A better password input field
Complexity requirements are useless
First of all, let’s have a look at some statistics:
- 77% of passwords containing a single digit append it to the end of their password. 10% of the time, it will be a “1”.
- 35% of passwords requiring a capital letter will capitalize the first letter.
- 89% of 7-character long alpha strings can be targeted by either capitalizing the first character or capitalizing the whole string.
- 61% of passwords are the exact length of the minimum length set in the password policy.
- Common substitutions (a = @, i = !, s = $) are baked into password cracking rule-sets.
Creating a strong password
- Think “passphrase” intead of “password”. Five random words separated by special characters is hard for computers but still easy to remember.
- Avoid “password walking”, password with adjacent keyboard characters (e.g. “qwerty”, “asdfghjkl”, “zxcvbnm1234”)
- At the very least, your e-mail password should be extremely strong and unique.
- Ideally, you should be using a different password for every website. Find creative ways to include the name of the website.
- Best of all, use a password manager. We are big fans of Bitwarden.
- SMS-based two-factor authentication (2FA) is better than nothing but is vastly inferior to other forms of 2FA and MFA.
- Use a hardware key. Solokeys are amazing. You plug it to your computer and your browser will ask you to press the button to log in.
How can we create a good user experience and enforce strong passwords?
- Don’t Enforce complexity. As we saw earlier, complexity requirements don’t increase password strengh. They only reduce the user experience.
- Don’t make passwords expire. Password expiration has a negative impact on usability. Users change their passwords in predictable patterns (password1 -> password2 -> password3). Only require a password change if it has been compromised.
- Don’t block copy/paste. Some products prevent users from pasting passwords. They want to force their users to type their password regularly so they don’t forget it. But it comes at a significant cost. They can’t use their password manager, the most secure option by far.
Odds are that you will annoy your users more than you will help them.
- Do respect semantics and standard practices. Name your field “password”, not “user_password” or “app_pwd”.
- Do check user passwords against a list of common or compromised passwords.
- Do enforce 2FA on sign up.
- Do provide the “Remember me” option.
- Do reduce sessions’ lifespan. But renew it with each session. Users will be logged out if they don’t use the app within x days.