1. UX of Passwords

2. I’m Claire
from Blink.

3. Venmo

4. 1. Current password UX
2. How it can be improved
3. The future of passwords

10. What if your identity
was stolen?

11. Let me tell
you about
Steve.

12. 1. Freeze bank accounts
2. Open new accounts
3. Set fraud alert on SS#
4. Repayment pending an investigation
5. Reset auto-withdrawal accounts

13. What have we heard
makes passwords secure?

14. 8+ characters
1+ numbers
1+ symbols
Camp 1
Camp 2
A really, really
long string

15. Why two camps?
My Hypothesis:
Camp 1
Camp 2

16. Humans are not good
at being random.

17. 1
123456
(Unchanged
from
2013)
2
password
(Unchanged)
3
12345
(Up
17)
4
12345678
(Down
1)
5
qwerty
(Down
1)
6
1234567890
(Unchanged)
7
1234
(Up
9)
8
baseball
(New)
9
dragon
(New)
10
football
(New)
11
1234567
(Down
4)
12
monkey
(Up
5)
13 letmein
(Up
1)
14
abc123
(Down
9)
15
111111
(Down
8)
16
mustang
(New)
17
access
(New)
18
shadow
(Unchanged)
19
master
(New)
20
michael
(New)
21
superman
(New)
22
696969
(New)
23
123123
(Down
12)
24
batman
(New)
25
trustno1
(Down
1)
Most Common Passwords:
hGp://www.splashdata.com/

18. Do people feel secure
online?

19. 300 People
4 Questions
Across the U.S.
I asked…

20. Knowledge of Hacks

21. Password Habits

22. Reasons for Changing Passwords

23. So what?

24. Passwords are
broken!

25. We are responsible for
a better password UX.

26. Ideas for improving
current password UX.

27. Poor
Security
&
Good
UX
Good
Security
&
Poor
UX

28. 1. Make
security a
priority.

30. 2. Make
“Change
Password”
prominent.

31. Changing iCloud Password

32. 1Password
Dashlane

33. 3. Remind
users to
change their
password
every 6
months.

34. 4. Provide
2-step
verification.

35. “GeQng
into
Amazon
let
my
hackers
get
into
my
Apple
ID
account,
which
helped
them
get
into
Gmail,
which
gave
them
access
to
TwiGer.
Had
I
used
two-­‐factor
authenZcaZon
for
my
Google
account
,
it’s
possible
that
none
of
this
would
have
happened.”
-­‐
MaG
Honan,
WIRED

36. “he
very
four
digits
that
Amazon
considers
unimportant
enough
to
display
in
the
clear
on
the
web
are
precisely
the
same
ones
that
Apple
considers
secure
enough
to
perform
idenZty
verificaZon.”
-­‐
MaG
Honan,
WIRED

37. Digits

38. Google
Security Key

39. 5. Incentivize good
security habits.

40. 6. Advise users to
create long strings,
not random strings.

41. hGp://xkcd.com/936/

42. hGp://xkcd.com/936/

44. 7. Show requirements
all the time.

47. 8. Show password
characters.

48. “If people attempt to
recover a password
while checking out on a
e-commerce site, 75%
won’t complete their
purchase.”
–
Jared
Spool

49. “Masking passwords
doesn't even increase
security, but it does cost
you business due to
login failures.”
–
Nielsen
Norman
Group

50. hGp://uxmovement.com/forms/why-­‐password-­‐masking-­‐can-­‐hurt-­‐your-­‐sign-­‐up-­‐form/

51. hGp://www.lukew.com/ff/entry.asp?1941

52. 9. Timeout after five failed
login attempts.

53. 10. Ask security questions
when a user calls customer
service and when a user logs
in from a new device or
network.

55. What does the future of
passwords look like?

63. Nobody is
hack-proof.

64. Don’t let
this happen
to your
users.

65. Where do you see
authentication
heading?

66. Thank you!
@TheNextUX