How many sites are you currently registered for? Unless you are particularly organized with all your sites, usernames and passwords in one place – chances are there are probably too many to count. Among those dozens or hundreds of sites, there are a select few that you access everyday and the rest fall into your own long tail of sites you have registered for but only log into infrequently. Over the last several weeks, I have found myself resetting passwords, sending reminders and guessing my own passwords for some of those sites that I don’t access that often. Along the way, I started to think about some password setting best practices that I wish sites would adopt. What if there was a best practice for setting and requiring passwords that didn’t make life harder for users? Here are a few ideas that could be part of it:
- Let users choose an appropriate level of security. I understand that to access your online banking, you need to have a really secure password. The problem is that many sites take a one size fits all approach to passwords. Do we really need the same security to log in to read my subscription of the NY Times? Of course not. More sites need to consider how secure their site really needs to be, and give users more flexibility to choose any kind of password instead of doing things like requiring capital letters, numbers or changes every 3 months.
- Use password hints instead of just resetting. Many times, a user will know their password, they just need a hint in order to get it. For this reason, password hints can be very effective, because they are immediate and let a user get their password without submitting a form, waiting for an email, clicking a link and going through a long process to access your site.
- Share your syntax rules. I have one type of password I use if a site requires me to use a capital letter. I have another if a site tells me I need to do that along with a number. Sometimes, if I knew the syntax rules that a particular site used, that would be enough of a prompt for me to "remember" my password and get into the site. The most frustrating thing as a user is to go through the whole process to reset your password only to realize that you had it correct all the time, you were just forgetting to capitalize a letter.
- Think outside the "password." One thing that I have always loved about Priceline is after entering my email address on the site, it never asks me for my password. Instead, based on the email, the site asks my response to a personal question that I set when I first registered. As a result, I have never forgotten or had to look up my password for the site. It also makes me FAR more likely to visit that site first and return over and over – because they make it easy for me to login.
NOTE – Before I get lots of comments about how I should save my passwords through the browser so they automatically come up when I visit a site … I do that, however for sites I access infrequently sometimes these are cleared when I clear cookies or if I’m using a different computer.
#3 is by far the best one here. It is extremely frustrating. Well said overall.
#3 is by far the best one here. It is extremely frustrating. Well said overall.
To be honest I have never really given much thought to more systematic password processes. Matters biz wise are starting to get hectic, so will have to.
Liked the bit about syntax rules…
Another idea could be to use a password manager. I work for Passpack – an online password manage and it would solve most of these issues. It features a password generator, different levels of security encryption (which you choose) and it logs you directly into your sites with 1 Click Login.
Hope it helps!
Louise
Another idea could be to use a password manager. I work for Passpack – an online password manage and it would solve most of these issues. It features a password generator, different levels of security encryption (which you choose) and it logs you directly into your sites with 1 Click Login.
Hope it helps!
Louise
While I agree with the overall theme of the post that sites are not making it easy for users to remember passwords especially the ones used infrequently.
I have serious reservations about sites relying on #3 and #4 to authenticate users or reset their passwords.
On todays social web we have more information about ourselves shared than we some times know and a lot of it can also be inferred ingeniously. While most folks think about security as a physical thing and try protecting their passwords on their machine and on the wire, what many dont know is that a large number of hacks are also done by social engineering through acquaintances and friends of friends etc.
Things like “Hints” and “Can you answer this special question” play right into that territory.
Maybe a couple of ways of trying to provide some flexibility might be that you allow only one chance at your password hint and you have a large bag of hint questions from which users get a random subset or users can define their own secret questions. Cause if all a site offers as questions are Where were you born, whats your first school, whats your pets name etc FB has all of that 😉
While I agree with the overall theme of the post that sites are not making it easy for users to remember passwords especially the ones used infrequently.
I have serious reservations about sites relying on #3 and #4 to authenticate users or reset their passwords.
On todays social web we have more information about ourselves shared than we some times know and a lot of it can also be inferred ingeniously. While most folks think about security as a physical thing and try protecting their passwords on their machine and on the wire, what many dont know is that a large number of hacks are also done by social engineering through acquaintances and friends of friends etc.
Things like “Hints” and “Can you answer this special question” play right into that territory.
Maybe a couple of ways of trying to provide some flexibility might be that you allow only one chance at your password hint and you have a large bag of hint questions from which users get a random subset or users can define their own secret questions. Cause if all a site offers as questions are Where were you born, whats your first school, whats your pets name etc FB has all of that 😉
I read this post yesterday and have some pretty strong reservations about the suggestions. I wrote about it but it seems trackbacks aren’t working?
Anyway, you can find it at: https://digitaltumbleweed.com/2008/07/02/and-your-password-isn4z/
I read this post yesterday and have some pretty strong reservations about the suggestions. I wrote about it but it seems trackbacks aren’t working?
Anyway, you can find it at: https://digitaltumbleweed.com/2008/07/02/and-your-password-isn4z/
Totally agree about appropriate levels of security. These systems are usually produced by developers who are totally theoretical in their views on security, and do not understand that excessive security which creates barriers to users is not only a serious usability problem but a serious commercial problem.
Security should be the minimum logically required – not over the top!
More websites should have a personal questions…perhaps it would be more secure. We tend to use similar passwords for just about everything which is certainly not secure! We’re a creature of habit!
More websites should have a personal questions…perhaps it would be more secure. We tend to use similar passwords for just about everything which is certainly not secure! We’re a creature of habit!
The problem with giving a user a hint instead of an offer to reset their password, is that when a user does need to reset their password, most (at least the website that I work on) has no option set up for the user to change their hint question. So if your password used to be MrFluffy and your hint was “Kitty’s name” and you changed your password to “Fido” (your ever-so generic dog’s name), your old hint question is now moot. I do think the level of severity thing is interesting though. I do agree some sites could be a little bit more lax with password restrictions.
The problem with giving a user a hint instead of an offer to reset their password, is that when a user does need to reset their password, most (at least the website that I work on) has no option set up for the user to change their hint question. So if your password used to be MrFluffy and your hint was “Kitty’s name” and you changed your password to “Fido” (your ever-so generic dog’s name), your old hint question is now moot. I do think the level of severity thing is interesting though. I do agree some sites could be a little bit more lax with password restrictions.
It’s gotten to the point where I have so many passwords and user names that I need an Excel sheet to keep track of them all. Not the safest way to organize them, I know, since they’re readily available on my laptop. But hey… at least when I’m logged off, my entire computer is username/password protected!
These are some great ideas, I especially liked the one about setting the security level. When you need a password that includes 8 letters, a number, at least one capital letter, AND a symbol to sign up for a social media site, it’s a little overboard.