Monday, January 23, 2012

How Password Reset Screens Should Work

There is a long literature on how the password requirements at most websites are ridiculous: they make life hard for users without making passwords much harder for anyone to crack. There was a great xkcd comic about this which captures the flavour of the problem.

In order to stop random cracking attempts, websites tend to make the following requirements:

1. Lock out the user for [some period, e.g. 1 hour] after [N, usually 3] incorrect password attempts.

2. Make a requirement about password length and certain characters.

So far, so annoying, but fairly manageable.

Let's assume that the website in question locks you out after 3 attempts. The problem arises because websites pick different versions of #2. I've come across:
- At least 6 letters
- At least 6 letters and at least one number
- At least 6 letters and at least two numbers
- At least 6 letters and one special character
- At least 8 letters and a number
- At least 8 letters and a special character
- Exactly 8 characters, including [some combination of the above]
- At least 6 letters, no special characters allowed
etc.

One salient feature of the list: it has more than three options.

Now, it seems that lots of people generate variants of the same password for each case, depending on the requirement. Give them the requirement, and they know what the password is.

But if you've got a slightly odd password requirement, the vast majority of my incorrect password attempts are me trying to remember what your damn password restriction is!

So what happens is that I'll try the most common case. Wrong. I'll think 'Hmm, does it need a special character' and try that. No luck. And now I can try a third time and risk having to wait an hour, or I can go through another pointless password reset. Sigh.

And there's absolutely no need to do this. Knowing the requirements doesn't make life much easier for the hacker.
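To make the argument concrete, here is an added example (my own code, not from the post or from any site it names) of what the post is asking for: the requirement rules live in one data structure, and that single definition produces both the validation at sign-up and the hint text printed on the login and reset screens, so the hint can never drift away from the rule being enforced. It also includes the N-attempts lockout from the first requirement. The class, field and policy names are assumptions of this example; the policy table encodes the variants listed above.

```python
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Password requirements as data. One definition drives both the
    sign-up validation and the hint shown on the login/reset screen.
    Field names are this example's own, not any site's real schema."""
    min_length: int = 6
    max_length: Optional[int] = None   # None means no upper bound
    min_digits: int = 0
    min_special: int = 0
    allow_special: bool = True
    special_chars: str = string.punctuation

    def describe(self) -> str:
        """The human-readable hint the post wants next to the password box."""
        parts: List[str] = []
        if self.max_length == self.min_length:
            parts.append(f"exactly {self.min_length} characters")
        elif self.max_length is not None:
            parts.append(f"{self.min_length} to {self.max_length} characters")
        else:
            parts.append(f"at least {self.min_length} characters")
        if self.min_digits:
            parts.append(f"at least {self.min_digits} number" + ("s" if self.min_digits > 1 else ""))
        if self.min_special:
            parts.append(f"at least {self.min_special} special character" + ("s" if self.min_special > 1 else ""))
        if not self.allow_special:
            parts.append("no special characters")
        return ", ".join(parts)

    def violations(self, password: str) -> List[str]:
        """Every requirement the candidate fails; an empty list means it passes."""
        problems: List[str] = []
        n_digits = sum(c.isdigit() for c in password)
        n_special = sum(c in self.special_chars for c in password)
        if len(password) < self.min_length:
            problems.append("too short")
        if self.max_length is not None and len(password) > self.max_length:
            problems.append("too long")
        if n_digits < self.min_digits:
            problems.append("not enough numbers")
        if n_special < self.min_special:
            problems.append("not enough special characters")
        if not self.allow_special and n_special:
            problems.append("special characters not allowed")
        return problems

    def is_valid(self, password: str) -> bool:
        return not self.violations(password)


# The requirement variants listed in the post, as policy objects.
# The keys are labels invented for this example, not real site names.
POLICIES: Dict[str, PasswordPolicy] = {
    "six-letters": PasswordPolicy(min_length=6),
    "six-plus-number": PasswordPolicy(min_length=6, min_digits=1),
    "six-plus-two-numbers": PasswordPolicy(min_length=6, min_digits=2),
    "six-plus-special": PasswordPolicy(min_length=6, min_special=1),
    "eight-plus-number": PasswordPolicy(min_length=8, min_digits=1),
    "eight-plus-special": PasswordPolicy(min_length=8, min_special=1),
    "exactly-eight-with-number": PasswordPolicy(min_length=8, max_length=8, min_digits=1),
    "six-no-special": PasswordPolicy(min_length=6, allow_special=False),
}


class AttemptTracker:
    """Lockout rule from the post: after max_attempts wrong passwords the
    account is locked for lockout_seconds. The clock is passed in by the
    caller so behaviour is deterministic and testable."""

    def __init__(self, max_attempts: int = 3, lockout_seconds: int = 3600):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._state: Dict[str, Tuple[int, float]] = {}  # user -> (failures, locked_until)

    def is_locked(self, user: str, now: float) -> bool:
        _, locked_until = self._state.get(user, (0, 0.0))
        return now < locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Count a wrong password; returns True if this attempt triggered a lockout."""
        failures, locked_until = self._state.get(user, (0, 0.0))
        failures += 1
        if failures >= self.max_attempts:
            self._state[user] = (0, now + self.lockout_seconds)
            return True
        self._state[user] = (failures, locked_until)
        return False

    def record_success(self, user: str) -> None:
        self._state.pop(user, None)


def login_prompt(policy: PasswordPolicy) -> str:
    """The label the post argues every login and reset form should carry."""
    return f"Password (must be {policy.describe()})"


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:28s} {login_prompt(policy)}")
```

The design point is that the hint is derived from the same object the validator uses, rather than typed by hand into a template. A hand-written hint is exactly the kind of thing that goes stale when the rule changes, and a stale hint is worse than none. The tracker counts every wrong password towards the lockout, including ones that could not possibly satisfy the policy; that is why showing the hint before the first attempt matters.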

I'm pretty sure that Progressive Insurance has some bizarre requirement that I keep forgetting, because I think I need to reset my password just about every time I need to log in. Great customer experience, chaps!

So I really wish that more websites would follow Expedia's sterling example:


I dare the system admins to try this, and see how many fewer times the password reset function is used. If you've got a requirement for special characters or two numbers, I'm ballparking that the number of password resets will probably drop at least 80%.
