WebWord.com > Moving WebWord > Password Usability  (14-Aug-2001)



Password Usability

Guest Article by Joshua Ledwell

Summary

Poor password usability can ruin your web registration process. While passwords are a painful fact of life, there are ways to minimize the problems that users face. This article contains suggestions on how to best collect passwords during the registration process, and it will help you determine if you should allow users to save their passwords.


Passwords Are Painful

Browsing the web ought to be fun, useful, and informative.  At websites that require password registration, however, more often the experience is slow and frustrating instead.  A poor password system at your website will stunt your new user growth and cut down how often users return to use your site. 

Why do websites make it hard for their users to use their password-protected features?  Their authors don't understand how people use passwords.  Remember this about your users: 

  • They aren't sure they're alone.  Many users are at work, or school, or somewhere else where they can't be sure if someone is looking over their shoulder as they type in a password.

  • Their passwords depend on personal information.  When you're sitting there in front of a registration form it's difficult to come up with a totally random password, so most people cast about for familiar words and numbers related to their life, their families, even their favorite TV shows. 

  • They use one password for everything.  Scary but true, the vast majority of web surfers try to use the same password wherever they register. 

  • Users hate typing in passwords.  They will almost always choose a "Save my password" option if it's available. 


Four Factors

These factors suggest some best practices for collecting passwords:

1. Cover the password field with asterisks (*) as you type.  This is standard on the Web, but it's amazing how many sites still don't cover passwords.  You'll always need a Confirm Password field, because users won't be able to tell if they make a typo. 

2. Never echo the password to the screen.  Instead, remind users of their ID and password in a "Welcome to my website!" email. 

3. The Terra.com portal uses a password-reminder trick you can adopt.  When registration is complete, Terra hides the password in a pulldown, so users can choose whether to see it again.  Don't depend on the password reminder question.  Mother's maiden name, pet's name, hometown ... they're easy for users to remember but also easy for the wrong people to guess. 



Let your users choose if it's safe to show a password reminder.


When users want a password reminder, validate them by asking for personal info they've already given you like zip code and birthday.  Then send them a totally new, randomly generated password in an email, to the address they gave you when they first registered.  This way, even if someone bluffs their way past the validation, they still won't be able to take over your users' accounts.  

You can allow users to change their passwords back once they've returned to your site.

4. Offer a Save Password feature, defaulted to save, unless your website stores sensitive information.  You have to be careful with this feature -- to decide how to use it, think about what could happen if users accidentally save their passwords on public computers. 
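The reminder flow from item 3, as an added example that is not code from the article or from Terra: it checks the zip code and birthday on file, generates the new password with a cryptographic random source, stores only a salted hash, and mails it to the registered address and nowhere else. The account store, field names, `outbox` list and the identical reply for success and failure are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample account store; field names are assumptions.
USERS = {"jsmith": {"email": "jsmith@example.com", "zip": "02451",
                    "birthday": "1975-03-09", "salt": b"", "pw_hash": b"",
                    "temporary": False}}
ALPHABET = string.ascii_letters + string.digits


def hash_password(password, salt):
    # Only a salted, slow hash is stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _same(a, b):
    # Constant-time comparison: timing does not reveal a partial match.
    return hmac.compare_digest(a.encode(), b.encode())


def request_reminder(user_id, zip_code, birthday, outbox):
    """Validate the requester, then mail a new random password."""
    reply = "If the details match, a new password has been emailed."
    user = USERS.get(user_id)
    if user is None:
        return reply  # same answer as a failed validation
    # Evaluate both checks before deciding, so neither is singled out.
    ok = _same(user["zip"], zip_code) & _same(user["birthday"], birthday)
    if not ok:
        return reply
    new_password = "".join(secrets.choice(ALPHABET) for _ in range(16))
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = hash_password(new_password, user["salt"])
    user["temporary"] = True  # offer a password change at next login
    # The recipient is the address on file, never one from the request.
    outbox.append((user["email"], new_password))
    return reply


def check_login(user_id, password):
    user = USERS.get(user_id)
    if user is None or not user["pw_hash"]:
        return False
    attempt = hash_password(password, user["salt"])
    return hmac.compare_digest(attempt, user["pw_hash"])
```

Because the recipient comes from the stored record, someone who guesses the zip code and birthday triggers a reset but never sees the new password.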


To Save, or Not to Save?

Default Mode      Example      Type of Website
Save On           Salon.com    Most sites: premium articles, personalized start pages
Save Off          Amazon.com   E-commerce: auctions, retail, travel
Never Allow Save  Paypal.com   Financial: Online bank accounts, 401K statements


Always require login for users to see or update their credit card number, address or other personal info. 

Keep in mind that to your users, requiring a password is a hurdle. Set the bar low with good password usability, and your website will enjoy repeat visitors.

About the Author

Joshua Ledwell is Senior Producer for Direct Marketing at Terra Lycos. An Internet professional since 1996, he is a battle-scarred veteran of website usability testing, rapid prototyping, and eye tracking. 

 



 

Contact John S. Rhodes, the WebWord.com Editor and Webmaster

URL: http://webword.com/moving/passwords.html

© 2001 by WebWord.com. All rights reserved.
Do not reproduce or redistribute any material from this document,
in whole or in part, without explicit written permission from WebWord.com.