As far as I’m concerned, passwords are a necessary evil: a minor inconvenience standing in the way of something I want to do. Think about the last time you had to create a password. You were probably trying to sign up for a new app, buying something cool, taking an online quiz, or trying out an online service. You may be in the middle of something exciting or just going about your day trying to take care of business, and suddenly, you’re being asked to enter your email address and to create a password. So, you enter your go-to password (something like NeilD!amond123 or IamB@tm4n) that you created 15 years ago when you signed up for your first AOL account, and you continue on with your life. Using a password is the online equivalent of locking your door when you leave the house: it’s mainly a formality and a force of habit, but it makes you feel a little bit safer.
The Wall Street Journal reported that the man who created the password standards we’ve been using for the past 15 years now admits that those rules are actually not very good—they don’t create particularly secure passwords, and they are really difficult for people to understand and to follow (and then to remember the password they came up with). It’s like we installed really fancy, complicated locks on our doors, but it turns out that those locks are really hard to use and can be easily popped open with a credit card. There’s an important lesson to be learned here: When creating products, rules, and systems, it is absolutely essential to remember that those products, rules, and systems are going to be used by real people. You can design the world’s perfect rules, but if nobody wants to follow them, your efforts will go to waste. A password isn’t doing its job if it’s so complicated that you just stay logged in all the time so you don’t have to reenter it, if you have to write it on a Post-it note just to remember it, or if you have to reset your password every time you need to access a site, because you cannot seem to remember the custom password you invented to make your Venmo account "extra secure."
When it comes to online security, the main trade-off is between security and convenience. Creating a user profile and allowing companies, apps, or websites to collect and use your personal data often provides a better, more convenient user experience compared to non-personalized services. As with so many of the decisions we make, there’s a cost–benefit trade-off; however, in the case of security, the cost is often measured in psychological factors like the mental difficulty of remembering a complicated password or the test of patience involved in completing more authentication steps. There is also the discomfort that you might be revealing more information than you would prefer and the increased risk that your personal information will somehow be compromised (for instance, if the site or your computer is hacked). The benefits can take the form of a more useful, engaging product: increased personalization of the online experience or the convenience of using an app that knows your exact location.
So, how should we create passwords that retain the benefits but lower the psychological costs of using them? Here are some basic guidelines:
- Think of passwords that no one else would come up with on their own. You would not believe how many people still use "password" and "123456." (A lot!)
- Create a password that your friends could not guess and that you do not have to write down somewhere. Your birthday is not the best password, but a private nickname you have for someone is better, especially if it’s a phrase!
- Use words that are not in the dictionary. Computers get smarter day by day. Don’t make it easy for them.
- Use multiple words. Longer passwords mean more characters that a hacker has to get right.
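A small checker that applies these four guidelines to a candidate password, added here as an example (it is not code from the original article). The blocklist, the mini dictionary and the eight-character minimum are constructed stand-ins for the real lists and limits a site would load:

```python
import re

# Constructed sample blocklist standing in for a real common/breached-password
# list; the article names "password" and "123456" as the usual offenders.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "iloveyou"}

# Constructed mini dictionary standing in for a full wordlist.
DICTIONARY = {"dragon", "monkey", "summer", "purple", "batman",
              "correct", "horse", "battery", "staple"}

MIN_LENGTH = 8  # assumption for this example, not a number from the article

# Common "leet" substitutions, undone so that P@ssw0rd is compared as password.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "!": "i", "0": "o", "$": "s", "5": "s"})


def normalize(pw):
    """Lowercase, undo leet substitutions and keep letters/digits only."""
    return re.sub(r"[^a-z0-9]", "", pw.lower().translate(LEET))


def split_words(pw):
    """Split on spaces, punctuation, digits and camelCase boundaries."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", pw)
    return [w.lower() for w in re.split(r"[^A-Za-z]+", spaced) if w]


def check_password(pw):
    """Return the list of guideline violations; an empty list means it passes."""
    issues = []
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        issues.append("common")           # "password", "123456", P@ssw0rd ...
    if pw.isdigit():
        issues.append("digits_only")      # birthdays and PINs are easy to guess
    if len(pw) < MIN_LENGTH:
        issues.append("too_short")        # longer means more characters to get right
    words = split_words(pw)
    if len(words) < 2:
        issues.append("single_word")      # "use multiple words"
    if len(words) == 1 and words[0] in DICTIONARY:
        issues.append("dictionary_word")  # "words that are not in the dictionary"
    return issues
```

A decorated dictionary word such as Dragon123! is still flagged, while a multi-word phrase passes every check without any composition rule.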
If your company has an app or a website, how can you help your users get all the benefits while minimizing the friction points involved in creating and remembering passwords? Fors Marsh Group has conducted usability testing on password requirements for the National Institute of Standards and Technology (NIST), which recently published an updated guide on how to set password requirements that maximize security and minimize burden on users. The full report is worth a read, but we have boiled down some of their crucial advice below:
While you’re busy updating your company’s password protocols, consider reviewing and updating your whole sign-up process. This article does a great job explaining useful, effective password rules for companies, and this cartoon always makes the rounds twice a year as a helpful reminder of which types of passwords are most effective. An efficient and user-friendly sign-up process can reduce costs and ensure that you don’t lose users due to frustration with the interface. Creating a password process is only a piece of the whole experience; don’t stop halfway to the finish line!