwords.
(The effectiveness of long passwords is also illustrated by this popular cartoon.)
Even if you specify the password requirements up front, some users will try to choose a password that doesn’t fit the parameters you set.Solution: When this happens, make it easy for the user to understand and fix the error. Clearly explain which requirement was missed and what the user should do to correct it. [caption id="attachment_17496" align="aligncenter" width="385"] This error message isn’t very helpful. How do I know what I did wrong?[/caption] [caption id="attachment_17497" align="aligncenter" width="324"] With this message, I know exactly what to fix.[/caption] Finally, if the password doesn’t meet requirements, don’t allow your signup form to erase all of the information the user entered! It’s bad enough to get an error message for creating a weak password; it’s much worse to have to fill out every field on the form to make a second attempt.
If a user types in a password incorrectly, then they won’t be able to sign in with the password they thought they created.Solution: To prevent this problem, many sites require the user to enter their chosen password twice. While this catches typos, it’s not the most pleasant user experience. Alternatively, you can unmask the password (or at least give the user the option to do so). It’s relatively rare for users to have their secure information stolen by a person looking over their shoulder at the moment of password creation. With an unmasked password, users can double-check to ensure they’ve entered everything correctly. [caption id="attachment_17499" align="aligncenter" width="444"] This signup form allows users to unmask the password, and it clearly shows which requirements have been met.[/caption]
As was the case in my sad story above, some websites have very specific password parameters that users won’t necessarily remember when they go to sign in.[caption id="attachment_17505" align="aligncenter" width="301"] This error message doesn't give me any specific clues about what I did wrong.[/caption]Solution: Except on sites with very high security concerns, it's a good idea to display the password requirements after the first failed attempt at sign-in. It's also helpful to indicate whether the username or the password was the culprit for the failed sign-in.
If the user doesn’t understand what to do next, or where the password retrieval link will be sent, they’re not as likely to return to your site. Either they’ll become irritated and avoid it on purpose, or they’ll simply give up and forget about it.Solution: Be clear from the beginning about which email address is associated with the account. For added security, you can mask portions of the email address, as in the example below.
It’s never a good idea to include a password in an email, which can easily be intercepted. It’s much more secure to send a link to reset the password.If your site has fewer security concerns (say, a recipe sharing community) it may be tempting to think this rule shouldn’t apply. But consider the fact that users are especially likely to reuse weak passwords on sites like this. So a hacker who intercepted the email would likely gain the credentials for many other sites. Besides, it’s always best to hash and salt passwords, which prevents website owners -- or hackers -- from “looking up” a lost password.
Get our best human insight resources delivered to your inbox every month. As a bonus, we'll send you our latest industry report, The rise of the Experience Economy!