The sign up page is often the only education users get about passwords.
Ask any user what they think makes for a strong password, and you’ll find the response sounds like they’re reading off a list of password requirements.
Password requirements on sign up pages have spent years teaching users to make “strong” passwords when they should have been teaching about disposable passwords.
What Is A Disposable Password?
A disposable password is a password you use once per service.
This means giving every account its own unique password.
- Twitter – VxWv+M<BCPF2
- Facebook – 8mMBLF2VobdE
- Gmail – moon200fructose-data
None of the passwords above is the same as another, and none will ever be used again; that is what makes them disposable.
Passwords need to be treated like condoms. They’re for your protection and should only be used once per service.
Why Do We Have Password Requirements?
Password requirements keep users from making weak passwords.
A weak password is often a single word or short password that is easy to guess. Password requirements also keep people from using predictable passwords like 12345 or qwerty.
While password requirements help users make strong passwords, they completely miss the most important part of making a password – it being disposable.
Disposable vs. Strong
Telling a user to make a strong password doesn’t relay what really matters; the password should never be reused, aka disposable.
Complex password requirements give users a false sense of security. The more complex the requirements, the stronger they assume the password is. If the password is strong, then why not reuse it? After all, it’s strong, and who wants to remember too many passwords? Or their stronger password is just a revision of the one password they use for everything else.
What users don’t realize is that a password is no longer strong if it’s reused or similar to your other passwords. It takes only one website to leak that password for it to then be used to steal the other accounts that used the same or a similar password.
The negatives of password reuse are not conveyed on sign up pages; only complexity is understood subconsciously, because that is what password requirements teach.
To be the most effective and stop bad password habits, we need to subconsciously get the user to use disposable passwords, just like password requirements get them to use strong passwords.
How To Get Users To Use Disposable Passwords?
Generating the password for users is how you get them to treat passwords as being disposable.
Before you freak out, read why websites should generate passwords for users here.
Instead of password requirements, which require too much thought and stress, you inform the user what to do.
“Please write down this password, store it in your browser, or keep it in a password manager.”
Password requirements are the equivalent of asking someone to solve a math problem on the spot (548 * 34), where generating the password for the user is giving them the answer (548 * 34 = 18,632).
Most people don’t know about password managers, and the obvious answer of writing the password down has never crossed their minds. What is obvious to some may not be so obvious to others. These things are not obvious because no one, not even sign up pages, is talking about them.
Even if you don’t tell the user how to store the password, the very act of generating the password gets them asking the question of where or how to store a password for safekeeping. And if the user doesn’t care, they can use the password reset feature, and thus you have magic links.
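As an added example (not code from the original post), here is one way a sign up page could generate the user’s password server-side, in both styles shown earlier: a random-character password like the Twitter and Facebook examples, and a word-based one like the Gmail example. The word list and the “12 characters, three of four character classes” rule are constructed assumptions standing in for a real word list and a real site’s requirements; the entropy helper shows why a generated password can be both strong and disposable without the user thinking about it.

```python
import math
import secrets
import string

# Constructed word list for the example only. A real deployment would use a
# large, audited list (thousands of words) so each word adds ~13 bits of entropy.
WORDS = ["moon", "fructose", "data", "river", "copper", "violin", "orbit",
         "maple", "glacier", "pixel", "lantern", "cactus", "harbor",
         "meadow", "quartz", "tundra"]

# Character set for random-character passwords: letters, digits and a few
# symbols that survive copy/paste and URL encoding (constructed choice).
CHARSET = string.ascii_letters + string.digits + "+<-"


def meets_requirements(pw, min_length=12):
    """Typical sign up rule (assumed): minimum length plus three of four
    character classes (lower, upper, digit, symbol)."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_length and sum(classes) >= 3


def random_password(length=12, min_length=12):
    """Random-character password in the style of 'VxWv+M<BCPF2'.

    Uses the secrets module (CSPRNG), never random.choice. Rejection sampling
    keeps the output uniform over the set of passwords that pass the rule."""
    if length < min_length:
        raise ValueError("generated passwords should be at least %d chars" % min_length)
    while True:
        pw = "".join(secrets.choice(CHARSET) for _ in range(length))
        if meets_requirements(pw, min_length):
            return pw


def passphrase(words=3, separator="-", word_list=WORDS):
    """Word-based password in the style of 'moon200fructose-data'.

    A random number (0-999) is appended to the first word so the result also
    passes 'must contain a digit' rules; the separator supplies the symbol."""
    chosen = [secrets.choice(word_list) for _ in range(words)]
    chosen[0] += str(secrets.randbelow(1000))
    return separator.join(chosen)


def entropy_bits(choices, draws):
    """Entropy of a secret built from `draws` independent uniform picks out of
    `choices` options: draws * log2(choices)."""
    return draws * math.log2(choices)


def sign_up_response(pw):
    """What the page would show instead of a requirements list."""
    return ("Your password is: %s\n"
            "Please write down this password, store it in your browser, "
            "or keep it in a password manager." % pw)


if __name__ == "__main__":
    pw = random_password()
    print(sign_up_response(pw))
    print("random-character entropy: %.1f bits" % entropy_bits(len(CHARSET), 12))
    print("passphrase:", passphrase())
    print("toy passphrase entropy: %.1f bits (3 words of 16 + a 3-digit number)"
          % (entropy_bits(len(WORDS), 3) + math.log2(1000)))
```

The two generators illustrate the trade-off: twelve random characters from a 65-symbol set give about 72 bits, far beyond any leaked-password list, while the toy word list gives only about 22 bits and exists to show the shape of the approach, not a safe size. Either way the user never has to invent anything, which is the point of the section above.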
Passwords Need To Be Stored, Not Remembered
The average user has 100 passwords; that is, 100 different passwords following 100 different sets of password requirements. It’s no wonder people hate passwords.
The problem is not the password but how we teach users to store passwords. It’s okay to write down your password. It’s okay to keep your passwords in a password manager.
Generating the password for users will get them in the mindset that passwords need to be stored, just like how phone numbers and credit card numbers are stored.
When Do Password Requirements Become Too Complicated?
As password requirements get more complicated, at what point will it be easier to generate the user’s password for them?
A decade ago, an 8-character minimum password was normal, but now we see 10-, 12-, or even 15-character minimum passwords.
Combine that with websites making requirements that look like this…
You can’t help but wonder whether it would instead be easier to generate the password for the user.
As far as I can see, it’s not a matter of “IF” we’ll generate passwords for users, but a matter of “WHEN” as password requirements get crazier every year.