Following on from Darian’s recent blog post about registration creating a barrier to the use of apps, I’d like to add some of my thoughts on the arduous process of logging on to websites or apps once you have registered.
Having to remember multiple passwords is now a fact of life for most of us. A study a few years ago (1) found that users typically manage about 25 accounts requiring a password, and that the average user enters 8 passwords every day; given the expanding reach of technology, this number may have since increased. Any improvement, however small, that helps the user log on should be grasped.
I have a suggestion that will help some users remember their passwords for some websites, and it requires no technical development, new technology or shift in user behaviour, just a bit of user-centred thinking. When registering for a website it is common for the sign-up form to state the password constraints, e.g. must contain 8 characters, a capital letter and a number; when it comes to logging back on to the site, however, there is usually no such prompt to steer the user towards the relevant password.
See below from Google on the sign-up page:
And then nothing on the sign-in page (below left), even though they have given you a prompt about the format of an email address. There is still no prompt after clicking the link indicating you are having problems signing in (below right).
Another example, from Barclays Cycle Hire, where you are prompted with the password requirements at the sign-up stage:
But then not reminded of this at the login stage:
In fact this pattern is widespread across websites.
Users prefer usability to security
Study after study (2, 3, 4) has shown that users prefer usability to security: they select the easiest passwords they can get away with and re-use a small number of passwords over and over. It has even been argued that, given the costs and benefits involved, favouring usability over security is actually rational (5). A user may have a six-letter password they use when they can, an eight-letter password for when that is required, and some capitalisation or number rules that can be applied when demanded. When a user visits a website where they aren’t sure which password is needed they face some choices:
- Guess which of their passwords is needed
- Request a password reset
- Leave the website
Having to type in password after password is clearly undesirable. Neither is requesting a password reset, which may involve multiple steps and potentially thinking up a new password, adding to the overall password burden. And simply leaving the site benefits no-one.
Small changes can significantly improve usability
Giving the user a little help by indicating any password constraints at the login stage reduces the number of passwords the user might need to try, increasing the chance that they will attempt a login. It also conveys to the user that you have thought about them and are trying to help, rather than leaving them staring at a blank field with no memory cues. A six-letter password with no other constraints is common practice, so this approach would mostly benefit those websites which impose greater constraints such as capitalisation or digits. Why don’t websites already do this? Who can tell: lack of thought, designers blindly following other sites, or perhaps the security department not wanting to help ‘hackers’ by providing more information. This last point is a weak argument, though, as any self-respecting hacker would just go to the registration page to see what constraints are placed on the password.
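To make the suggestion concrete, here is an added example (not from the original post) of a single, hypothetical password-policy object that both validates a password at registration and generates the identical prompt for the sign-up and sign-in forms; the candidates() function shows how that prompt narrows a user's (constructed) set of re-used passwords to the ones worth trying.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical policy model: one object drives sign-up validation AND the
    prompt shown on both the sign-up and the sign-in form, so the two never drift."""
    min_length: int = 6
    require_upper: bool = False
    require_digit: bool = False

    def describe(self) -> str:
        """Text to render next to the password field on every form."""
        parts = [f"at least {self.min_length} characters"]
        if self.require_upper:
            parts.append("a capital letter")
        if self.require_digit:
            parts.append("a number")
        return "Password must contain " + ", ".join(parts) + "."

    def matches(self, password: str) -> bool:
        """Server-side check applied at registration; the rule is the same at login."""
        if len(password) < self.min_length:
            return False
        if self.require_upper and not re.search(r"[A-Z]", password):
            return False
        if self.require_digit and not re.search(r"[0-9]", password):
            return False
        return True


# Constructed sample: the small set of passwords one user re-uses across sites.
REMEMBERED = ["sunset", "sunset12", "Sunset12", "password"]


def candidates(policy: PasswordPolicy, remembered: list[str]) -> list[str]:
    """Which of the user's own passwords could possibly be valid on this site.
    With the prompt shown at login this is the short list the user has to try;
    without it they may cycle through all of them or give up."""
    return [p for p in remembered if policy.matches(p)]


if __name__ == "__main__":
    for policy in (PasswordPolicy(), PasswordPolicy(8), PasswordPolicy(8, True, True)):
        print(policy.describe(), "->", candidates(policy, REMEMBERED))
```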
If you do find sites which help users with a prompt then be sure to submit it to LittleBigDetails.com.
(1) Florêncio, D. & Herley, C. (2007). A large-scale study of web password habits. WWW 2007/Track: Security, Privacy, Reliability and Ethics. Session: Passwords and Phishing, 90, 657-665.
(2) Adams, A. & Sasse, M.A. (1999). Users are not the enemy. Communications of the ACM, 42, 41-46.
(3) Imperva (n.d.). Consumer password worst practices. Retrieved 01 June 2010 from
(4) Sasse, M.A., Brostoff, S. & Weirich, D. (2001). Transforming the ‘weakest link’ – a human/computer interaction approach to usable and effective security. BT Technology Journal, 19, 122-131.
(5) Herley, C. (2009). So long, and no thanks for the externalities: the rational rejection of security advice by users. In New Security Paradigms Workshop, 133-144.