DEV Community

Discussion on: What does it take to create a strong password?

Phippsy

Beautiful user interface. Horrible user experience. I can already hear my wife screaming at the screen!

The strong password rules being used come from a document written back in 2003 by Bill Burr, who wasn't even a security expert. Over time, those rules have come to be the cause of some really bad password practices.

As a designer, you want to improve the user experience while still getting strong passwords.

If you must use passwords, maybe try displaying a random passphrase of nonsensical words to the user as a password suggestion rather than forcing their password to comply with all the character rules.

Here's an example I just got from a random word generator.

we lump expect inch provide

(I swear these are random words! Sorry it sounds naughty, but the plus side is it actually makes it easier to remember)

The arguments for this being a suitable alternative for passwords that contain special characters / hieroglyphs / gang signs break down after about 4 words. (search "random words versus random characters for passwords" for more insight on this)

Of course, enforcing the 4+ word requirement would also introduce friction, but could make for a better user experience than the character level rules. Split testing would give you some idea.

One last thing to consider. Do your accounts actually have a need for super strong passwords? What bad things could happen if a user's account was compromised? If the consequences of a weak password are low, and removing the password check removes friction, I'd ditch strong password requirements immediately - particularly if you're making a sale on the other side of the user registration.

I personally prefer another approach - the magic link - because it removes the need for a user to come up with a suitably strong password altogether. However, it does introduce the friction of having to go to your email client to log in.
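The random-passphrase suggestion the comment above proposes, as an added example (this is not code from the comment, from DEV, or from any password generator the comment mentions): it draws words with the OS CSPRNG, computes the entropy of a passphrase versus a random-character password, and reports how many words a given list size needs to match a character policy. The word list is a constructed 32-word sample; the 7,776-word list size (the EFF long list) and the 94-symbol printable-ASCII alphabet are assumptions used for the comparison, not figures from the comment.

```python
import math
import secrets

# Constructed sample list for the demo. A real deployment would use a large
# published list; the EFF long list (7,776 words) is assumed for the numbers
# below, which the comment above does not itself state.
SAMPLE_WORDS = [
    "apple", "bridge", "cactus", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nectar", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "anchor", "basket", "candle", "dagger", "engine", "fabric",
]  # 32 words -> log2(32) = 5 bits per word

EFF_LONG_LIST_SIZE = 7776   # assumed size of a real Diceware-style list
PRINTABLE_ASCII = 94        # symbols available under a "letters+digits+specials" policy


def suggest_passphrase(words, count=4):
    """Draw `count` words uniformly, with replacement, using the OS CSPRNG.

    secrets.choice is used instead of random.choice: a suggestion produced by
    a non-cryptographic PRNG can be reproduced by anyone who learns the seed
    or generator state, which would make the suggested passphrases guessable.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    if not words or any(" " in w for w in words):
        raise ValueError("word list must be non-empty and contain no spaces")
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(symbol_count, length):
    """Entropy, in bits, of `length` symbols drawn uniformly from `symbol_count`."""
    return length * math.log2(symbol_count)


def words_needed(word_list_size, target_bits):
    """Smallest word count whose passphrase entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(word_list_size))


def is_valid_passphrase(phrase, words, count):
    """Server-side check that a submitted suggestion was kept intact:
    exactly `count` words, every one from the list."""
    parts = phrase.split(" ")
    allowed = set(words)
    return len(parts) == count and all(p in allowed for p in parts)


if __name__ == "__main__":
    print("suggestion:", suggest_passphrase(SAMPLE_WORDS, 4))
    print("4 words from a 7,776-word list:",
          round(entropy_bits(EFF_LONG_LIST_SIZE, 4), 1), "bits")
    print("8 random printable ASCII characters:",
          round(entropy_bits(PRINTABLE_ASCII, 8), 1), "bits")
    print("words needed to match those 8 characters:",
          words_needed(EFF_LONG_LIST_SIZE, entropy_bits(PRINTABLE_ASCII, 8)))
```

Two points the numbers make: four words from a 7,776-word list give about 51.7 bits, roughly the same as eight uniformly random printable characters (about 52.4 bits), so five words are needed to clear that bar; and the entropy comes from the size of the list and the number of draws, not from the words looking unusual, so a short list like the 32-word sample here only yields 5 bits per word. The validity check matters if the server accepts the suggestion as the password: it confirms the user did not trim it to fewer words than the policy requires.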