Secure passwords and user experience – a tricky relationship?

Secure passwords

How to make the login process easier for users

Hacker attacks and data leaks, as well as the implementation of the GDPR, have raised awareness of data security issues in society. Nevertheless, only very few internet users use really secure passwords. We have therefore collected some tips on how you as a company can better support your customers in dealing with personal passwords.

Status Quo: "For 90% of my accounts I use the same password."

In a qualitative study by Facit Digital on password security, the test participants stated that they had an average of 20-30 user accounts with password access. Often the same password is used for several accounts. In addition, most people write their passwords down on notes, in unprotected documents on their PC or in their smartphone notes. Password managers can help to remember passwords, but so far only a minority (10%) of German Internet users use them (Web.de via Statista).

It becomes particularly problematic for companies if forgetting passwords leads to customers not using their created accounts or canceling a purchase process after they have had to reset their password again.

Password UX in a few steps

There are a few things that companies can consider in order to improve the usability of login processes and reduce bounce rates.

1) Reduce and highlight password requirements

If the requirements a website imposes on a password (e.g. upper and lower case, use of symbols etc.) are displayed from the beginning, input errors can be reduced. There is nothing more annoying than having to try several times until the password is accepted.

Airbnb clearly highlights the password requirements and shows them in green once they are met.

2) Enable "Show password"

The possibility of displaying the password also avoids errors and helps users remember their passwords. The experts of the Nielsen Norman Group recommend different default settings for desktop and mobile devices: On desktop, passwords should be hidden by default (i.e. the familiar dots appear in the input field instead of the actual password). A "Show" button next to the input field allows users to display their entries. On mobile devices, it would be better to do things the other way around: display the password by default and use the button to give users the option of switching to "Hide".

The registration process at Zalando on the desktop: The password is hidden by default. Users can display their password by clicking on "Show".

3) Show password strength

A password strength indicator gives users real-time feedback on their chosen passwords and motivates them to create stronger passwords. Our study on password security has shown, however, that users want transparency at this point: The display should therefore show which parameters the strength or weakness of the selected password is based on (this can be combined with point 1).

A traffic light system with 3 colors informs users at Web.de about the strength of their typed password.

The display of security tips provides information about the parameters on which the strength of a password at web.de is based.

4) Give up password confirmation

Input fields in which the newly selected password has to be entered a second time are increasingly discouraged. Typing in passwords is cumbersome. If a password has to be entered twice, it is doubly annoying. If the password can be displayed (see point 2), users can spot errors directly, which eliminates the need for duplicate entries.

5) Enable passphrases

Until now, the requirements for secure passwords were almost undisputedly based on the specifications of the US authority NIST (National Institute of Standards and Technology) from 2003: passwords as complex as possible, with upper and lower case and special characters, and changed regularly.

It is true that a particularly cryptic word, such as "570b%8lhZ", is harder to hack than normal words. Nevertheless, it has turned out that many of these supposed security measures lead to people not being able to remember passwords and noting them down on slips of paper. If passwords have to be changed frequently, users tend to create simpler passwords that they can remember better. Therefore, experts increasingly recommend so-called passphrases. These are longer sentences consisting of at least three proper words, which are easier to remember. Also, long passwords (even if they are simple words) are harder to hack than short complex character combinations. According to Swedish digitization expert Thomas Baekdal, for example, it is 10 times safer to use "this is fun" as a password than "J4fS<2". Such passphrases become even more secure when fantasy words are used (e.g. "fluffy is puffy"). In this way, password requirements (see point 1) could also be further reduced without reducing security.

NIST experts have also revised their original recommendations and published new guidelines in 2018. To support passphrases, the US authority now advises allowing up to 64 characters in a password entry field. In addition, users should no longer be arbitrarily forced to update their passwords on a regular basis, unless there is a password violation.
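A strength indicator that explains its rating (point 3) and rewards length over forced complexity (point 5) could be sketched as follows. This is an added example, not code from the study or from any of the sites mentioned; the thresholds, the minimum length and the sample blocklist are assumptions chosen for illustration.

```python
import math
import string

# Assumed values for this example; tune them for your own service.
MIN_LENGTH = 8      # assumed minimum length
MAX_LENGTH = 64     # the entry field accepts passphrases up to this length
GREEN_BITS = 60     # assumed threshold for the green light
BLOCKLIST = {"password", "12345678", "qwertyuiop"}  # constructed sample list

def character_pool(password):
    """Alphabet size an attacker must cover in a blind brute-force search."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += 33  # printable ASCII symbols, including the space
    return pool

def rate_password(password):
    """Return (colour, bits, reasons) so the UI can show why a rating was given.

    The bit count covers blind brute force only; it does not model
    dictionary or word-list guessing.
    """
    if len(password) > MAX_LENGTH:
        return "red", 0.0, [f"longer than the {MAX_LENGTH} characters accepted"]
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        problems.append("appears in a list of commonly used passwords")
    pool = character_pool(password)
    bits = len(password) * math.log2(pool) if pool else 0.0
    detail = f"{len(password)} characters from a pool of {pool}: about {bits:.0f} bits"
    if problems:
        colour = "red"
    elif bits < GREEN_BITS:
        colour = "yellow"
    else:
        colour = "green"
    return colour, round(bits, 1), problems + [detail]
```

The returned reasons are what the form would display next to the traffic light, so users see the parameters behind the colour.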

6) Reconsider password-protected areas

The fact that in many situations it is not absolutely necessary to "force" the user to register is often neglected. Wherever possible, registration should always be optional. Guest checkout with optional registration on e-commerce sites simplifies the purchase process, for example. Even tailor-made offers are possible without a login process: Amazon uses cookies, for example, to show users personalized content even when they are not logged in.

Alternatives to the classic password login

In addition to text-based passwords, there are now a large number of alternative authentication options.

Biometric authentication methods, such as Touch or Face ID or iris and retina recognition, as well as analysis of the keystroke rhythm, are considered particularly secure because they cannot easily be passed on to other people, forgotten or stolen. They also make remembering passwords obsolete and replace the annoying typing of PINs and passwords.

Particularly secure, but not necessarily more practical, is two-factor authentication, in which a code is sent to a second device in addition to the password when logging in.

More user-friendly is the so-called "Social" or "Third-Party-Authentication", i.e. authentication via Facebook, Google or other external providers. Here users can register quickly and easily and use their (already familiar) password. When implementing this method, however, it must be considered that there are users who do not have a social media account or do not want to use it for registration.

It is also possible to do without a password completely during registration. With "No Password Authentication", for example, users can be offered the option of having a link sent to them by e-mail, which automatically logs them in. Security is guaranteed by the fact that the link loses its validity after a certain period of time.

 

Option to register without password at Slack.com
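The expiring login link described above can be built from a signed token. The following is an added example, not Slack's or any other provider's implementation; the 15-minute validity period, the token layout and the in-memory store are assumptions. It goes one step beyond the text by also rejecting a link that has already been used once.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
LINK_TTL_SECONDS = 15 * 60            # assumed validity period of a login link
_used_tokens = set()                  # stands in for a shared store of redeemed links

def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_login_token(email, now=None):
    """Build 'email|expiry|nonce|signature' to embed in the e-mailed link."""
    issued = now if now is not None else time.time()
    expires = int(issued) + LINK_TTL_SECONDS
    payload = f"{email}|{expires}|{secrets.token_urlsafe(16)}"
    return f"{payload}|{_sign(payload)}"

def redeem_login_token(token, now=None):
    """Return the e-mail address to log in, or None if the link is rejected."""
    try:
        email, expires, nonce, sig = token.split("|")
        expires = int(expires)
    except ValueError:
        return None  # malformed link
    expected = _sign(f"{email}|{expires}|{nonce}")
    # Constant-time comparison; any change to address or expiry breaks it.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if (now if now is not None else time.time()) > expires:
        return None  # validity period is over
    if token in _used_tokens:
        return None  # link was already used once
    _used_tokens.add(token)
    return email
```

Because the expiry time is covered by the signature, a recipient cannot extend a link's lifetime by editing the URL.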

Conclusion

Password-protected areas are unavoidable in many situations. German users in particular attach great importance to data protection and want to feel secure. On the other hand, passwords are annoying and complicate the user flow. The points listed have shown that usability and security are not mutually exclusive. For a successful user experience, companies should make it as easy as possible to create passwords that are both secure and simple. Procedures that replace the use of passwords should also be increasingly considered. In this way, both the users and the companies themselves benefit in the end.


Michael Wörmann

Theresa Amberger

As a trained communication scientist, Theresa asks many questions and likes to get to the bottom of things, for example in the blog series "Inside FaDi". In UX Consulting at Facit Digital, she can optimally combine this passion with her interest in digital trends and technological innovations.