ux of passwords | refresh seattle | claire carlson

UX of Passwords

Upload: thenextux

Post on 21-Apr-2017


TRANSCRIPT

UX of Passwords

I’m Claire from Blink.

Venmo

1. Current password UX

2. How it can be improved

3. The future of passwords

What if your identity was stolen?

Let me tell you about Steve.

1. Freeze bank accounts

2. Open new accounts

3. Set fraud alert on SS#

4. Repayment pending an investigation

5. Reset auto-withdrawal accounts

What have we heard makes passwords secure?

8+ characters 1+ numbers 1+ symbols

Camp 1   Camp 2  

A really, really long string

Why two camps? My Hypothesis:  

Camp 1   Camp 2  

Humans are not good at being random.

Most Common Passwords:

1. 123456 (Unchanged from 2013)
2. password (Unchanged)
3. 12345 (Up 17)
4. 12345678 (Down 1)
5. qwerty (Down 1)
6. 1234567890 (Unchanged)
7. 1234 (Up 9)
8. baseball (New)
9. dragon (New)
10. football (New)
11. 1234567 (Down 4)
12. monkey (Up 5)
13. letmein (Up 1)
14. abc123 (Down 9)
15. 111111 (Down 8)
16. mustang (New)
17. access (New)
18. shadow (Unchanged)
19. master (New)
20. michael (New)
21. superman (New)
22. 696969 (New)
23. 123123 (Down 12)
24. batman (New)
25. trustno1 (Down 1)

http://www.splashdata.com/

Do people feel secure online?

300 People   4 Questions  Across the U.S.  

I asked…

Knowledge of Hacks

Password Habits

Reasons for Changing Passwords

So what?

Passwords are broken!

We are responsible for a better password UX.

Ideas for improving current password UX.

Poor Security & Good UX

Good Security & Poor UX

1. Make security a priority.

2. Make “Change Password” prominent.

Changing iCloud Password

1Password Dashlane

3. Remind users to change their password every 6 months.

4. Provide 2-step verification.

“Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened.”

- Mat Honan, WIRED

“The very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.”

- Mat Honan, WIRED

Digits

Google Security Key

5. Incentivize good security habits.

6. Advise users to create long strings, not random strings.

http://xkcd.com/936/

7. Show requirements all the time.

8. Show password characters.

“If people attempt to recover a password while checking out on an e-commerce site, 75% won’t complete their purchase.”

– Jared Spool

“Masking passwords doesn't even increase security, but it does cost you business due to login failures.”

– Nielsen Norman Group

http://uxmovement.com/forms/why-password-masking-can-hurt-your-sign-up-form/

http://www.lukew.com/ff/entry.asp?1941

9. Timeout after five failed login attempts.

10. Ask security questions when a user calls customer service and when a user logs in from a new device or network.

What does the future of passwords look like?

Nobody is hack-proof.

Don’t let this happen to your users.

Where do you see authentication heading?

Thank you! @TheNextUX