Panel from an xkcd comic about password strength.

Usability: On creating password rules

These days, everyone wants to make it clear that they’re taking security seriously. So they make each user create a password which contains at least eight characters including a lowercase letter, an uppercase letter, a number, a symbol, and some other rule that’s completely different from every other website. Then when you can’t remember your password (I know, I know, we should be using password managers and just remembering a master password) they show you the rules and make you set a new password, which can’t be the same as a previous password. Which means that next time you actually do remember your old password…

xkcd is awesome. You should read it.

Minimum password lengths are a good idea. Expanding the character set is probably a good idea. But there’s actually a really easy way to improve usability and not tick off your customers. If I hit the “forgot password” link? Show me the password rules! I know my own thought processes; if I know what the rules are for choosing a password on your website, there’s a pretty good chance that I’ll immediately figure out what my password is rather than having to reset it with something that’s more difficult to remember. You’re not making things any easier for hackers, but you’re making it a lot easier for users.
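One way to make "show me the rules" cheap to do is to define the password policy once, as data, and drive both the set-password check and the forgot-password page from that single definition, so the two can never drift apart. The following is an added example, not code from the original post; the specific rules in `POLICY` are a constructed sample, and `is_reused` assumes the site keeps its password history only as salted PBKDF2 hashes (so the history check needs the candidate password, never the old plaintext).

```python
"""Added example: one password policy, used both to validate a new password
and to describe the rules on the "forgot password" page (no secrets shown)."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Rule:
    description: str              # human-readable text shown to users
    check: Callable[[str], bool]  # returns True when the password satisfies the rule


# Constructed sample policy for this example; a real site would tune these.
POLICY: List[Rule] = [
    Rule("at least 8 characters", lambda p: len(p) >= 8),
    Rule("at least one lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    Rule("at least one uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    Rule("at least one digit", lambda p: re.search(r"[0-9]", p) is not None),
    Rule("at least one symbol (not a letter or digit)",
         lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def describe_rules(policy: List[Rule] = POLICY) -> List[str]:
    """Text for the forgot-password page: the rules only, derived from POLICY."""
    return [rule.description for rule in policy]


def failed_rules(password: str, policy: List[Rule] = POLICY) -> List[str]:
    """Descriptions of every rule the candidate fails; empty list means accepted."""
    return [rule.description for rule in policy if not rule.check(password)]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is how history entries are assumed to be stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def is_reused(candidate: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """history holds (salt, digest) pairs for previous passwords.
    Each comparison uses compare_digest to avoid timing differences."""
    return any(
        hmac.compare_digest(hash_password(candidate, salt), digest)
        for salt, digest in history
    )


def check_new_password(candidate: str,
                       history: List[Tuple[bytes, bytes]],
                       policy: List[Rule] = POLICY) -> List[str]:
    """Full set-password check: policy rules plus the 'not a previous password' rule."""
    problems = failed_rules(candidate, policy)
    if is_reused(candidate, history):
        problems.append("must not be the same as a previous password")
    return problems


if __name__ == "__main__":
    print("Rules shown on the forgot-password page:")
    for line in describe_rules():
        print(" -", line)
```

Because `describe_rules` and `failed_rules` read the same `POLICY` list, the forgot-password page always shows exactly the rules the reset form enforces; a rule added later appears on both automatically.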

