The Non-Obvious Insights Blog. Non-Obvious Insights
The Non-Obvious Insights Blog.

Dedicated To Helping Readers
Be More Interesting
Since 2004.

As Featured In:

Don't Be A Password Nazi: Rethinking Your Approach To Passwords

How many sites are you currently registered for? Unless you are particularly organized with all your sites, usernames and passwords in one place – chances are there are probably too many to count. Among those dozens or hundreds of sites, there are a select few that you access everyday and the rest fall into your own long tail of sites you have registered for but only log into infrequently. Over the last several weeks, I have found myself resetting passwords, sending reminders and guessing my own passwords for some of those sites that I don’t access that often. Along the way, I started to think about some password setting best practices that I wish sites would adopt. What if there was a best practice for setting and requiring passwords that didn’t make life harder for users?  Here are a few ideas that could be part of it:

  1. Let users choose an appropriate level of security. I understand that to access your online banking, you need to have a really secure password. The problem is that many sites take a one size fits all approach to passwords. Do we really need the same security to log in to read my subscription of the NY Times? Of course not. More sites need to consider how secure their site really needs to be, and give users more flexibility to choose any kind of password instead of doing things like requiring capital letters, numbers or changes every 3 months.
  2. Use password hints instead of just resetting. Many times, a user will know their password, they just need a hint in order to get it. For this reason, password hints can be very effective, because they are immediate and let a user get their password without submitting a form, waiting for an email, clicking a link and going through a long process to access your site.
  3. Share your syntax rules. I have one type of password I use if a site requires me to use a capital letter. I have another if a site tells me I need to do that along with a number. Sometimes, if I knew the syntax rules that a particular site used, that would be enough of a prompt for me to "remember" my password and get into the site. The most frustrating thing as a user is to go through the whole process to reset your password only to realize that you had it correct all the time, you were just forgetting to capitalize a letter.
  4. Think outside the "password." One thing that I have always loved about Priceline is after entering my email address on the site, it never asks me for my password. Instead, based on the email, the site asks my response to a personal question that I set when I first registered. As a result, I have never forgotten or had to look up my password for the site. It also makes me FAR more likely to visit that site first and return over and over – because they make it easy for me to login.

NOTEBefore I get lots of comments about how I should save my passwords through the browser so they automatically come up when I visit a site … I do that, however for sites I access infrequently sometimes these are cleared when I clear cookies or if I’m using a different computer.

15 thoughts on “Don't Be A Password Nazi: Rethinking Your Approach To Passwords”

  1. To be honest I have never really given much thought to more systematic password processes. Matters biz wise are starting to get hectic, so will have to.

    Liked the bit about syntax rules…

    Reply
  2. Another idea could be to use a password manager. I work for Passpack – an online password manage and it would solve most of these issues. It features a password generator, different levels of security encryption (which you choose) and it logs you directly into your sites with 1 Click Login.

    Hope it helps!
    Louise

    Reply
  3. Another idea could be to use a password manager. I work for Passpack – an online password manage and it would solve most of these issues. It features a password generator, different levels of security encryption (which you choose) and it logs you directly into your sites with 1 Click Login.

    Hope it helps!
    Louise

    Reply
  4. While I agree with the overall theme of the post that sites are not making it easy for users to remember passwords especially the ones used infrequently.

    I have serious reservations about sites relying on #3 and #4 to authenticate users or reset their passwords.

    On todays social web we have more information about ourselves shared than we some times know and a lot of it can also be inferred ingeniously. While most folks think about security as a physical thing and try protecting their passwords on their machine and on the wire, what many dont know is that a large number of hacks are also done by social engineering through acquaintances and friends of friends etc.

    Things like “Hints” and “Can you answer this special question” play right into that territory.

    Maybe a couple of ways of trying to provide some flexibility might be that you allow only one chance at your password hint and you have a large bag of hint questions from which users get a random subset or users can define their own secret questions. Cause if all a site offers as questions are Where were you born, whats your first school, whats your pets name etc FB has all of that 😉

    Reply
  5. While I agree with the overall theme of the post that sites are not making it easy for users to remember passwords especially the ones used infrequently.

    I have serious reservations about sites relying on #3 and #4 to authenticate users or reset their passwords.

    On todays social web we have more information about ourselves shared than we some times know and a lot of it can also be inferred ingeniously. While most folks think about security as a physical thing and try protecting their passwords on their machine and on the wire, what many dont know is that a large number of hacks are also done by social engineering through acquaintances and friends of friends etc.

    Things like “Hints” and “Can you answer this special question” play right into that territory.

    Maybe a couple of ways of trying to provide some flexibility might be that you allow only one chance at your password hint and you have a large bag of hint questions from which users get a random subset or users can define their own secret questions. Cause if all a site offers as questions are Where were you born, whats your first school, whats your pets name etc FB has all of that 😉

    Reply
  6. Totally agree about appropriate levels of security. These systems are usually produced by developers who are totally theoretical in their views on security, and do not understand that excessive security which creates barriers to users is not only a serious usability problem but a serious commercial problem.
    Security should be the minimum logically required – not over the top!

    Reply
  7. The problem with giving a user a hint instead of an offer to reset their password, is that when a user does need to reset their password, most (at least the website that I work on) has no option set up for the user to change their hint question. So if your password used to be MrFluffy and your hint was “Kitty’s name” and you changed your password to “Fido” (your ever-so generic dog’s name), your old hint question is now moot. I do think the level of severity thing is interesting though. I do agree some sites could be a little bit more lax with password restrictions.

    Reply
  8. The problem with giving a user a hint instead of an offer to reset their password, is that when a user does need to reset their password, most (at least the website that I work on) has no option set up for the user to change their hint question. So if your password used to be MrFluffy and your hint was “Kitty’s name” and you changed your password to “Fido” (your ever-so generic dog’s name), your old hint question is now moot. I do think the level of severity thing is interesting though. I do agree some sites could be a little bit more lax with password restrictions.

    Reply
  9. It’s gotten to the point where I have so many passwords and user names that I need an Excel sheet to keep track of them all. Not the safest way to organize them, I know, since they’re readily available on my laptop. But hey… at least when I’m logged off, my entire computer is username/password protected!

    These are some great ideas, I especially liked the one about setting the security level. When you need a password that includes 8 letters, a number, at least one capital letter, AND a symbol to sign up for a social media site, it’s a little overboard.

    Reply

Leave a Comment

The Non-Obvious Insights Newsletter. Non-Obvious Insights
Layer 97
The Non-Obvious Insights Newsletter
Layer 118

Skip the obvious and anticipate the future with our weekly newsletter. Join over 25,000 subscribers and start receiving the stories (and insights) you’ve been missing.

All Books

#1 WSJ & USA Today Bestselling Author

In addition to Non-Obvious Thinking, Rohit is the author of 10 books on trends, the future of business, building a more human brand with storytelling and how to create a more diverse and inclusive world.

Contact ROHIT

Have a Question or Inquiry?

Just fill out this form, and we’ll get back to you within 24 hours!

Contact

About You

What Are You Contacting Us About*:

Your Message