The password reset experience

I’ve reset nine different passwords for various websites and services in the last 3 months; that’s almost one a week. Resetting passwords is becoming a regular part of my user experience. Everything requires a login and a password these days, and although I have a password system, it breaks down a lot and I have to go around the reset loop. This often turns a quick task on a website I don’t use much into a longer process. When the password-setting process takes longer than the task you wanted to achieve, it becomes the largest factor in that particular user journey, so it shouldn’t be overlooked.


Hardly any of your users follow recommended practices, so most must have some sort of password system (which I’ll look at in a later post), and forgetting which password or variation you used for a particular site must be very common.


Making a good password reset loop

Because your customers will be clicking on ‘forgot password’ quite frequently, you must provide them with a great experience while they reset their password. Let’s look at six possible customer experiences:


In the ideal situation, someone remembers their password and the journey is nice and punchy:



When email validation must be used, the best experience is also the least secure; just tell me my password:



The most common process is security-centred; let the user reset the password via an email link:



The above process, however, can involve multiple steps within the ‘reset password’ stage, and it brings on all the stress of choosing something you won’t forget again. You might even find that there is a policy preventing re-use of the password you had used once before… overall, this most common practice is a clunky and unsatisfying approach; your user might be in a funk by the time they start completing an actual worthwhile task.
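The email-link flow above is the one most sites end up building, and the reason a site cannot simply ‘tell me my password’ is that a properly built site never holds the password, only a salted hash. The following is an added example (not code from the original post or from Objective Experience) of the server side of that flow: the emailed token is random, only its hash is stored, it expires, and it can be used once. The `Accounts` class and its in-memory tables are constructed stand-ins for a real user database.

```python
"""Email-link password reset with hashed, expiring, single-use tokens (added example)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # a reset link should stop working quickly
PBKDF2_ROUNDS = 200_000


class Accounts:
    """Constructed in-memory stand-in for the users and pending-resets tables."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._passwords = {}         # email -> (salt, pbkdf2 hash)
        self._pending = {}           # email -> (sha256(token), expires_at)

    def set_password(self, email, password):
        # Only a salted hash is kept, which is why a site cannot
        # "just tell me my password": it does not have it.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._passwords[email] = (salt, digest)

    def check_password(self, email, password):
        entry = self._passwords.get(email)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)

    def request_reset(self, email):
        """Return the raw token for the emailed link; store only its hash."""
        if email not in self._passwords:
            return None   # caller shows the same "check your inbox" page either way
        token = secrets.token_urlsafe(32)
        self._pending[email] = (hashlib.sha256(token.encode()).hexdigest(),
                                self._clock() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, email, token, new_password):
        """Consume the link: succeeds only if the token is unexpired, matching and unused."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        stored, expires_at = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if self._clock() > expires_at or not hmac.compare_digest(stored, presented):
            return False
        del self._pending[email]            # single use
        self.set_password(email, new_password)
        return True
```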


The best experience is actually provided by… yourself! A user-specified security question like “Who made a great big fool of themselves with your sister at your wedding?” feels eerily like yourself talking to you from the past and is a user experience with heaps of emotional connection:


You can see that the process is contained within the host site, which is a huge improvement in the user experience.


Security questions, however, aren’t very secure; I’m not sure how many people can produce a good, secure custom security question, and canned questions like mother’s maiden name or favourite things are too easy to guess from Facebook and the like. People may also be as likely to forget the answer to a security question as to forget a password.



The best approach is to use a user-provided user experience that can prevent forgotten passwords in the first place: a password hint:



This provides an error-preventing, user-friendly approach to reduce the need for the password resetting loop. There is of course just one huge flaw: it passes the responsibility for security to the user, who is free to write completely insecure hints like “Your wife’s name followed by her birthday” or even the password itself (surely that might happen, if I know users?). I use a cryptic hint that works well for me and would be happy to use that universally, but widespread use seems unlikely.


The problem of the password (reset) barrier is of course repetitive: I perform some task on one site and then I move to another site to perform some other task. The holy grail of user authentication is of course to validate once and use that across multiple sites:



This is a big effort, and previous attempts (the earliest mover was probably Microsoft Passport) have not worked. Google Accounts can now sign you in to the Google world in one step. The most promising is the OpenID initiative, which has led to advances such as signing in to Flickr using your Google account. So far it seems OpenID is still just a single authentication that can be re-used – a big help but not yet a single sign-on – but it’s a promising start, and I encourage us all to support the effort in the hope of newer, faster technology gradually developing.


Keep the context

There is one more special case that needs extra attention. Sometimes it is best not to ask for user authentication until they have already got some way into the task; maybe they have entered some text in a field, filled out a form, written a comment, etc. In this case the site is usually pretty good at keeping the context after a successful login, but sometimes sites drop the ball if the user enters the password reset loop (because it has been treated as an isolated function), and the context is lost. If you can keep some of the task-specific screen elements around the reset workflow, that’s ideal.


So let’s summarise the vital take-home points:

  • Assume people are imperfect and have loads of logins and will probably forget yours once in a while (or every time)
  • Make your password reset loop as short as possible; consider it as an important part of your customer experience
  • Use user-provided personalisation if you can (and if it’s got a reasonable chance of being secure)
  • Retain the context of what the user is doing all the way through the reset experience

The problem of the password reset experience is likely to remain a problem for some time; good experiences will be insecure and secure experiences will be unsatisfying until a universal validation technology is available. Until then, people will continue with unsafe practices across multiple sites while websites continue with secure, but insular, processes.


Read Part 2 – How do we remember passwords?


Jonathan Duhig is a usability consultant at Objective Digital

This entry was posted in Uncategorized by Objective Experience.


11 thoughts on “The password reset experience”

  1. Don’t forget BrowserID (created by Mozilla); I implemented it recently on an app I’m working on. I was done in a couple of hours, and I don’t have to do anything about password handling, email verification or that sort of crap. The account creation process is innocuous enough that it should not throw anybody off, although the password reset uses the email link kind… Also fewer privacy issues than, say, using your Facebook or Google login. Check my blog for a writeup if you’re interested.

  2. It happens because people lead very busy lives these days and usually become forgetful with these things. Thus by hiring an experienced and professional locksmith you are able to assure that your business is secured and safe, which enables you to run your business efficiently. Moreover, he designs and creates a unique master key for establishments or companies like banks, jewelry shops and malls for safety from unauthorized personnel.
