I’ve reset nine different passwords for various websites and services in the last 3 months; that’s almost one a week. Resetting passwords is starting to be a regular part of my user experience. Everything requires a login and a password these days and although I have a password system, it breaks down a lot and I have to go around the reset loop. This often makes a quick task on a website I don’t use much a longer process. When the password setting process takes longer than the task you wanted to achieve it becomes the largest factor in that particular user journey; so it shouldn’t be overlooked.
Hardly any of your users follow recommended practices, so most must have some sort of password system (which I’ll look at in a later post) and forgetting which password or variation you used for a particular site must be very common.
Making a good password reset loop
Because your customers will be clicking on ‘forgot password’ quite frequently, you must provide them with a great experience while they reset their password. Let’s look at six possible customer experiences:
In the ideal situation, someone remembers their password and the journey is nice and punchy:
When email validation must be used, the best experience is also the least secure; just tell me my password:
The most common process is security-centred; let the user reset the password via an email link:
The above process however can have multiple steps during the ‘reset password’ step, and it precipitates all the stress of choosing something you won’t forget again. You might even find that there is a policy preventing re-use of the password you had used one time before… overall this most common practice is a clunky and unsatisfying approach; your user might be in a funk by the time they start completing an actual worthwhile task.
The best experience is actually provided by… yourself! A user-specified security question like “Who made a great big fool of themselves with your sister at your wedding?” feels eerily like yourself talking to you from the past and is a user experience with heaps of emotional connection:
You can see that the process is contained within the host site which is a huge improvement in the user experience.
Security questions, however, aren’t very secure; I’m not sure how many people can produce a good, secure custom security question, and canned questions like mother’s-maiden-name or favourite things are too easy to guess from Facebook and the like. People may also be as likely to forget the answer to a security question as to forget a password.
The best approach is to use a user-provided user experience that can prevent forgotten passwords in the first place; a password hint:
This provides an error-preventing, user-friendly approach to reduce the need for the password resetting loop. There is of course just one huge flaw; it passes the responsibility for security to the user, who is free to write completely insecure hints like “Your wife’s name followed by her birthday” or even the password itself (surely that might happen, if I know users?). I use a cryptic hint that works well for me and would be happy to use that universally; but widespread use seems unlikely.
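One way a site can catch the worst hints at the point they are entered, as an added example rather than code from the original post: reject a hint that contains the password (or is contained in it), or that shares a run of four or more characters with it. The length limits are assumptions, and a hint like “Your wife’s name followed by her birthday” still passes, because no check can know what an acquaintance of the user already knows.

```python
from difflib import SequenceMatcher

MIN_HINT_LEN = 3    # assumption: anything shorter is not a usable hint
MAX_SHARED_RUN = 3  # assumption: longest substring a hint may share with the password


def hint_is_acceptable(hint, password):
    """Return True if the hint does not give away the password outright.

    Comparison is case-insensitive with whitespace collapsed, so a hint like
    "  ReX2003 " is still recognised as the password itself.
    """
    h = " ".join(hint.lower().split())
    p = password.lower()
    if len(h) < MIN_HINT_LEN:
        return False
    # The hint spells out the password, or is a leading/trailing chunk of it.
    if p in h or h in p:
        return False
    # A long shared substring ("starts with rex20") leaks most of the password.
    match = SequenceMatcher(None, h, p).find_longest_match(0, len(h), 0, len(p))
    return match.size <= MAX_SHARED_RUN
```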
The problem of the password (reset) barrier is of course repetitive: I perform some task on one site and then I move to another site to perform some other task. The holy grail of user authentication is of course to validate once and use that across multiple sites:
This is a big effort and previous attempts (the earliest mover was probably Microsoft Passport) have not worked. Google Accounts can now sign you in to the Google world in one step. The most promising is the OpenID initiative, which has led to advances such as signing in to Flickr using your Google account. So far it seems OpenID is still just a single authentication which can be re-used – a big help but not yet a single sign-on – but it’s a promising start and I encourage us all to support the effort in the hope of newer, faster technology gradually developing.
Keep the context
There is one more special case that needs extra attention: sometimes it is best not to ask for user authentication until the user has already got some way into the task; maybe they have entered some text in a field, filled out a form, written a comment etc. In this case the site is usually pretty good at keeping the context after a successful login; but sometimes sites drop the ball if the user enters the password reset loop (because it has been considered as an isolated function), and the context can be lost. If you can keep some of the task-specific screen elements around the reset workflow, that’s ideal.
So let’s summarise the vital take-home points:
- Assume people are imperfect and have loads of logins and will probably forget yours once in a while (or every time)
- Make your password reset loop as short as possible; consider it as an important part of your customer experience
- Use user-provided personalisation if you can (and if it’s got a reasonable chance of being secure)
- Retain the context of what the user is doing all the way through the reset experience
The problem of the password reset experience is likely to be a problem for some time; good experiences will be insecure and secure experiences will be unsatisfying until a universal validation technology is available. Until then people will continue with unsafe practices across multiple sites while websites continue with secure, but insular, processes.