The truth about passwords

I’m not going to count them all, but I probably have close to a hundred user accounts scattered around the Internet. And they all have usernames and passwords – too many to remember if they are all different. Luckily websites now almost all use your email as your username which really helps. But I still have far too many logins to use an individual password for every site – even though I know that password re-use is very dangerous, we all still do it.

 

Each website would recommend that people use a specific password for their service – but as soon as we admit that each user has a gazillion other logins in their life, the whole security picture starts to look a little bit more risky; I may well have found a way to remember a password like  ?lACpAs56IKMs”  but you can be sure that I use that on many, if not all the other websites I use. It’s probably the most massive point of weakness for internet security – as XKCD nicely illustrates. But it’s due to a pretty obvious user experience issue; people just can’t remember a password for every website.

 

Faced with the impossible task of remembering all that is asked of them, let’s look and the tactics people will use to try and balance security with the ability to remember all those logins:

 

1. Use the same password for everything (not recommended!)

This makes it easy to remember, but only if your password always meets the different password rules for different sites (less than 8 characters; 8 characters or more; use a mix of letters, numbers, symbols; don’t use any -or some- symbols). And if one organisation (or you) suffer a security issue that makes your password known to others, you are faced with the gargantuan problem of resetting every single password you ever use; or switching to option 2…

 

2. Use a different password for each type of service (still not recommended!)

A popular method I have observed is to use one password for your email and general web surfing, a different one for your financial services, a different one for your work systems and so on. But inevitably you end up typing in every password as you try to remember which one you used for the particular thing you want to unlock. I have watched so many people trying password after password at a login screen or dialog I know this is a common part of our experience these days. It makes you want to switch to some other option.

 

3. Write the passwords down somewhere

If recall is the problem, recording is the answer. In certain circumstances this is a highly recommended approach – for example writing your modem password on the modem. Security professionals even recommend staff use incomprehensible passwords at work and write them down in a drawer at their desk; the physical security of the building is better protection than a predictable password for an online system accessible from anywhere in the world. I see written passwords quite often in other people’s houses. But a written password for your online banking left near your home computer multiplies the risk of burglary – a bit like leaving the safe keys near the safe. I imagine the written password is a very common approach.

 

4. Let the browser remember them all for you

You can let your browser remember passwords when you log in and then the problem of remembering what you chose goes away – but only on that computer, on that browser; it’s not going to help you if you switch computers (can you migrate passwords?) or if you want to log in from somewhere else. There will always be debate about whether this method is secure or not; personally I find it worrying that the browser holds the necessary information. Firefox allows use of a Master password which is apparently more secure. I imagine this is a common tactic and probably represents reduced security.

 

5. Use a password program that remembers them all for you

This works great – I used to use SplashID which recorded all my passwords, and even generated them if I wanted. In my last blog people have mentioned KeePass as another (free) option. I guess that there’s software which would even fill in the web forms for you. I never forgot a password while I used SplashID; but then again I had to log into SplashID every single time I needed a password. And that was too much effort; faced with a password textfield I prefer just to keep typing instead of switching to another program. I’d imagine password programs are very popular amongst developers and the more technical users who realise it is the solution to the problem. But for most people, apathy will defeat utility: people will just re-use passwords they can remember. 

 

6. Use an excellent password generating system

Microsoft provides a great article explaining how to remember a really secure password like ?lACpAs56IKMs” and you can take this further by including a letters from the website name (say, first and last) so every password is different. If you are a software geek or memory genius go right ahead and use the technique yourself. In reality there’s not a lot of people who will do this.

 

7. Click on ‘Forgot password’

It’s inevitable, so if you provide a password reset loop you need to realise that it is a common and major part of your customer experience – you’d better think about the user ex
perience
because people will be using it often. 

 

 

So faced with too many passwords, the above systems are the ones I have seen/heard people using (pls comment if you have seen others). The purpose of this blog post is to point out that there are certain unchallenged assumptions about user authentication which it turns out are completely false in the real world:

  1. People generally choose secure (strong) passwords. False: strong passwords are too hard to remember
  2. People don’t re-use passwords on multiple sites. False: people have too many logins for this to be practical
  3. Each user login is only used by one person: False: many people share a single login for many users (e.g. group blogs; community groups with a shared computer; families…)

It seems that the easy systems aren’t secure, and the recommended systems aren’t usable, because they take too long or require too much remembering. User authentication is an area that requires a significant user experience breakthrough. I’m personally hoping that the elders of the Internet will be able to arrange a secure way of using the same user authentication on many sites; something like the OpenID or the Obama-backed NTSIC. As a user experience designer I’m not expert on the issues that have to be overcome but I can show you how it should look: imagine the ‘Share’ feature approach applied to user authentication: the ‘Sign in’ bar:

Signinbar

The sign-in bar presents me with a way of signing in to an infinite number of sites using a username and password I know and can remember; and even change regularly. If the security (single point of weakness), practicality (unusable by bots) and usability (speed, functionality, design) of something like this can be achieved then the technology would be meet the realities of people and the internet. 

 

Jonathan Duhig is a usability consultant at Objective Digital

Read Part 1 – The password reset experience

This entry was posted in Uncategorized by James Breeze. Bookmark the permalink.

About James Breeze

Objective Digital Holdings Pty Ltd has offices in Sydney (Objective Digital) and Singapore (Objective Asia). De-coding behavioural insights so your Customer Experiences are fantastic! Eye Tracking, CX, UX, Usability Testing, Shopper Research & Design Thinking across Australasia and South East Asia.

3 thoughts on “The truth about passwords

  1. Sean, the main reason to use different passwords for different sites is, that if a hacker gets your password he can not log-in the other sites you use. If I know your password for GMail is GM_nafa478fg it is pretty easy to go to yahoo and try YH_nafa478fg. GM, YH … are very obvious prefixes. Maybe this was just to demonstrate, but people should know what they are using :-)

  2. Heya! I hope you do not mind but I decided to submit your site:
    http://blog.objectivedigital.com/2011/01/28/how-do-we-remember-passwords/ to
    my online directory website. I used, “The truth about passwords | Understanding the User Experience” as your site title.
    I hope this is alright with you. If perhaps you’d like me to change the title or perhaps remove it entirely, contact me at adalehale@arcor.de. Many thanks.

  3. I’m not that much of a online reader to be honest but your blogs really nice, keep it up!
    I’ll go ahead and bookmark your website to come back later on. Cheers

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s