Stop asking users to enter good passwords

You know the requirements. You know what makes a good password. Stop asking users to dance for you.

3 min readMar 29, 2019

--

How often have you seen a registration form with a dozen different password requirements? Something like this?

Or maybe your product experience team thought that was too ugly so they opted to not even show the user what the requirements are.

Really, Stripe?

Let’s get this straight, as a developer or product owner you know the following:

  1. Your unique requirements for passwords on your service.
  2. That users should pick a unique password for your service.
  3. That passwords should be reasonably complex to hinder cracking.

Why let the user pick the passwords at all? You’re forcing them to jump through hurdles to find something “good enough” — are you expecting them to pick a password that resonates with them? That makes them smile in a way that only that password can? No, they’re trying to use your site, password choice is a barrier.

Generate passwords for your users.

Consider this (example) flow where Stripe generates a password for you.

This will help your users be better protected by default and it’s one less field to fill out which may positively impact the bounce rate on a registration flow.

Product and UX teams may need to rethink some user experience details and it may not be perfect but we’re talking about replacing an awful user experience that leads to poor security practices with a more flexible and potentially better user experience with better security implications.

Every major browser now has a capable password manager that also synchronizes across browsers and devices. We should ensure that password managers are managing good passwords, not awful ones.

Why shouldn’t the user enter their own password?

A password should be a random string of characters. It shouldn’t be something that has meaning to any individual. Even with the password generators we already have, in browser and out, they still run afoul with arbitrary (and often poor) password requirements. Why not take that generation into your own hands and produce a better user experience?

We all know that weak passwords lead to cracked passwords (if you don’t, see: password security & password hashing algorithms). We all know that reused passwords, even if they are magnificent, leave users open to credential stuffing attacks (if you don’t, see: What is credential stuffing?). At Shape Security we see the resulting damage of bad password practices every single second of every single day. In the first 6 weeks of 2019 we saw over 2.3 billion (with a B) credentials leaked on the open web. In those same 6 weeks we recorded our biggest attack yet with 3 billion account takeover attempts in 7 days (and by the way, we just launched a self-service defense for smaller businesses, Shape Connect, if these sorts of attacks are sounding familiar to you).

We aren’t going to get rid of passwords completely in the near future but we can do a much better job at dealing with them.

--

--

Jarrod Overson

I write about JavaScript, Rust, WebAssembly, Security. Also a speaker, O'Reilly Author, creator of Plato, CTO @Candle