I’m not going to count them all, but I probably have close to a hundred user accounts scattered around the Internet. And they all have usernames and passwords – too many to remember if they are all different. Luckily websites now almost all use your email as your username which really helps. But I still have far too many logins to use an individual password for every site – even though I know that password re-use is very dangerous, we all still do it.
Each website would recommend that people use a specific password for their service – but as soon as we admit that each user has a gazillion other logins in their life, the whole security picture starts to look a little bit more risky; I may well have found a way to remember a password like “?lACpAs56IKMs”, but you can be sure that I use it on many, if not all, of the other websites I use. It’s probably the most massive point of weakness for internet security – as XKCD nicely illustrates. But it’s due to a pretty obvious user experience issue: people just can’t remember a password for every website.
Faced with the impossible task of remembering all that is asked of them, let’s look at the tactics people use to try and balance security with the ability to remember all those logins:
1. Use the same password for everything (not recommended!)
This makes it easy to remember, but only if your password always meets the different password rules for different sites (less than 8 characters; 8 characters or more; use a mix of letters, numbers and symbols; don’t use any (or some) symbols). And if one organisation (or you) suffers a security issue that makes your password known to others, you are faced with the gargantuan problem of resetting every single password you ever use; or switching to option 2…
2. Use a different password for each type of service (still not recommended!)
A popular method I have observed is to use one password for your email and general web surfing, a different one for your financial services, a different one for your work systems and so on. But inevitably you end up typing in every password as you try to remember which one you used for the particular thing you want to unlock. I have watched so many people trying password after password at a login screen or dialog that I know this is a common part of our experience these days. It makes you want to switch to some other option.
3. Write the passwords down somewhere
If recall is the problem, recording is the answer. In certain circumstances this is a highly recommended approach – for example writing your modem password on the modem. Security professionals even recommend staff use incomprehensible passwords at work and write them down in a drawer at their desk; the physical security of the building is better protection than a predictable password for an online system accessible from anywhere in the world. I see written passwords quite often in other people’s houses. But a written password for your online banking left near your home computer multiplies the risk of burglary – a bit like leaving the safe keys near the safe. I imagine the written password is a very common approach.
4. Let the browser remember them all for you
You can let your browser remember passwords when you log in and then the problem of remembering what you chose goes away – but only on that computer, on that browser; it’s not going to help you if you switch computers (can you migrate passwords?) or if you want to log in from somewhere else. There will always be debate about whether this method is secure or not; personally I find it worrying that the browser holds the necessary information. Firefox allows use of a Master password which is apparently more secure. I imagine this is a common tactic and probably represents reduced security.
5. Use a password program that remembers them all for you
This works great – I used to use SplashID which recorded all my passwords, and even generated them if I wanted. In my last blog people have mentioned KeePass as another (free) option. I guess that there’s software which would even fill in the web forms for you. I never forgot a password while I used SplashID; but then again I had to log into SplashID every single time I needed a password. And that was too much effort; faced with a password textfield I prefer just to keep typing instead of switching to another program. I’d imagine password programs are very popular amongst developers and the more technical users who realise it is the solution to the problem. But for most people, apathy will defeat utility: people will just re-use passwords they can remember.
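As an added illustration of what a password program does for you (example code written for this post, not SplashID’s or KeePass’s own), the Python below generates a distinct random password for each site that satisfies that site’s rules, using constructed policies modelled on the kinds of rules listed under option 1; the site names and rules are hypothetical.

```python
import math
import secrets
import string

# Constructed site policies (hypothetical sites), modelled on the kinds of
# rules the post lists: length limits, required character classes, banned symbols.
POLICIES = {
    "bank.example":  {"min_len": 8,  "max_len": 12, "classes": 3, "forbid": "\"'\\<>"},
    "forum.example": {"min_len": 12, "max_len": 64, "classes": 4, "forbid": ""},
}

CHARACTER_CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation]

def meets_policy(password, policy):
    """True if the password satisfies every rule in the site's policy."""
    if not policy["min_len"] <= len(password) <= policy["max_len"]:
        return False
    if any(c in policy["forbid"] for c in password):
        return False
    classes_present = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    return classes_present >= policy["classes"]

def allowed_alphabet(policy):
    """Every character the site accepts."""
    return "".join(c for c in "".join(CHARACTER_CLASSES) if c not in policy["forbid"])

def generate_password(policy):
    """Random password as long as the site allows, using the OS CSPRNG; retry until it passes."""
    alphabet = allowed_alphabet(policy)
    while True:  # rejection sampling: uniform over all valid passwords of this length
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["max_len"]))
        if meets_policy(candidate, policy):
            return candidate

def entropy_bits(policy):
    """Approximate entropy of a generated password, to compare what each site's rules allow."""
    return policy["max_len"] * math.log2(len(allowed_alphabet(policy)))

def generate_vault(policies):
    """One independent password per site, so a leak at one site says nothing about the others."""
    return {site: generate_password(policy) for site, policy in policies.items()}
```

Note that the post’s own example “?lACpAs56IKMs” passes the forum policy but fails the bank’s 12-character cap, which is exactly the option 1 problem a generator sidesteps.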
6. Use an excellent password generating system
Microsoft provides a great article explaining how to remember a really secure password like “?lACpAs56IKMs”, and you can take this further by including letters from the website name (say, the first and last) so every password is different. If you are a software geek or memory genius, go right ahead and use the technique yourself. In reality there are not a lot of people who will do this.
7. Click on ‘Forgot password’
It’s inevitable, so if you provide a password reset loop you need to realise that it is a common and major part of your customer experience – you’d better think about the user experience because people will be using it often.
So, faced with too many passwords, the above systems are the ones I have seen or heard of people using (please comment if you have seen others). The purpose of this blog post is to point out that there are certain unchallenged assumptions about user authentication which turn out to be completely false in the real world:
- People generally choose secure (strong) passwords. False: strong passwords are too hard to remember.
- People don’t re-use passwords on multiple sites. False: people have too many logins for this to be practical.
- Each user login is only used by one person. False: many people share a single login among many users (e.g. group blogs; community groups with a shared computer; families…).
It seems that the easy systems aren’t secure, and the recommended systems aren’t usable, because they take too long or require too much remembering. User authentication is an area that requires a significant user experience breakthrough. I’m personally hoping that the elders of the Internet will be able to arrange a secure way of using the same user authentication on many sites; something like OpenID or the Obama-backed NSTIC. As a user experience designer I’m no expert on the issues that have to be overcome, but I can show you how it should look: imagine the ‘Share’ feature approach applied to user authentication: the ‘Sign in’ bar:
The sign-in bar presents me with a way of signing in to an infinite number of sites using a username and password I know and can remember, and can even change regularly. If the security (no single point of weakness), practicality (unusable by bots) and usability (speed, functionality, design) of something like this can be achieved, then the technology would meet the realities of people and the internet.