There are thousands of people working in digital marketing who can talk about usability and user experience until they are blue in the face. User-friendly web design, easy-to-complete sign-up forms, articles written for people reading on mobiles etc. Why, with all this time spent on improving the user experience, all this expertise, is the internet still full of websites that ruin the whole thing when it comes to passwords?
I believe I know why. The answer may sound insulting to members of the web development community, but it’s because password management is left to coders, IT people and not to people who design user experience.
I have worked with a lot of developers – all great people. I don’t want to make them out to be bad in any way. However, if you have worked in publishing you probably have discovered that designers are often bad at spelling (how many posters, adverts, brochures or signs have you seen with typos and mistakes, because the designer’s work was not edited?).
“Password must contain a number, capital, dog’s name, an odd character and something from a foreign keyboard you don’t have.”
There was a time when a password was the choice of the user. You simply typed some characters into a box. 99.9% of people probably used an easy to remember word and 99.9% of people knew that it was a secret, so not to tell anyone.
Then, we discovered that a lot of people were using easy-to-guess words like their children’s names, or just “password”. Because of these people, website designers started adding validation techniques to make people choose passwords that are harder to guess.
All very admirable, because it made us think a bit more. Now, though, it’s getting out of hand. If I want to sign up to a site using the same password I use on many other sites, knowing it is totally secret and it is a combination of letters and numbers, why should a site tell me I can’t use it?
Why do I have to try four or five times to come up with a password that’s better than “weak”, or that contains combinations of letters I will never remember, so I will be forced to write it down somewhere – making the whole thing less secure than just using the word “password”?
Choosing a password is part of the user experience
The point of choosing and saving a password on any site is part of the user experience. Don’t leave this functionality to your developer, who often thinks of security first, user experience second.
“Let’s make sure they have to use a password they have never used before, that contains a completely random collection of letters and numbers, and then when they want to change it, let’s prevent them from using the same one twice. People won’t mind trying to submit the form 10 times – it’s all part of the fun.”
Face. Meet palm.
Further reading by other writers on the subject of password user experience
James Breeze of Objective Digital, in The Password Reset Experience, wrote, “The problem of the password reset experience is likely to be a problem for some time; good experiences will be un-secure and secure experiences will be un-satisfying until a universal validation technology is available. Until then people will continue with unsafe practices across multiple sites while websites continue with secure, but insular, processes.”
Writing on SitePoint’s website, Roman Yudkin discussed some important security features for password authentication. However, while Roman’s advice is all sound, I can’t help thinking, “So what?” All that advice does is lead developers to make it un-friendly to ordinary users who, let’s face it, only have themselves to blame if their password is easy to crack, or find. If a hacker gets into a database through a back door (wave hello to Ebay, PlayStation, LinkedIn etc), they could find out your password no matter how complicated it is.
In How to ruin a good user experience in 20 steps, Jacob Creech said, “Don’t ever limit these fields for pointless reasons. I was signing up to a site recently and came across the following error: ‘Your password must be between 6 and 8 characters.’ Ok, maybe less than 6 means the password isn’t secure enough, but I can’t have a password longer than 8 characters? Really?”