Creating passwords can be a stressful experience. Go too familiar (CHILDNAME) and you lose effectiveness; go too obscure (admiralalonzoghostpenis420YOLO) and you're likely to forget it.

As Edward Snowden recently told John Oliver, "For someone who has a common eight-character password, it can literally take less than a second for the computer to go through the possibilities and pull that password out."

Snowden recommends concocting memorable non sequitur phrases like "margaretthatcheris100%sexy." Whatever your strategy, you want to make sure the password you enter—one generally obscured by black dots—is exactly what you intend it to be. This leads us to a frustrating bit of wtfUX sent our way by Indrani Stangl:

"When I create a new account on a website, I rely on entering the password twice. This is a nice feature in case you are like me, a total spaz. I rarely type it correctly both times and need that safety net to make sure I can log in."

password wtfUX

"Now the trend seems to be 'enter a password,' and once you do, you are logged in. Bad typists, beware. I am all for shortcuts, but this is a dumb one."

Keep these coming. Send them to us via Twitter or Facebook using the hashtag #wtfUX, or email them to wtfux@uxmag.com with "#wtfUX" in the subject line. Include as much context as you can so we get a full understanding of what the f%*k went wrong.

Article No. 1 423 | April 9, 2015

Comments

I am all for shortcuts, but this is a dumb one.

Couldn't disagree more.

I've seen the onboarding uplift first hand in both SaaS and ecommerce products, where we've A/B tested single entry password fields against double password inputs. Single entry wins out every time. Hallway testing has shown users presented with a single password field take more care on entry, and on the rare occasions where the user did not enter the password they intended to, we have customised the forgotten password experience for first time login attempts to catch this error. Rather than password, we focus on making sure we get the email entered correctly ... interestingly though, we have found autocomplete suggestions in the email field result in more errors on average.

"Phrase" passwords, even "Random Word" passwords, are known to be insecure. Using "leet" is also insecure. Random insertion of a character is ALSO insecure. Dictionary attacks are painfully strong, and at a time when you really need to be using 14-character random alpha-numeric-symbol passwords due to how quickly passwords can be cracked from hashes, using 28-character "phrase" passwords with simple forms

(margaret)(thatcher)(is)(100%)(sexy)

"thatcher" is often next to "margaret" (famous person). "is" is a common word that follows a noun. "100%" is a common adverb, and "sexy" is something often associated with women.

Random Word passwords rely on security through obscurity, which is always a horrible idea. While there are some several hundred thousand words in the English language or whatnot, you can reduce that down to, say, the top 4096 most used words and the top 4096 least used words. You would have a ~8-character password for 4 words and a ~11-character password for 5 words. With phrases like you used, this goes down rapidly. This is for xkcd's "Correct Horse Battery Staple". It's really an 8-character password in terms of password strength. AKA dead weak.
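The word-list arithmetic in the comment above, worked through as an added example (this is not code from the article or from any commenter). It assumes words are drawn uniformly at random from a list and characters uniformly from an alphabet, which is the idealised case; a phrase-shaped passphrase chosen by a person is not uniform and has less entropy than these figures. It goes slightly beyond the comment by taking any list size and word count, and the function names are ours.

```javascript
// Added example: compare the search space of a random passphrase with that of
// a random character password, in bits of entropy and in "equivalent random
// characters", the way the comment above reasons about it.
//
// Assumptions (ours, not the page's): words are chosen uniformly from a list of
// `listSize` words; characters uniformly from an alphabet of `alphabetSize`.

const PRINTABLE_ASCII = 95; // space through '~': the usual "alpha-numeric-symbol" alphabet

// Bits of entropy for `count` independent uniform choices from a set of `setSize`.
function bitsOfEntropy(setSize, count) {
  if (!(setSize > 1) || !(count > 0)) {
    throw new RangeError('setSize must exceed 1 and count must be positive');
  }
  return count * Math.log2(setSize);
}

// How many uniformly random characters from `alphabetSize` carry the same
// entropy as `bits`; rounded to one decimal for readability.
function equivalentRandomChars(bits, alphabetSize = PRINTABLE_ASCII) {
  return Math.round((bits / Math.log2(alphabetSize)) * 10) / 10;
}

// Summarise a passphrase scheme: list size and word count -> bits and equivalent length.
function passphraseStrength(listSize, wordCount, alphabetSize = PRINTABLE_ASCII) {
  const bits = bitsOfEntropy(listSize, wordCount);
  return {
    listSize,
    wordCount,
    bits: Math.round(bits * 10) / 10,
    equivalentChars: equivalentRandomChars(bits, alphabetSize),
  };
}

// The comment's numbers: 4096 common words + 4096 rare words = 8192 candidates.
const fourWords = passphraseStrength(8192, 4); // 52 bits, about 7.9 random chars
const fiveWords = passphraseStrength(8192, 5); // 65 bits, about 9.9 random chars
// The xkcd "correct horse battery staple" scheme: 4 words from a 2048-word list.
const xkcd = passphraseStrength(2048, 4); // 44 bits, about 6.7 random chars
// Versus the 14-character random printable-ASCII password the comment recommends.
const random14 = bitsOfEntropy(PRINTABLE_ASCII, 14); // about 92 bits

for (const s of [fourWords, fiveWords, xkcd]) {
  console.log(`${s.wordCount} words from ${s.listSize}: ${s.bits} bits, about ${s.equivalentChars} random chars`);
}
console.log(`14 random printable chars: ${random14.toFixed(1)} bits`);
```

The point the numbers make is the one the comment makes: entropy comes from the size of the list and the number of independent draws, not from the character length of the result, so a 28-character phrase built from four dictionary words is worth roughly eight random characters, and a sentence-like phrase is worth less still.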

Josh,

If you write an article about UX and show examples from others, please, before you post it, recheck that your source is completely right.

Because the example you gave from the Wix website is totally wrong. Check the link to understand what I mean: http://prntscr.com/8eql8i

"Apparently, now the trend seems to be 'to post articles,' and once you do, you are a writer. Bad article, beware. I am all for UX articles, but this is a dumb one".

Thanks

A button to show the password as letters and not dots would solve this for absolute spazzes too.

WTF UX Magazine.

Here I find a really poor article, with the only justification being a person talking about her own experience. It doesn't look like UX to me.

The single password field is the new trend because it tremendously increases the conversion rate and reduces the user's pain in subscribing to a new service, especially in our mobile age. As previously said in the comments, some design patterns can reduce the error rate, letting the user choose to show/hide his password.

Bad typists exist and always will, and so do the good typists, who are significantly more numerous and embrace the simplest flow to subscribe.

Here is a proper article demonstrating the benefits AND one of the possible solutions for designing a single password field form: http://www.formisimo.com/blog/case-study-small-changes-lead-to-a-55-increase-in-conversions/

@6rlschmitt

I would actually agree with Jasonk.

Why bother with passwords anyway if you could use one-time email login + "remember me" for an indefinite time?

Don't agree with this one.

Why should we make the life of the 99% more difficult because the 1% might spell it wrong?

The 1% can use the "reset password" feature and they will be 1 email away from fixing it. The other 99% can keep living their lives with ease.

PS: The percentages were used to illustrate the idea. I have no idea of how many people would mistype.

The best option is to enable a show/hide password toggle. See http://uxmovement.com/forms/why-the-confirm-password-field-must-die
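A show/hide toggle of the kind this and earlier comments recommend, written here as an added example rather than taken from the article, the linked post or any commenter. The state change is a pure function so it can be exercised without a browser; the DOM wiring at the bottom runs only when a `document` exists. The element ids `password` and `toggle-password` and the function names are assumptions made for this example.

```javascript
// Added example: reveal/mask toggle for a single password field.
// Assumed markup (not from the page):
//   <input id="password" type="password">
//   <button id="toggle-password" type="button"></button>

// Flip a field between masked and clear text and return the new mode.
// Works on a real <input> or on any object with a `type` property.
function togglePasswordVisibility(field) {
  field.type = field.type === 'password' ? 'text' : 'password';
  return field.type;
}

// Wire the toggle to a button, keeping the button label and its aria-pressed
// state in sync so assistive technology announces whether the password is shown.
function attachToggle(field, button) {
  const render = () => {
    const shown = field.type === 'text';
    button.textContent = shown ? 'Hide password' : 'Show password';
    button.setAttribute('aria-pressed', String(shown));
  };
  button.addEventListener('click', () => {
    togglePasswordVisibility(field);
    render();
  });
  // Re-mask when the field loses focus, so a revealed password is not left on
  // screen after the user moves on (relevant on shared or public devices).
  field.addEventListener('blur', () => {
    if (field.type === 'text') {
      togglePasswordVisibility(field);
      render();
    }
  });
  render();
}

// Browser-only wiring; skipped when run outside a page (e.g. under Node).
if (typeof document !== 'undefined') {
  const field = document.getElementById('password');
  const button = document.getElementById('toggle-password');
  if (field && button) attachToggle(field, button);
}
```

The button is `type="button"` so that clicking it never submits the form, and the toggle is purely client-side: the field's value is unchanged either way, so switching the input type does not affect what the server receives. Re-masking on blur is a design choice in this example, not something the comment asks for.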

If you have an automated password reset, there is zero reason to make them enter it twice. They'll just use the password reset if they can't remember what they actually typed.

Typing long passwords multiple times on mobile devices is really difficult.

If the goal is to rely on email reset, they could eliminate the password altogether and use the reset email for every single login.

Eliminating the password field and using e-mail reset on every login is actually a really simple yet strong 2-factor authentication method. Unfortunately, not everyone likes this procedure. A lot of users prefer the ease of a password over switching between apps to get the code from their e-mail, although generating new passwords on every login is way more secure...