This article reviews research undertaken to construct user-friendly passwords for websites, which in turn result in smooth user transactions. Ryu and Moshfeghian reviewed 96 websites within 16 categories, then narrowed their study to the top six sites within the dating and travel categories, as selected by Google. The findings are useful to users who type a password into a website and to the companies that want to offer smooth user transactions. The study shows that effective password registration may produce a higher number of successfully registered accounts, which can translate to increased sales, brand status, and recognition. Some websites call upon picture identification for partial authentication along with the password. However, fancier password recognition software applications that would recognize faces or fingerprints or verbal inflection are further down the line.
Like so many of us, Soolmaz Moshfeghian has been frustrated by websites that ask her to reiterate on the spot a password she’d last used to sign in more than a year ago; or that prompt her to follow password-creation rules she knew would lead to a password she’d never remember (for example, at least one letter capitalized and one symbol and at least nine characters long).
The password frustration she shares with most of us has led to her work for user-friendly passwords and her assertion that password design is a human factors, or ergonomic, issue. These fields of study attempt to optimize the interaction between a human and a particular machine or system.
And she’s come up with a number of ideas, thanks in part to her recent graduate work, including questions posed to users and picture-matching. “Passwords are so important because they enhance or impact human performance on a website,” she said.
Now, as director of user experience at PIC Business Systems Inc., a provider of business software in San Antonio, she confers with software developers at the company about how to make login and password authentication processes easier. She works with developers to understand their issues and problems in helping design better systems, all the time prompting them to keep the user in mind. Thus she offers a comprehensive view of password design, Moshfeghian said.
Perhaps Moshfeghian has an aptitude for password design issues because she didn’t exclusively study information technology.
“I come from a background of marketing and fine arts, and I noticed there was a lack of human empathy for the user in the software development field,” she said. “Password authentication varies across different web sites and the dissonance really bothered me.”
As a recent graduate student at Texas State University-San Antonio, she worked with Young Sam Ryu, assistant engineering professor at the same school. They published the paper, “A Passport to UX-Design of Password Practices,” which appeared in the April 2012 issue of the journal Ergonomics in Design: The Quarterly of Human Factors Applications.
The two looked at online password practices from the user’s point of view. (The “UX” in the paper’s title stands for “user experience.”) Their study promised to produce design strategies and recommendations to smooth users’ password experiences and reduce the number of failed password attempts.
“Because mobile devices like iPads are becoming more ubiquitous and more of our lives are moving online, passwords are used more frequently for different aspects of our lives and it’s important to find ways they work better,” Moshfeghian said.
Across the Web
Ryu and Moshfeghian reviewed 96 websites within 16 categories, then narrowed their study to the top six sites within the dating and travel categories, as selected by Google.
The findings are useful to users who type a password into a website and to the companies that want to offer smooth user transactions, she said.
According to the paper, “Effective password registration may produce a higher number of successfully registered accounts, which can translate to increased sales, brand status, and recognition. Fewer failed password registration attempts can lead to reduced system maintenance, security, and password recovery costs.”
But Ryu and Moshfeghian uncovered a marked lack of consistency in how websites use passwords for authentication.
Only a few of the sites they looked at attempted to improve the design of the password selection interface, and in those cases they did so to increase the level of security and memorability of passwords, not to improve user experience, according to the paper.
While most of the sites gave a link to click on for tips to set strong passwords, fewer than 50 percent of them offered visual guidance on how to set the type of passwords they required.
“Users were forced to begin the password selection process without sufficient knowledge of each site’s password requirements,” the authors wrote in their paper. This resulted in users receiving error messages and being asked to try passwords again and again.
The sites that did offer guidelines often placed them in inconsistent areas or presented them in small fonts. The paper reported that the Monster.com site presented a list of symbols not to use and may have confused users.
Ryu and Moshfeghian closed their paper by pointing out several ways web designers can make password registration and authentication easy on users.
A second part of their project, not yet published, measured the password requirements stated on all 96 sites in terms of minimum character requirements and other factors, and found security loopholes.
“Half of them didn’t even enforce the minimum that they said you should put,” Moshfeghian said. “Sometimes you could put six blank spaces and it would accept that. Banks and financial sites would enforce it, but all the others had we found a lot of potentials for loopholes in the security.”
Passwords And Human Factors
Soolmaz Moshfeghian of PIC Business Systems and Young Sam Ryu of Texas State University studied the password practices at 96 websites and offer these tips for web designers.
Use clear and concise language to communicate password requirements.
Present password guidelines in order of importance.
Make the most important requirements visible rather than mouse-over or click-on-link options.
Provide users with the length requirement (minimum and maximum) and the character requirement (for example, the minimum letters, numbers, and symbols required).
Make the password input box correlate with the password’s maximum length requirement.
Use consistent terms when talking about passwords.
Consider an interactive feedback feature that gives users feedback as they enter a potential password.
Use internationally known graphics and icons to communicate the feedback.
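The tips above and the enforcement gap the authors describe (sites accepting less than their stated minimum, or six blank spaces) both come down to keeping the displayed rules and the enforced rules in one place. The following is an added example, not code from the paper or from any site it reviewed; the policy values and function names are assumptions.

```javascript
// Added example: one policy object drives the guidance shown to the user,
// the per-keystroke feedback, and the server-side check.
// All names and limits here are assumptions, not taken from the paper.
const POLICY = { minLength: 8, maxLength: 64, minLetters: 1, minDigits: 1, minSymbols: 1 };

// Rules are listed in order of importance; each has user-facing text and a test.
function buildRules(p) {
  const count = (s, re) => (s.match(re) || []).length;
  return [
    { id: "length", text: `${p.minLength} to ${p.maxLength} characters`,
      ok: (s) => s.length >= p.minLength && s.length <= p.maxLength },
    { id: "not-blank", text: "Not only spaces",
      ok: (s) => s.trim().length > 0 },
    { id: "letters", text: `At least ${p.minLetters} letter(s)`,
      ok: (s) => count(s, /\p{L}/gu) >= p.minLetters },
    { id: "digits", text: `At least ${p.minDigits} number(s)`,
      ok: (s) => count(s, /\p{Nd}/gu) >= p.minDigits },
    // Whitespace is deliberately not counted as a symbol.
    { id: "symbols", text: `At least ${p.minSymbols} symbol(s)`,
      ok: (s) => count(s, /[^\p{L}\p{Nd}\s]/gu) >= p.minSymbols },
  ];
}

// Guidance to display next to the field before the user starts typing.
function guidance(policy) {
  return buildRules(policy).map((r) => r.text);
}

// Per-rule feedback for the candidate typed so far; can run on every keystroke.
function feedback(policy, candidate) {
  return buildRules(policy).map((r) => ({ id: r.id, text: r.text, met: r.ok(candidate) }));
}

// Server-side enforcement uses the same rules, so the stated minimum is the enforced one.
function enforce(policy, candidate) {
  const failed = feedback(policy, candidate).filter((r) => !r.met).map((r) => r.id);
  return { accepted: failed.length === 0, failed };
}

// The input box's length limits come from the same policy object.
function inputAttributes(policy) {
  return { type: "password", minlength: policy.minLength, maxlength: policy.maxLength };
}

// Constructed sample inputs.
console.log(guidance(POLICY));
console.log(enforce(POLICY, "      "));           // six blank spaces
console.log(enforce(POLICY, "correct horse 9!"));
```

Because `enforce` and `guidance` read the same rule list, a requirement cannot be advertised without being checked, and a whitespace-only password is rejected even under a policy that asks only for a minimum length.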
Beyond the Word
How did choosing and registering a password get so complicated?
Web design is a marriage of form and function, a point that can go overlooked by the designers that focus mainly on a site’s graphical look rather than its function.
This can explain why guidelines for password creation can be left off a site or hidden in a small font in an out-of-the-way place, Moshfeghian said.
Web designers aren’t solely responsible for how a site appears; others at a company have a say in its aesthetics and in how it functions, including software engineers and others who strategize about what the site should include. User needs aren’t always taken into account in these conversations because getting their feedback at every step of the development process can be costly, she added.
“And often in the IT world you’re in a crunch and can’t stop to involve the users,” she said.
“It does seem like designers know people are frustrated,” she added. “In the past, designers didn’t involve the user in the password process. Now we’re starting to involve the users and get their feedback.”
Since that paper was published, Moshfeghian has moved to her job as director of user experience at PIC Systems. There, she’s exploring website authentication alternatives.
For instance, some companies, including Google, are working on technology that recognizes a user’s fingerprint.
But that will be a few years away, so Moshfeghian is determining whether image recognition is a viable alternative. She’s asked developers at her company to work on this type of code, where the clicking and choosing rather than the typing of a password identifies the user, she said.
“So if I offered a user a picture of a camera, a beach ball, and a pair of shoes, the order in which they pick the pictures is a pass code,” she said. “You may be able to remember it easier, and if there’s enough images to choose from, the combination is similar to passwords in terms of security and safety.”
Some websites call upon picture identification for partial authentication along with the password.
“My bank allows me to choose a picture, so if I access the site from another device I can select it to prove who I am,” she said.
Then we get to Moshfeghian’s (and countless others’) biggest pet peeve, known in the IT world as image recapture but known in the everyday world as “retype the blurred letters and numbers above in this little box.”
That little box is there to prove you’re not a spambot, i.e. a nefarious piece of automated software set up to help send spam.
“I hate that form of authentication. I hate it,” Moshfeghian said. “It’s hard for people to read and to see, but it’s necessary. So we’re trying to give people another way.”
The other way seems odd at first blush; at second blush, genius. IT needs to know there’s a real person rather than a piece of software at the other end of the computer.
“So we’re giving people questions a five-year-old can answer,” she said.
Spambots are puzzled by the questions. For example, users might be asked: With which one of these can you take a picture? They’re offered the choice of a shoe, a camera, or a beach ball and can click on the relevant image.
Beyond the common password frustrations, Moshfeghian is also rankled by what she terms “the lack of any kind of personality in the login or registration process.”
During her research across web sites, she found that only the online dating company OkCupid humanized its registration process. A cartoon robot sits on the screen and talks via a dialog box to users as they fill in their information, Moshfeghian said.
“It’s interactive and it gives you feedback right away. If your password didn’t meet the requirements, it would give you a neat message: ‘You’re almost there; you just need to make a few quick corrections and you’re on your way, signed Staff Robot,’ or something like that,” she said.
Site users who didn’t find new messages after logging in also got a visit from the robot that said, “You have no new messages, but I still love you.”
So look for kid-level questions or the robot in the near future, but expect them first on small companies’ websites. These types of password-easing changes can be easily implemented at small companies but are expensive and lengthy undertakings for large websites like Amazon or eBay where a great deal of code would need to be rewritten, Moshfeghian said.
Fancier password recognition software applications that would recognize faces or fingerprints or verbal inflection are further down the line, she said.
But when one is fumbling with the fifth ‘unrecognized password’ statement of the day, one realizes it can’t get here soon enough.