Understanding Usability


The password reset experience

I've reset nine different passwords for various websites and services in the last three months; that's almost one a week. Resetting passwords is becoming a regular part of my user experience. Everything requires a login and a password these days, and although I have a password system, it breaks down a lot and I have to go around the reset loop. This often turns a quick task on a website I don't use much into a longer process. When the password reset process takes longer than the task you wanted to achieve, it becomes the largest factor in that particular user journey, so it shouldn't be overlooked.

Hardly any of your users follow recommended practices, so most must have some sort of password system (which I'll look at in a later post), and forgetting which password or variation you used for a particular site must be very common.

Making a good password reset loop

Because your customers will be clicking on 'forgot password' quite frequently, you must give them a good experience while they reset their password. Let's look at six possible customer experiences:

In the ideal situation, someone remembers their password and the journey is nice and punchy:

[Diagram: Ideal password process]

When email validation must be used, the best experience is also the least secure: just tell me my password. A site can only do this if it stores passwords in a recoverable form rather than as salted hashes, so a breach of its database exposes every password, and the plaintext then also sits in the user's mailbox:

[Diagram: Password reveal by email]

The most common process is security-centred; let the user reset the password via an email link:

[Diagram: Password reset by email link]

The above process, however, can have multiple steps during the 'reset password' stage, and it precipitates all the stress of choosing something you won't forget again. You might even find there is a policy preventing re-use of the password you used once before. Overall, this most common practice is a clunky and unsatisfying approach; your user might be in a funk by the time they start completing an actual worthwhile task.
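For developers building the email-link flow above, here is what the "secure" variant has to do behind the scenes to actually earn that label. This is an added example, not code from the original post or from Objective Digital: it assumes users are keyed by lower-cased email address, that the reset link lives at the placeholder host example.invalid, and that email delivery is stubbed out by an in-memory outbox. The token is random, only its hash is stored, it expires, it is consumed on first use, and the "forgot password" form answers identically whether or not the address exists, so it cannot be used to enumerate accounts. Because only salted password hashes are kept, the "just email me my password" variant is impossible by construction.

```python
"""Email-link password reset with a hashed, expiring, single-use token.

Added example, not the post's own code. Assumptions: users are keyed by
lower-cased email address, the reset link lives at https://example.invalid/
(a placeholder host), and email delivery is stubbed by an outbox list.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumption: links are valid for 15 minutes
PBKDF2_ROUNDS = 100_000        # assumption: kept modest for the demo; raise in production
SALT_LEN = 16

# Returned for every request, registered address or not.
RESET_RESPONSE = "If that address is registered, a reset link has been sent."


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). Only this is stored, so the
    site is physically unable to 'just email me my password'."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    email: str
    password_hash: bytes


class ResetService:
    def __init__(self, users: Dict[str, User], now: Callable[[], float] = time.time):
        self.users = users
        self.now = now
        # token hash -> (email, expiry). The raw token exists only in the email,
        # so a leaked copy of this table cannot be used to reset anyone's password.
        self.pending: Dict[bytes, Tuple[str, float]] = {}
        self.outbox: List[Tuple[str, str]] = []   # constructed stand-in for SMTP

    @staticmethod
    def _token_hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email: str) -> str:
        """Step 1 of the flow. The response is identical whether or not the
        address is registered, so the form cannot be used to enumerate accounts."""
        key = email.strip().lower()
        user = self.users.get(key)
        if user is not None:
            token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
            # Issuing a new link invalidates any earlier one for this user.
            self.pending = {h: v for h, v in self.pending.items() if v[0] != key}
            self.pending[self._token_hash(token)] = (key, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((user.email, f"https://example.invalid/reset?token={token}"))
        return RESET_RESPONSE

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: the user follows the link and submits a new password.
        The token is consumed whether the attempt succeeds or has expired."""
        entry = self.pending.pop(self._token_hash(token), None)
        if entry is None:
            return False                                # unknown, already used, or forged
        email, expires_at = entry
        if self.now() > expires_at:
            return False                                # stale link; user must request again
        self.users[email].password_hash = hash_password(new_password)
        return True
```

The link carries only the token; the service finds the account from the token's hash, so nothing in the URL needs to name the user. Short expiry and single use limit what an attacker gains from a forwarded or logged URL, and the fixed response text is what keeps the "forgot password" page from becoming a user-ID oracle.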

 

The best experience is actually provided by... yourself! A user-specified security question like "Who made a great big fool of themselves with your sister at your wedding?" feels eerily like yourself talking to you from the past, and is a user experience with heaps of emotional connection:

[Diagram: Self-contained password reset]

You can see that the process is contained within the host site, which is a huge improvement in the user experience.

Security questions, however, aren't very secure. Few people can write a good, secure custom question, and canned questions like mother's maiden name or favourite things are too easy to guess or look up on Facebook and the like; the answers also carry far less entropy than a password, and sites rarely protect them as carefully. People may also be as likely to forget the answer to a security question as to forget a password.

The best approach is to use a user-provided user experience that can prevent forgotten passwords in the first place: a password hint:

[Diagram: Password hint]

This provides an error-preventing, user-friendly approach that reduces the need for the password reset loop. There is of course one huge flaw: it passes the responsibility for security to the user, who is free to write completely insecure hints like "Your wife's name followed by her birthday" or even the password itself (surely that happens, if I know users?). A hint also has to be shown before the user has authenticated, so whatever it reveals is available to anyone who knows the user ID. I use a cryptic hint that works well for me and would be happy to use it universally, but widespread use seems unlikely.

The problem of the password (reset) barrier is of course repetitive: I perform some task on one site and then move to another site to perform some other task. The holy grail of user authentication is to validate once and use that across multiple sites:

[Diagram: Universal login]

This is a big effort, and previous attempts (the earliest mover was probably Microsoft Passport) have not worked. Google Accounts can now sign you in to the Google world in one step. The most promising is the OpenID initiative, which has led to advances such as signing in to Flickr using your Google account. So far OpenID is still just a single authentication that can be re-used (a big help, but not yet single sign-on), but it's a promising start, and I encourage us all to support the effort in the hope that newer, faster technology gradually develops.

Keep the context

There is one more special case that needs extra attention: sometimes it is best not to ask for authentication until the user is already some way into the task; maybe they have entered some text in a field, filled out a form, written a comment, etc. In this case the site is usually pretty good at keeping the context after a successful login, but sometimes sites drop the ball if the user enters the password reset loop (because it has been treated as an isolated function), and the context is lost. If you can keep some of the task-specific screen elements around the reset workflow, that's ideal.

So let's summarise the vital take-home points:

  • Assume people are imperfect, have loads of logins, and will probably forget yours once in a while (or every time)
  • Make your password reset loop as short as possible; treat it as an important part of your customer experience
  • Use user-provided personalisation if you can (and if it has a reasonable chance of being secure)
  • Retain the context of what the user is doing all the way through the reset experience

The password reset experience is likely to be a problem for some time: good experiences will be insecure and secure experiences will be unsatisfying until a universal validation technology is available. Until then, people will continue with unsafe practices across multiple sites while websites continue with secure but insular processes.

Read Part 2 - How do we remember passwords?

Jonathan Duhig is a usability consultant at Objective Digital

Comments (26)

Jan 24, 2011
Edwin said...
Actually Facebook Connect is the more popular way of single sign-on these days. I had trouble finding some recent numbers about it, but here is a small start: http://techcrunch.com/2010/01/15/twitter-facebook-connect/
Jan 24, 2011
Greg said...
Great read, very close to home. Got me thinking about user authentication on my mobile apps.
Jan 25, 2011
Brian said...
< "Your wife's name followed by her birthday">
If it contains the year - this should be secure :)
Jan 25, 2011
Tom said...
I use Keepass, it works great, http://keepass.info/
Jan 25, 2011
Yes Tom is right, KeePass is a good way of "remembering" all your passwords. You can generate a password and never actually know what the password is, you just double click the password then paste it into the password box. You now only have to remember one password for KeePass.

Some sites don't even have proper "forgot password" features that work, so good article - May all developers / designers read this article.

Jan 25, 2011
Rob said...
For important sites that I don't log into very often, I've gotten into the habit of having a Truecrypt container file holding the passwords.

One can assume Truecrypt is safe (aside from keyloggers and the like, if that was the case you're already screwed), plus I can have wacky passwords I don't need to remember, like this; adgasd23hgio1asdjhfgklasdj245gvbioahsd6. Who's going to guess that?

Jan 25, 2011
Bruce said...
I started to use Facebook connect for an account, after forgetting my password, but it prompted me to allow Facebook to share all of my personal details with the site, and I wanted my login to that site to be somewhat anonymous, using a userid that most people would not automatically associate with me in web searches. So I opted out of that, and simply stopped using the account (I forgot what it was, now).
Jan 25, 2011
Good read, as a developer it got me thinking about the importance of the password reset loop - thanks. Oh, from my own single login/signon I use lastpass - which as the name suggests is the only password I actually know - the rest are generated for me and it's synced with xmarks (firefox) http://lastpass.com/
Jan 25, 2011
Alex said...
"I have a password system, it breaks down a lot"
You need a new password system. If the recommended practices make people forget their passwords that often, clearly the recommended practices are broken.
Jan 25, 2011
Mike Homyack said...
Thanks for the write-up - you echo many of my own thoughts on passwords, etc. My personal password peeve is sites that require long passwords with complex characteristics but then, on the login screen, all they provide is a field labeled "Password:". No hint at all about the rules they enforced when you set the password in the 1st place. At that point, you try all your "regulars", a couple of your "oldies that you don't use anymore", a few wild-ass guesses... and then you enter the reset process. If they'd just reiterate their password rules on the login screen, you'd have at least a fighting chance of recreating the logic that got you to whatever you entered when you signed up!

By the way, many sites do the same obnoxious thing with your User ID... they make you use your email address when you sign up, but ask for your "Login" or "User ID" on their login form, which causes you (again) to go through all your best guesses as to what you might have used on this site. If the form said "Email Address" instead of "User ID", you wouldn't have to hit the "Forgot user name" link at all...

Jan 25, 2011
OldETC said...
Too many sites have passwords for nonsense. A company website for investor information doesn't need a password, nor does a blog, nor any thing resembling a blog or simply a dissemination experience. A financial site, sure, a site for any monetary or property transaction of course. A site set up for the transfer of proprietary or other specific controlled information of course, but logging in to view a catalogue, or simply to see some photos?

I find too many websites have a "me too" attitude about logging on with a password. Thus you get people reusing passwords, you get password caching schemes of various kinds and the overall security of password authentication goes down. But worse yet, with no actual verification other than the password, you really have no idea who is accessing and using that information anyway.

I don't know the answer, but a password should not be used unless it is actually protecting something.

Jan 25, 2011
Paul said...
True, the user experience is important, and I hate lengthy resets myself.

However, I object to showing hints, because it indicates that some hacker might have guessed a correct userid. In secure systems, you don't even want to give a hacker a hint that they are guessing correct userids ...now all they have to do is decipher the hint.

Jan 25, 2011
Harry said...
I'm not sure what Mordac, the preventer of information services, would have to say about all of this...

http://www.google.co.uk/images&q=mordac+dilbert

Jan 26, 2011
Ken said...
I got a "security question" about my favorite pet's name. I absolutely know that answer. No matter what I said, it said it was wrong. If there isn't a way to force it to send an e-mail to force a password reset, I'm now stuck until I find the password. Not very happy with that situation.
Jan 26, 2011
David said...
I agree with Tom and Peter regarding KeePass. KeePass automatically generates a fresh strong password for each new entry. I just paste the password in and literally don't know what it is myself (unless I take the trouble to look). I use Dropbox to sync to KeePass on my Android phone so always have (encrypted) backups. If a site gives me challenge questions, I store the questions and answers in KeePass (encrypted) comments.
Jan 26, 2011
Jonathan Duhig said...
Thanks for all the comments:

Edwin: I haven't personally tried Facebook Connect but I will have a look; I agree with Bruce that sharing my Facebook data is a step too far for the sake of re-using a user authentication.

Mike: great point that telling the user what the password rules are is a very good way to help them realise what the password might be. This should be mandatory info on the Forgot Password screen. I may add that to the blog itself.

OldETC: yes there are too many passwords for too many things. I think this is the fault of spambots; user authentication is just trying to restrict access to humans only?

Paul: good point about the security of hints. Maybe sending a hint via an email or text message is the only way - but that is breaking out of the page :-(

Ken: I had a similar experience with a bank login; it turned out I was using the wrong user ID (numerical e.g. 112233657) so the security question related to someone else (in the house). I therefore blocked their account by repeatedly (belligerently) answering the security question wrong. They had to do a telephone reset :-(

KeePass: I haven't looked at that one but it sounds very like SplashID, which I will mention in my next post about how people remember passwords </shameless>

Keep the insights coming everyone - the blog is my personal experience but it looks like I might have to do a more thorough investigation.

Jan 26, 2011
Jonathan Duhig said...
I should also mention that OpenID is currently a really clunky user experience (as far as I have experienced it for a Flickr login) because it adds a login-with-a-login so the process involves extra windows and data transfer steps i.e. waiting a few seconds. I also found that the Google Chrome browser threw security warnings so much I stopped using Chrome for the Flickr-Google-OpenID login process.

What I envisage for the future is when I want to log in to a page I click the logo of my choice of OpenID partner (just like I click my choice of 'Share' icon on many pages these days) and I enter my login quickly which authenticates me; a bit like making a system change on a Mac - a quick authentication using my global userID-password and you're away.

Jan 26, 2011
James Breeze said...
@jonduhig maybe there's a business opportunity in your last para!
Feb 03, 2011
Hide Matsubara said...
I would rather see a ratio of each case so that I can understand what is a major case. To me, the majority for the password setting is the fourth one in Japan.
Feb 22, 2011
Ilian_Iliev said...
Awesome article, especially the flow schemes.
Feb 22, 2011
Jay C said...
Cannot agree. From my experience, users feel more secure, when they receive an email with a specially generated link to password-reset-page.
Besides - what could be a hint to a password like "EJw9Ff7Qoc"?

Nevertheless - nice article :)

Feb 23, 2011
kevin said...
openID or Facebook connect seems the way to go
Dec 26, 2011
Don't forget browserID (created by mozilla), I implemented it recently on an app I'm working on. I was done in a couple of hours, and I don't have to do anything about password handling, email verification or that sort of crap. The account creation process is innocuous enough that it should not throw anybody off, although the password reset uses the email link kind...
Also less privacy issues than say using your facebook or google login. Check my blog for a writeup if you're interested.
