Secure passwords and user experience – a tricky relationship?

How to make the login process easier for users

Hacker attacks and data leaks as well as the GDPR implementation have raised the awareness for data security issues in society. Nevertheless, only very few internet users use really secure passwords. We therefore collected some tips on how you as a company can support your customers better with dealing with personal passwords.

Status Quo: “For 90% of my accounts I use the same password.”

In a qualitative study by Facit Digital on password security, the test persons stated that they had an average of 20-30 user accounts with password access. Often the same password is used for several accounts. In addition, most people note their passwords on notes, unprotected documents on their PC or in their smartphone notes. Password managers can help to remember passwords, but so far only a minority (10%) of German Internet users use them ( via Statista).

It becomes particularly problematic for companies if forgetting passwords leads to customers not using their created accounts or canceling a purchase process after they have had to reset their password again.

Password UX in a few steps

There are a few things that companies can consider in order to improve the usability of login processes and avoid bounce rates.

1) Reduce and highlight password requirements

If the requirements a website imposes on a password (e.g. upper and lower case, use of symbols etc.) are displayed from the beginning, error entries can be reduced. There is nothing more annoying than having to try around several times until the password is accepted.

Airbnb clearly highlights the password requirements and displays green if they are met.

2) Enable “Show password”

The possibility of displaying the password also avoids errors and supports remembering the passwords. The experts of the Nielsen Norman Group recommend different default settings for desktop and mobile devices: On desktop you should first automatically hide passwords (i.e. instead of the actual password the known dots appear in the input field). A “Show” button next to the input field allows users to display their entries. On mobile devices, it would be better to do things the other way around: Automatically display the password and use the button to give users the option of switching to “Hide”.

The registration process at on desktop:
The password is hidden by default. Users can display their password by clicking on “Show”.

3) Show password strength

A password strength indicator gives users real-time feedback on their chosen passwords and motivates them to create stronger passwords. Our study on password security has shown, however, that users want transparency at this point: The display should therefore show on which parameters the strength or weakness of the selected password is based (-> combination with point 1).

Passwort-Stärke-Anzeige bei
A traffic light system with 3 colors informs users at about the strength of their typed password. The display of security tips provides information about the parameters on which the strength of a password at is based.

4) Give up password confirmation

Input fields in which the newly selected password is to be entered repeatedly are increasingly not recommended. Typing in passwords is cumbersome. If a password has to be entered twice, it is doubly annoying. If the password can be displayed (see point 2), users can check errors directly, which eliminates the need for duplicate entries.

5) Enable passphrases

Until now, the requirements for secure passwords were almost undisputedly based on the specifications of the US authority NIST (National Institute of Standards and Technology) from 2003: passwords as complex as possible, with upper and lower case, special characters, which are also regularly updated.

It is true that a particularly cryptic word, such as “570b%8lhZ”, is harder to hack than normal words. Nevertheless, it has turned out that many of these supposed security measures lead to people not being able to remember passwords and note them down on slips of paper. If passwords are changed frequently, users tend to create simpler passwords that they can remember better. Therefore, experts increasingly recommend so-called passphrases. These are longer sentences consisting of at least three proper words. These are easier to remember. Also, long passwords (even if they are simple words) are harder to hack than short complex character combinations. According to Swedish digitization expert Thomas Baekdal, for example, it is 10 times safer to use “this is fun” as a password than “J4fS<2”. Such passphrases become even more secure when fantasy words are used (e.g. “fluffy is puffy”). In this way, password requirements (see point 1) could also be further reduced without minimizing security.

NIST experts have also revised their original recommendations and published new guidelines in 2018. To support passphrases, the US authority now advises to allow up to 64 characters in a password entry field. In addition, users should no longer be arbitrarily forced to update their passwords on a regular basis. Unless there is a password violation.

6) Reconsider password-protected areas

The fact that in many situations it is not absolutely necessary to “force” the user to register is often neglected. Wherever possible, registration should always be optional. Guest checkout with optional registration on e-commerce sites simplifies the purchase process, for example. Even tailor-made offers are possible without a login process: Amazon uses cookies, for example, to show users personalized content even when they are not logged in.

Alternatives to the classic password login

In addition to text-based passwords, there exist a large number of alternative authentication options these days.

Biometric authentication methods, such as touch or face ID or iris and retina recognition, as well as analysis of the keystroke rhythm, are considered particularly secure because they cannot easily be passed on to other people, be forgotten or stolen. They also make remembering passwords obsolete and replace the annoying typing of pins and passwords.

Particularly secure, but not necessarily more practical, is two-factor authentication, in which a code is sent to a second device in addition to the password when logging in.

More user-friendly is the so-called “Social” or “Third-Party-Authentication“, i.e. authentication via Facebook, Google or other external providers. Here users can quickly and easily register and use their (already practiced) password. When implementing this method, however, it must be considered that there are users who do not have a social media account or do not want to use it for registration.

It is also possible to completely do without a password during registration. With “No Password Authentication“, for example, users can be offered the option of having a link sent to them by e-mail, which automatically logs them in. Security is guaranteed by the fact that the link loses its validity after a certain period of time.

No password authentication bei
Option to register without password at


Password protected areas are unavoidable in many situations. German users in particular attach great importance to data protection and want to feel secure. On the other hand, passwords are annoying and complicate the user flow. The points listed have shown that usability and security are not mutually exclusive. For a successful user experience, companies should make it as easy as possible to create passwords that are both secure and simple. Procedures that replace the use of passwords should also be increasingly considered. In this way, both the users and the companies themselves benefit in the end.

Beitrag teilen
Theresa Amberger
Theresa Amberger
Als studierte Kommunikationswissenschaftlerin stellt Theresa viele Fragen und geht den Dingen gerne auf den Grund, so auch für die Blog-Reihe „Inside FaDi“. Im UX Consulting bei Facit Digital kann sie diese Leidenschaft mit ihrem Interesse an digitalen Trends und technologischen Neuerungen optimal vereinen.