Password recovery

The Design Need:

Users register on a website and create a login and password. It is likely that users will forget the password and/or login at some point. You should cater for password recovery so that they can log in again.

Best Practice Solution:

The best solution for password security is a password that is not too complex to remember. A high-security password that is written on a post-it sticking to a monitor is less secure than an easy-to-remember password. But even easy-to-remember passwords are often forgotten.

The best way of offering password recovery is by sending an e-mail containing the password. For websites with a high security level it is best to send an e-mail with a temporary password.

Dos and don’ts
First of all: do not go overboard on security. Not all websites need a high-security password, so choose the level that suits the application. A home bank application needs a much higher security level than a login for an online forum. Start by looking at the risks involved and the chance that others will go to the trouble of cracking a password, before deciding on the security level that is needed. Read more about how to merge usability and security in the best practice for usable security.

After you have established the security level, some dos and don’ts when designing password recovery systems are as follows:

• When asking users to select a password, allow them to choose their own
• If possible do not make passwords case-sensitive unless it is necessary for your security level
• Let users know if they make errors in their login, password or both. This will help them to remember which combination they used.
• Allow users to identify themselves with information other than a username or e-mail address. You could also ask for their phone number, client number, etc. depending of course on the situation. This will help to identify whether they have an account
• If possible, provide a way for users to recover their password if they do not have access to their email address. Users might have changed their e-mail address over time or might not be able to reach their work-e-mail when they are at home. If users are able to identify themselves via their username or other items (see previous point) allow the user to reset the password online or ask where to send the login and password for recovery
• Provide a “register” link when users have entered the wrong login information. The user might not have an account after all and might want to register
• Try to avoid using “challenge questions” (security questions). If you have to use them:
  • Let users choose from a set of common questions
  • Let users enter their own answers
  • Do not make answers case-sensitive; this makes two things to remember.

When to use:

When users have created or might have created an account and have forgotten their password.

Why To use this Best Practice:

A typical internet user has multiple logins and passwords and has created many accounts over the years. They easily forget which login and password set they used when and where. They also often do not know whether they have already created an account. Helping your visitors to recover their login and/or password helps to keep them on your site.

More info elsewhere:

• 8 More Design Mistakes with Account Sign-in on www.uie.com
• Cracking password usability on www.humanfactors.com
• E-commerce User Experience report by Nielsen Norman Group (book)

• Categorized as Best Practices