Passwords are broken: and how to fix them

I recently spent several hours one workday morning attempting to change my work password. IT had implemented new rules including a requirement that employees needed to have their computers plugged into ethernet in order to change their password. Sadly this and the arbitrary rules for how to compose a password were not communicated to employees.

I let my colleagues know, and I wrote a note on our office whiteboard to save them from repeating my mistake. But it got me thinking about passwords and what we make customers go through.

For our ecommerce platform we give customers three attempts to sign in before locking their account. The only way to unlock an account is to call customer service, likely incurring a cost to the company. Password rules were set by the security team without consideration of the overall experience. I found a stat shared by Luke Wroblewski: 75% of people who needed to recover their passwords in order to checkout never completed the purchase.

We expect people to follow complex and inconsistent password rules, to not write down or record their password, to use a different password for every site, and in some cases, particularly for employees in corporate environments, we force people to regularly change their password.

Someone might say customers should use a password manager to keep track of all their passwords, but this option requires customers to change their behaviour. And there's no guarantee the password manager app is secure.

Often in UX design we simply accept the password rules defined by another team, and we design to mitigate the rules. Why can't we circumvent those rules entirely and give customers an even stronger but usable password?

Some sites have done a lot to circumvent the password entirely, but these methods often rely heavily on email and unique authentication links requiring the email to be received on the device. Notion, for example, uses a memorable passphrase but still emails the code rather than letting someone enter it manually.

Ideally we meet the customer where they are and allow multiple options including social sign-ins, clear and flexible rules, hints on creating secure passwords, and most of all affordance for passphrases that don't include numbers or special characters. Let's not be a barrier for our customers, especially when they're trying to give us money.
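To make the "clear and flexible rules" point concrete, here is an added example (not code from the original post) that puts a classic composition policy next to a length-first policy that accepts passphrases with no numbers or special characters. The small breached-password set and the length thresholds are constructed assumptions; a real service would check against a large breach corpus and tune the limits to its own risk. Each policy returns the reasons it rejected a password so the sign-up form can show an actionable hint instead of a generic error.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a breached-password list. Assumption: a real
# deployment would query a large corpus (e.g. via a k-anonymity range lookup).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: list[str] = field(default_factory=list)  # user-facing hints


def composition_policy(pw: str) -> PolicyResult:
    """Classic rule set: 8-16 chars with upper, lower, digit and special.

    Rejects almost every passphrase, including long ones that are harder
    to guess than the short strings it accepts.
    """
    reasons = []
    if not 8 <= len(pw) <= 16:
        reasons.append("length must be 8-16 characters")
    if not re.search(r"[A-Z]", pw):
        reasons.append("needs an uppercase letter")
    if not re.search(r"[a-z]", pw):
        reasons.append("needs a lowercase letter")
    if not re.search(r"[0-9]", pw):
        reasons.append("needs a digit")
    # Whitespace is not counted as a "special" character here.
    if not re.search(r"[^A-Za-z0-9\s]", pw):
        reasons.append("needs a special character")
    return PolicyResult(accepted=not reasons, reasons=reasons)


def passphrase_policy(pw: str, min_len: int = 12, max_len: int = 128) -> PolicyResult:
    """Length-first policy: no composition rules.

    Accepts plain-word passphrases, blocks known-bad and trivially
    repetitive strings, and caps length to avoid abuse of slow hashing.
    The 12/128 bounds are constructed defaults, not values from the post.
    """
    reasons = []
    normalized = " ".join(pw.lower().split())  # collapse whitespace for the deny-list check
    if len(pw) < min_len:
        reasons.append(f"use at least {min_len} characters; a few ordinary words is fine")
    if len(pw) > max_len:
        reasons.append(f"use at most {max_len} characters")
    if normalized in COMMON_PASSWORDS:
        reasons.append("this password appears in known breach lists; pick another")
    if len(set(pw)) < 4:
        reasons.append("too repetitive; mix in a few different words or characters")
    return PolicyResult(accepted=not reasons, reasons=reasons)


def hint_for(result: PolicyResult) -> str:
    """Single line a sign-up form can show under the password field."""
    return "Looks good." if result.accepted else "; ".join(result.reasons)


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "P@ssw0rd1", "password"]:
        comp = composition_policy(candidate)
        phrase = passphrase_policy(candidate)
        print(f"{candidate!r}: composition -> {hint_for(comp)} | passphrase -> {hint_for(phrase)}")
```

The interesting contrast is the first two candidates: the four-word passphrase fails every composition rule, while the nine-character `P@ssw0rd1` satisfies all of them yet is the one a guessing attack would reach first. The length-first policy inverts that outcome, and its `reasons` list doubles as the on-screen hint the post asks for.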