Strong P@$$W0rdS – Why They Complicate the User Experience
User names and passwords are an annoying but necessary evil. In the old days, the only password we needed was an ATM PIN. Coming up with a PIN was a chore, but it pales in comparison to what we have to go through today. Is this preoccupation with passwords really making us safer and is it worth the decrease in usability?
How Many Passwords?
How many passwords does the average person have? Here’s a conservative list:
- ATM PIN
- Web Email
- Job Network
- Online Retail
- Brokerage accounts (IRAs 401K, Pension Funds, etc.)
- Social Networking (Facebook, Instant Messenger, etc.)
- Online insurance/medical
A quick count makes eight user name/password combinations. If you add secondary email, retail accounts, and school you could easily reach double digits.
Password Requirements and Security
It’s bad enough that we have to remember a dozen passwords, but to make matters worse Web sites have different policies that further reduce usability.
- Password Length – Most sites require a minimum of six characters (some require more)
- Strong Passwords – A strong password requires a combination of lower and uppercase letters, numbers, and special characters
- Character Usage – Some sites exclude special characters, but require lower and uppercase letters and at least one number. Some sites require only letters, no numbers, and no special characters, etc.
- Password Retrieval – If you forget a password, some sites don’t allow you to reuse passwords
- Password Masking – This is where the characters in the password field display as bullets or asterisks. This is to protect the user from snoopers stealing the password
Why the Polices Don’t Work and Reduce Usability
A recent article by Lyle Mullican notes that security obtained though the use of passwords is dependent on two assumptions:
- A password will never be visible outside the mind of the person who created it.
- Both the user name and password can be recalled from memory when needed.
Given the number of passwords an active Internet user has to manage, there is no guarantee that they can recall the password when needed. Users will often write them down either physically or digitally, which makes it visible outside the mind’s eye.
If a password is saved in the browser, it’s essentially the same as not having a password at all. Anyone on the computer can access the data. There are services that store passwords, but those, of course, require a password, and they aren’t supported by all sites. Using the same user name and password repeatedly is one way to handle the problem, but that’s also a security violation. Some users have a set of two or three user name/password combinations, but this strategy can be upset by sites with overly strong password requirements or restrictive password retrieval policies.
Jakob Nielsen’s article addressing the use of Password Masking argues that it doesn’t work and reduces usability; the lost productivity and frustration add up over time. He states:
1) A skilled thief can simply watch the keyboard as you type, memorizing the password
2) Less skilled users can easily get lost, forcing them to start again
3) It’s rare for users to be in an environment where people are actively snooping
The Real Dangers
The idea that strong passwords prevent hackers from accessing sensitive information is almost certainly a fallacy. Almost all IT security breaches are the result of social engineering. Social engineering is: “the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques.” The remaining incidents can be attributed to someone with critical inside knowledge. The takeaway: there’s no need to steal passwords or break into systems if you can get someone to hand over the keys.
Suggested Password Usability Guidelines
Here are some guidelines when designing Web login functionality:
- Password Creation Guidelines – Promote standard password creation guidelines, e.g., avoid common names, birth dates, phone numbers, pet names, SS numbers, etc.
- Character Count – Do not require any more than six characters.
- Character Type – Allow users to use letters, numbers, and special characters but don’t make them required.
- Stop Masking – Eliminate the current masking approach, and simply let the user see what they type. The security implications are minimal, and the increase in usability and efficiency outweighs the dangers.
- Optional Masking – A great compromise is to allow users to decide whether they want their password masked or not. This is done using a check box below the password field that users can toggle on or off.
- Show Last Letter – In this environment, the field displays the last character typed but hides previously typed characters. The user can see the last character they typed and make adjustments as needed.
- Password Recovery – Aside from making the password retrieval process painless (a separate issue), allow users to reset their password without restrictions.
Though developers and IT professionals will continue to insist on the use of ridiculous über strong passwords with special characters, letters, and numbers, we as UI professionals know better. Password protocols are a trade-off between usability and security. Following some simple guidelines can improve usability and still maintain system security.
(11/09/2010) I recently had to switch 401K providers and so had to set up a new user account. I dutifully selected a new password and it was promptly rejected. Why, you ask? Because it was more than 8 characters long! Why on earth would they set an 8 character limit?
If my password is longer it should, by default, be stronger. If I forget it I can always retrieve it. Because I had to come up with yet another unique password, my user experience was compromised for no good reason at all. And I had to complete some fields twice. And it aggravated me…a lot! Arrrrggghhh! Is there no justice? Fin.
“Please Do Not Change Your Password”
“Choosing and Protecting Passwords”
“The Problem with Passwords” by Lyle Mullican
“Stop Password Masking,” Jakob Nielsen’s Alertbox, June 23, 2009
Social Engineering (security)
Terminated Employee Hacks His Way Back In
“The Dramatic Password Reveal,” Jeff Atwood, Feb 11, 2008
“So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users” Cormac Herley, NSPW 2009, Oxford
Microsoft Password Checker – This epitomizes how ridiculous it is to expect the average user to come up with, much less remember, a “strong” password.
“Are you password protected?” by Jodie Humphries – An analysis of 32 million passwords exposed in a security breach “provides further proof that consumers routinely use easy-to-guess login credentials.” Of course, the passwords were obtained through a hack, so even if they were strong it would have made no difference. Still a good read: