September 2018 - January 2019
The security of customer account data
ASOS cares about the security of customer data and customer accounts. ASOS is also a target of credential-stuffing attacks: mass automated attempts to log into customer accounts, which at volume also act as a distributed denial-of-service (DDoS) load on the login service. There was a duty of care to increase password strength in order to reduce the likelihood that a customer's account could be breached by these automated login attempts. It was my task to understand more about user habits when it came to securing their accounts, and to test different approaches to encourage the adoption of stronger passwords.
Quick and dirty guerrilla testing
To start the ideation process, I formulated a range of concepts with messaging and strength bar components to encourage customers to create stronger passwords. With three ideas prototyped, six participants recruited at random were asked to take part in a series of tasks devised to test each prototype. The key feedback points included making sure the messaging adhered to the ASOS youthful tone of voice. Moreover, the external password tips contained too much information, which would deter customers from signing up. The UI of the strength bar itself caused confusion, with some users stating that the four segmented bars looked like the underlines of the iOS lock screen passcode entry. You can view the initial three concepts below.
[Images: the 'weak' state of password strength design concepts 1, 2 and 3]
User testing password strength concept with segmented 3 bar strength indicator
Unmoderated user testing concept one
Both of the refined concepts contained a segmented three-bar strength indicator that used the familiar traffic-light colours (red, amber, green) to show how strong a password was. The key difference between the concepts was the messaging. For concept one, a distinct 'Password Tips' box gave users access to easy-to-digest tips. These swipeable tips were cross-referenced with security advice from other large and reputable companies, so the guidance offered to users reflected widely accepted password advice.
Unmoderated user testing concept two
Concept two housed the password feedback and the suggested improvement in the same concise message. During user testing, concept two was a clear winner, with 11 out of 12 participants selecting it as their preferred option. Users preferred contextual tips about the password they had just typed over generic tips they already knew. The amber 'moderate' bar also seemed to encourage users to 'get it to green' and complete sign-up with a strong password.
User testing password strength concept with contextual password improvement messaging
Have I been pwned integration showing if password had been breached before
Exploring the 'Have I Been Pwned?' (HIBP) integration
The development team steered me towards the freely available HIBP Pwned Passwords corpus of passwords that have appeared in data breaches. The corpus could be integrated into our system and used to verify whether a password had previously appeared in a breach, after which the system would warn the user or block the password outright. I experimented with stating the number of recorded breaches within the messaging. This was deemed too strong: there was a considerable risk of scaring the user by telling them that their password had been compromised in a previous data breach. The alternative was to run the HIBP check in the background, blocking a previously breached password while encouraging the user to make it more unique through motivational messaging, without ever surfacing the breach count.
Have I Been Pwned (HIBP) Website
Succinct live messaging
From research and testing, the consistent feedback point was to make sure that the messaging, combined with the strength bar indicator, was encouraging but not forceful. The copywriting team were brought in to create this succinct messaging in the twenty-something tone of voice. I felt it was important to start each copy variation with 'Your password', so that the messaging would be easier to read. In addition, the strength bar and messaging would only change after a short pause in typing or when the user left the input field. This ensured that the live updating of text would not appear sudden and off-putting.
Weak, medium and strong password designs for Android devices
Up close view of segmented bar strength indicator for Android device
Password safety screen with tips and guidance for creating a strong password
Creating a strong password on desktop web
Web accessibility considerations
It was essential to check that accessibility requirements were met, especially for web. Without a delay, the strength bar and messaging would update on every keystroke. This becomes hazardous for VoiceOver compatibility, as on every keystroke the VoiceOver message would update and be read aloud, providing an inaccessible experience. The solution was to give the message region the 'aria-live' attribute with the value 'polite'. This value de-emphasises the importance of the message so that it does not interrupt the screen reader's current task. Instead, the new message is only read aloud once the user stops typing.
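The contextual messaging and the accessibility behaviour described in the two sections above, as an added example that is not ASOS code and not part of the original case study: a `weak` / `medium` / `strong` classifier whose every message starts with 'Your password', a three-segment traffic-light bar, a debounce so the bar and the `aria-live="polite"` region only update once typing pauses, and a blur handler so leaving the field also refreshes the feedback. The thresholds, wording, CSS class names, element ids and the 600 ms pause are assumptions; the 10-character minimum is the one the case study adopted.

```javascript
// Added example, not ASOS code: contextual "Your password ..." feedback,
// a three-segment traffic-light score, and a debounced update into an
// aria-live="polite" region. Thresholds, wording and class names are
// assumptions; MIN_LENGTH is the 10-character minimum from the case study.
const MIN_LENGTH = 10;
const PAUSE_MS = 600; // assumed "pause in typing" before feedback changes

// Classify a password into weak / medium / strong with one contextual tip.
// variety = how many of lower, upper, digit, symbol classes are present.
function assessPassword(password) {
  const variety = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;

  if (password.length < MIN_LENGTH) {
    return { level: 'weak', segments: 1,
      message: `Your password needs at least ${MIN_LENGTH} characters` };
  }
  if (variety <= 1) {
    return { level: 'weak', segments: 1,
      message: 'Your password needs a mix of letters, numbers or symbols' };
  }
  if (variety === 2 && password.length < 14) {
    return { level: 'medium', segments: 2,
      message: 'Your password is OK, add a symbol or a capital to get it to green' };
  }
  return { level: 'strong', segments: 3, message: 'Your password is strong' };
}

// Markup rendered once. The live region must exist before its text changes
// for screen readers to announce updates; aria-live="polite" queues the
// announcement until the user is idle instead of interrupting them.
// The bar is decorative because the message carries the same information.
function feedbackMarkup(assessment) {
  const segs = [1, 2, 3].map((i) =>
    `<span class="segment ${i <= assessment.segments ? assessment.level : 'off'}"></span>`
  ).join('');
  return `<div class="strength-bar" aria-hidden="true">${segs}</div>` +
    `<p class="strength-message" aria-live="polite">${assessment.message}</p>`;
}

// Run fn only after calls stop arriving for delayMs.
function debounce(fn, delayMs) {
  let timer = null;
  return (...args) => {
    clearTimeout(timer);
    timer = setTimeout(() => fn(...args), delayMs);
  };
}

// Wire the meter to a password input. The live region is created once and
// only its text and segment classes change afterwards, so each update is
// announced rather than the region being recreated.
function attachMeter(input, container) {
  container.innerHTML = feedbackMarkup(assessPassword(input.value));
  const messageEl = container.querySelector('.strength-message');
  const segmentEls = container.querySelectorAll('.segment');
  const render = () => {
    const a = assessPassword(input.value);
    messageEl.textContent = a.message;
    segmentEls.forEach((el, i) => {
      el.className = `segment ${i < a.segments ? a.level : 'off'}`;
    });
  };
  input.addEventListener('input', debounce(render, PAUSE_MS)); // pause in typing
  input.addEventListener('blur', render);                      // leaving the field
}

// Guarded so the module also loads outside a browser (e.g. under Node).
if (typeof document !== 'undefined') {
  const input = document.querySelector('#password');        // assumed ids
  const container = document.querySelector('#password-feedback');
  if (input && container) attachMeter(input, container);
}
```

Because the `<p aria-live="polite">` element is created once in `attachMeter` and later only has its `textContent` replaced, assistive technology sees one persistent live region whose content changes, which is the condition for polite announcements to be queued correctly.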
Behaviour change is hard
Unfortunately this project was taken off the prioritisation list. In the meantime, a social media campaign named 'Password Refresh' was launched to emphasise the importance of a strong and secure password. The campaign consisted of seven Instagram stories with tips and best practices for existing customers to update their password. Another immediate change was to increase the minimum password length from 8 to 10 characters, which at the time made ASOS the only online fashion retailer with a double-digit password minimum requirement! One major learning from the project was that trying to change a user's behaviour is incredibly hard. Even when given password tips and best practices, users often revert to their old ways.

