7 user experience password frustrations and how to fix them

7 Password Creation & Recovery

FrustrationsEvery Designer Should Know About

@UserTesting | 800-903-9493 | [email protected]

http://www.usertesting.com?utm_source=slideshare&utm_medium=social&utm_campaign=Password+Frustrations

http://www.twitter.com/usertesting

mailto:sales%40usertesting.com?subject=Request%20for%20more%20info%20via%20SlideShare

7 Password Frustrations


Password creation and retrieval can be a painful activity.






What’s more, a frustrating sign-in experience can prevent users from returning to your site.

To make it easy for users to sign up and keep signing in to your site, take a look at these common user frustrations and their solutions.





Password Creation







Frustration #1:Missing instructions






It’s no fun for users to enter the password of their choice, only to receive an error message stating that the password didn’t meet the requirements, which were never described in the first place.






Solution:Make all password requirements clear from the beginning.

Be sure the requirements aren’t in the form field itself, where they will disappear when the user starts typing.






Clearly stating the requirements saves time and sanity for your users.






Password strength meters indicate whether a user has successfully met all the requirements, and they’re a good motivator to choose a strong password.






The meter on the left tells me at a glance that this short password isn’t going to cut it.






Find out what users think about your site or app’s password requirements! Watch over the shoulder of a real person as they create a password for the very first time, or attempt to navigate your password reset process.

Give UserTesting a Try







Frustration #2: Overly complex requirements






A lot of websites require passwords to contain a certain level of complexity to increase security.

Complexity alone doesn’t always make a password secure.






For example, “Orange1!” is a pretty weak password. It would be easy for a computer to crack, even though it could be difficult to remember.




https://howsecureismypassword.net/

https://howsecureismypassword.net/



Plus, complex passwords are especially irritating and difficult to type on mobile devices.

Mobile keyboards make numbers and capital

letters prone to error.






Solution:Rather than enforcing strict complexity parameters, consider using length requirements.






A Carnegie Mellon University study shows that 16-character, simple passwords perform better against brute force attacks than 8-character, complex passwords.

The effectiveness of long passwords is also illustrated by this popular cartoon.




http://users.ece.cmu.edu/~mmazurek/papers/chi2011_passwords_people.pdf

http://www.howtogeek.com/166832/brute-force-attacks-explained-how-all-encryption-is-vulnerable/

http://xkcd.com/936/



Frustration #3: What happens when the user

doesn’t follow instructions






Even if you specify the password requirements up front, some users will try to choose a password that doesn’t fit the parameters you set.






Solution:When this happens, make it easy for the user to understand and fix the error. Clearly explain which requirement was missed and what the user should do to correct it.






This error message isn’t very helpful.

How do I know what I did wrong?

With this message, I know exactly

what to fix.






Finally, if the password doesn’t meet requirements, don’t allow your signup form to erase all of the information the user entered!

It’s bad enough to get an error message for creating a weak password; it’s much worse to have to fill out every field on the form to make a second attempt.






Frustration #4: Typos in the password






If a user types in a password incorrectly, then they won’t be able to sign in with the password they thought they created.






Solution:To prevent this problem, many sites require the user to enter their chosen password twice. While this catches typos, it’s not the most pleasant user experience.






Alternatively, you can unmask the password (or at least give the user the option to do so).

It’s relatively rare for users to have their secure information stolen by a person looking over their shoulder at the moment of password creation.




http://www.nngroup.com/articles/stop-password-masking/



With an unmasked password, users can double-check to ensure they’ve entered everything correctly.






This signup form allows users to unmask the password, and it clearly shows which requirements have been met.





Password Recovery







Frustration #5: No clues about the original

password requirements






Some websites have very specific password parameters that users won’t necessarily remember when they go to sign in.






This error message doesn’t give me any specific clues about what I did wrong.






Solution:Except on sites with very high security concerns, it’s a good idea to display the password requirements after the first failed attempt at sign-in.

It’s also helpful to indicate whether the username or the password was the culprit for the failed sign-in.






Frustration #6: Unclear retrieval steps






If the user doesn’t understand what to do next, or where the password retrieval link will be sent, they’re not as likely to return to your site.

Either they’ll become irritated and avoid it on purpose, or they’ll simply give up and forget about it.






Solution:Be clear from the beginning about which email address is associated with the account.

For added security, you can mask portions of the email address, as in the following example:






Frustration #7: Emailing the forgotten password in plain text






It’s never a good idea to include a password in an email, which can easily be intercepted. It’s much more secure to send a link to reset the password.






If your site has fewer security concerns (say, a recipe sharing community) it may be tempting to think this rule shouldn’t apply.






Always consider the fact that users are especially likely to reuse weak passwords on sites like this.

A hacker who intercepted the email would likely gain the credentials for many other sites.






Besides, it’s always best to hash and salt passwords, which prevents website owners — or hackers — from “looking up” a lost password.




https://crackstation.net/hashing-security.htm


Other Considerations







It may come as no surprise that the best way to find out how users will feel about your password creation and retrieval process is—that’s right—to test it!






Users have different expectations about password requirements and usage depending on the type of website: for example, a bank vs. a social network.

To find the right balance of security and ease of use, ask users directly through surveys and user tests.






Find out what users think about your site or app’s password requirements! Watch over the shoulder of a real person as they create a password for the very first time, or attempt to navigate your password reset process.

Give UserTesting a Try





www.usertesting.com@UserTesting | 800-903-9493 | [email protected]



http://www.usertesting.com?utm_source=slideshare&utm_medium=social&utm_campaign=Lessons+Learned+from+Watching+200000+Usability+Testing+Videos+eBook



7 user experience password frustrations and how to fix them

Technology

password frustrationssolution

password frustrationsplus

astrong password

password didnt

password frustrationsclearly

password frustrationsfind

password frustrationswhats

password frustrationsits