Nano-brewed interactions: Password requirements

Logan DeBiase
Published in Prototypr
7 min read · Dec 7, 2017

Small batch no. 002

Check out small batch no. 1 too!

The point of this series is to highlight the little things — those subtly annoying problems that don’t get solved because they “don’t have a big impact.” While they may not be top-of-mind, these little annoyances impede our ability to build truly delightful things.

We’ll explore some UX mosquito bites as if we’re this guy trying to wash his car:

and see if we can’t cook up a locally-grown-artisan-hand-crafted cold-pressed solution.

The subtle nuisance of the day:

Millennials have an average of 40 services registered to one email. Those services rarely share the same password requirements: one wants a special character, another wants more than 8 characters. That makes it hard to keep track of which password we use where, and the services don't make it any easier. When we sign up, they tell us the requirements; when we sign back in, there is no mention of them.

We don’t have to look hard for some sign-in offenders. Let’s check out some popular services people use.

The Worst Offense

Unclear password requirements + no mention of them on the sign-in screen.

case sensitive, no 💩.

At first glance it looks simple: 8 characters minimum, easy peasy.

so close, just forgot to mention the other 5 requirements 🤔

Avis took progressive disclosure to a whole new level. It’s like they asked themselves: “How can we make sure everyone messes this up on the first go?”

Even now these messages conflict. The ‘info icon’ says I ‘should’ have an uppercase and a lowercase character, while the error on the form says I ‘must’ have one of each.

But if you thought that was bad, look what happened when I tried to enter my phone number:

Jk, I’d actually give them mad props if they implemented this.

Anywho, let’s get to the sign-in screen and see if they remind us about any of this.

No mention of it. But yeah, I log into Avis every day and totally remember how cool this password is…

This is the kind of pattern we’re trying to break. I don’t expect them to be UX frontrunners after that sign-up process so let’s cut them some slack. Maybe after an incorrect password, they’ll remind me what I went through to create this Frankenstein’s monster.

Perfect: no match and no help. After about 4 tries of my usual passwords and variations, I’ll reset it. What fun.

Only after resetting my password do I get the reminder that their list of criteria is longer than the list of items I bring to the DMV. My favorite is when they tell me the new password I made matches my old one. Of course it does. If you had shown me these criteria while signing in, I would have gotten the puzzle right!

Their users are bound to fail every time, especially since car-rental sign-ins are infrequent.

Security Note

Make no mistake: showing these criteria on the sign-in screen is NOT a security concern. They sit one click away behind the sign-up link, so they are already public information. An attacker knows them, and such specific criteria actually help narrow the search. If you can’t use three characters in a row, neither will the attacker’s guesses; if you are limited to 20 characters, so is every candidate they try. Each option a rule eliminates is one they never have to test, so rules like that make cracking your password faster, not slower.
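To put numbers on the point above, here is an added example (not code from the article, nor from Avis or any other service it names). It counts how many candidate passwords survive a published policy, using inclusion-exclusion over the required character classes. The alphabet (94 printable non-space ASCII characters: 26 uppercase, 26 lowercase, 10 digits, 32 symbols) and the illustrative policy (8 to 20 characters, one character from each class) are assumptions, not any service's actual rules.

```javascript
// Added example (not code from the article or from any service it names):
// how much a published password policy shrinks the space an attacker has to
// search. Assumed alphabet: the 94 printable non-space ASCII characters,
// split into 26 uppercase, 26 lowercase, 10 digits and 32 symbols. The
// illustrative policy (8-20 characters, one of each class) is assumed too;
// it is not the exact rule set of Avis or anyone else.
const CLASS_SIZES = [26n, 26n, 10n, 32n]; // upper, lower, digit, symbol
const ALPHABET = CLASS_SIZES.reduce((a, b) => a + b, 0n); // 94n

// Number of strings of exactly `len` characters drawn from `alphabet`
// symbols that contain at least one character from EVERY class listed in
// `classSizes`. Inclusion-exclusion over the subsets S of classes that are
// entirely absent: sum over S of (-1)^|S| * (alphabet - size(S))^len.
function countWithAllClasses(classSizes, len, alphabet = ALPHABET) {
  const sizes = classSizes.map((s) => BigInt(s));
  const base = BigInt(alphabet);
  let total = 0n;
  for (let mask = 0; mask < 1 << sizes.length; mask++) {
    let missing = 0n;
    let picked = 0;
    for (let i = 0; i < sizes.length; i++) {
      if (mask & (1 << i)) {
        missing += sizes[i];
        picked += 1;
      }
    }
    const term = (base - missing) ** BigInt(len);
    total += picked % 2 === 0 ? term : -term;
  }
  return total;
}

// Total number of candidates of every length from minLen to maxLen that
// satisfy the class rules (an empty classSizes means no class rules at all).
function keyspace(minLen, maxLen, classSizes = [], alphabet = ALPHABET) {
  let total = 0n;
  for (let len = minLen; len <= maxLen; len++) {
    total += classSizes.length
      ? countWithAllClasses(classSizes, len, alphabet)
      : BigInt(alphabet) ** BigInt(len);
  }
  return total;
}

const bits = (n) => Math.log2(Number(n));

// The article's two claims in numbers: composition rules trim a little,
// a length cap trims a lot.
function policyCost() {
  const any8 = keyspace(8, 8);                   // any 8 printable chars
  const rules8 = keyspace(8, 8, CLASS_SIZES);    // 8 chars, all four classes
  const capped = keyspace(8, 20, CLASS_SIZES);   // 8-20 chars, all classes
  const uncapped = keyspace(8, 64, CLASS_SIZES); // same rules, cap at 64
  return {
    fractionLeftByClassRules: Number(rules8) / Number(any8), // ~0.46
    bitsLostToClassRules: bits(any8) - bits(rules8),         // ~1.1 bits
    bitsLostToLengthCap: bits(uncapped) - bits(capped),      // ~288 bits
  };
}

console.log(policyCost());
```

Two things the output makes concrete. Requiring all four classes throws away a little over half of the 8-character strings, which costs an attacker about one bit of work, so the "must have an uppercase, a digit and a symbol" rules buy almost nothing against brute force. A cap of 20 characters, by contrast, removes every longer candidate outright; the 288-bit figure assumes uniformly random passwords, which nobody types, but it shows why a cap mostly hurts the people using passphrases or a password manager, the very users who would otherwise be hardest to crack.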

UX teams aren’t security experts and can’t say which of these requirements are really needed. Clear requirements don’t make weak ones acceptable, though: current guidance (NIST SP 800-63B, 2017) keeps a minimum length of 8 characters, drops composition rules, and checks new passwords against lists of breached ones instead. But if your business or security requirements force users to come up with something hard to remember, you can at least offer them a map to your labyrinth before they jump in.

The Lesser Offense

No mention or partial mention of password requirements on the sign-in screen.

Maybe we’re too harsh on Avis. Let’s find out how some people we put on a UX pedestal, like Airbnb, handle password requirement reminders.

They need that special character tho.

They do guide you through it, which is nice, but the ‘symbol’ (what people actually call a special character) is required, not interchangeable with a number.

However clunky, people get by just fine, I’m sure. Let’s see what kind of hints we get when we try to sign in.

Friends don’t lie.

I’m not reminded of any requirements, so I’m thinking maybe it’s one of my short ones, because these ‘design-centric gods’ would surely tell me otherwise. Nope, it’s 8 characters; that must be their only requirement, because they wouldn’t play me like that. After typing in 8 characters I get a new and more generic error message, so either they are hiding something from me or I’m an asshole who can never remember my password. Turns out it’s the former, and my memory would have kicked in if they had told me upfront. Maybe that fancy light-up list would have helped me get there:

¯\_(ツ)_/¯

The Common Offense

Tell me all your reqs, at least after I fail once.

This is what we see most of the time, and where Airbnb fell a bit short: I try an incorrect password once, and only then do I get the requirements in an error message.

Here’s your run-of-the-mill password requirements error.

The problem here is that the hint is disclosed after I fail, when it could have been a friendly reminder that helps me succeed. It does help, and I’m not offended, because most services do at least this; I just want to expect more from my services.

Make me smile 😊

Tell me the reqs before I fail.

Our runner-up is Shopify, who tells us how to succeed. Coincidentally, they also have the most lax requirements, which I don’t have a security comment on, but I find it funny that the ones who need it least are the ones who have it…

this message popped up before I hit ‘Log in.’

I smiled a tad, but this still feels like an error out of context. I wish it looked more like a hint…

So our winner is Zeplin:

Thanks for the hint Zeplin! 😃

That’s good stuff. They went the extra mile to validate my email before I even finished trying to sign-in. That means they are being proactive about making sure I succeed, not fail. I wonder how they treat failure? Bright red? A big “You suck?”

Aw, thanks for not yelling at me!

I think they like me. That’s a lot more than I can say for my other services.

Zeplin, a design-spec tool, knows it is ancillary in its users’ lives and identities. It’s just a tool they use at work, and it doesn’t store the sensitive data hackers are trying so hard to get at. Maybe that’s why their only password requirement is 6+ characters…

For your users’ sake, know your place. I have no idea why my Jimmy John’s password is 10 times more complicated than my bank password.

Me trying to get into my Jimmy John’s account.

Wrap Up

Make your requirements clear, and put them upfront as a hint. Don’t rely on your users to fail to understand what they are doing wrong.
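One way to build that hint so it can never drift from what the form enforces, the way the Avis ‘should’ and ‘must’ messages did: keep a single policy object and render both the hint and the validation from it. This is an added example, not code from the article or from any service it names; the rule ids, limits, wording and ASCII-only character classes are all assumed for illustration.

```javascript
// Added example (not code from the article or from any service it names):
// one policy object drives BOTH the hint shown to the user AND the
// validation, so the wording on the info icon can never disagree with what
// the form enforces. Rule ids, limits and messages are assumed for
// illustration; the character classes are ASCII-only.
const PASSWORD_POLICY = [
  { id: 'min-length', text: 'at least 8 characters', ok: (pw) => pw.length >= 8 },
  { id: 'max-length', text: 'no more than 64 characters', ok: (pw) => pw.length <= 64 },
  { id: 'upper', text: 'an uppercase letter', ok: (pw) => /[A-Z]/.test(pw) },
  { id: 'lower', text: 'a lowercase letter', ok: (pw) => /[a-z]/.test(pw) },
  { id: 'digit', text: 'a digit', ok: (pw) => /[0-9]/.test(pw) },
  { id: 'no-triple', text: 'no character repeated three times in a row', ok: (pw) => !/(.)\1\1/.test(pw) },
];

// The hint is rendered from the very rules that are enforced: "must", never "should".
function policyHint(policy = PASSWORD_POLICY) {
  return 'Your password must have ' + policy.map((r) => r.text).join('; ') + '.';
}

// Ids of the rules a candidate breaks (an empty array means it passes).
function failingRules(password, policy = PASSWORD_POLICY) {
  return policy.filter((r) => !r.ok(password)).map((r) => r.id);
}

// State for the sign-up or sign-in form. On sign-up a failing password blocks
// submission. On sign-in the same hint and check appear BEFORE the user
// presses the button, but the check is advisory only: older accounts may
// predate the current rules, and whether the password is right is something
// only the server can say. Nothing here depends on the email address, so the
// form reveals nothing about whether an account exists.
function formState(mode, password, policy = PASSWORD_POLICY) {
  const failures = failingRules(password, policy);
  const hint = policyHint(policy);
  if (failures.length === 0) return { hint, canSubmit: true, message: '' };
  const missing = policy.filter((r) => failures.includes(r.id)).map((r) => r.text).join('; ');
  if (mode === 'signup') return { hint, canSubmit: false, message: 'Still needed: ' + missing + '.' };
  return {
    hint,
    canSubmit: true,
    message: 'Heads up: this does not meet the current rules (' + missing + '), so it may not be the one you set.',
  };
}

// Server side: the identical check runs again before a new password is
// stored, because everything above runs in the browser and can be bypassed.
function acceptNewPassword(password, policy = PASSWORD_POLICY) {
  return failingRules(password, policy).length === 0;
}

console.log(formState('signin', 'passsword'));
```

Two practitioner notes. Keep any pre-submit feedback independent of the account: checking that an email looks like an email is fine, but telling a visitor whether that email is registered before they sign in tells an attacker the same thing. And the sign-in check is deliberately soft; if your policy ever changes, users whose passwords were set under the old rules must still be able to log in and be walked to a reset, not locked out by a client-side validator.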

Being proactive and anticipating your users’ needs earns their respect and long-term membership. That’s what this UX game is all about. No matter how small you think this nuisance is, it’s the front door of your establishment. You could hang up a sign that says GTFO and they might do just that, or you could welcome them in with open arms. And telling them to watch their step couldn’t hurt either.

Stay tuned for the next small batch of nano-brewed interactions when I tackle the UX gum-on-your-shoe that is the ‘monster navigation.’


Thanks for watching, visit me elsewhere!

Portfolio · Dribbble · Linkedin