Encouraging customers to create strong passwords

ASOS cares about the security of customer data and customer accounts. ASOS is also victim to DDoS (Denial of Service) attacks through mass attempts at automatically logging into customer accounts. There was a duty of care to increase password strength in order to reduce the likelihood that a customer's account can be breached and that DDoS attacks can be successful. It was my task to understand more about user habits when it came to securing their account, and test different approaches to encourage the adoption of stronger passwords.

To start the ideation process, I formulated a range of concepts with messaging and strength bar components to encourage customers to create stronger passwords. With three ideas prototyped, 6 random participants were asked to take part in a series of tasks devised to test each prototype. The key feedback points included making sure the messaging adhered to the ASOS youthful tone of voice. Moreover, the external password tips contained too much information which would deter customers from signing up. The actual UI of the strength bar caused confusion, with some users stating that the 4 segmented bars looked like the underlines for the iOS lock screen to enter a passcode. You can view the initial three concepts below.

The development team steered me towards utilising the open-source HIBP repository of breached passwords. The list of breached passwords could be integrated into our system and used to verify whether a password had previously appeared in a data breach after which a system would warn the user or even block the password outright. I experimented with this by stating the number of recorded breaches within the messaging. This method was deemed too strong and there was a considerable risk of scaring the user by stating that their password had been compromised in a previous data breach. The alternative was to implement HIBP in the background. Blocking users who entered a previously breached password whilst simultaneously encouraging them to make it more unique through motivational messaging.

From research and testing, the consistent feedback point was to make sure that the messaging, combined with the strength bar indicator, was encouraging but not forceful. The copywriting team were brought in to create this succinct messaging in the twenty-something tone of voice. I felt it was important to start each copy variation with 'Your password', so that reading the messaging would be easier. In addition, the strength bar and messaging would only change after a few seconds of not typing or disengaging from the input field. This would ensure that the live updating of text wouldn't appear sudden and off-putting.

It was integral to check accessibility requirements were met, especially for web. As the user types a password, the strength bar and messaging would update instantaneously. This becomes hazardous when dealing with VoiceOver compatibility, as on every keystroke that the user makes, the VoiceOver message would update and read aloud, providing an inaccessible experience. The solution was to incorporate the 'aria-live' attribute with the value 'polite'. This value de-emphasises the importance of the message so that it does not interrupt the screen readers current task. Instead, the new message is only read aloud once the user stops typing.

Unfortunately this project was taken off the prioritisation list. In the meantime, a social media campaign, named 'Password Refresh', was launched to emphasise the importance of a strong and secure password. The campaign consisted of 7 Instagram stories with tips and best practises for existing customers to update their password. Another immediate change was to increase the minimum character length from 8 to 10, singling out ASOS as the only online fashion retailer with a double-digit password minimum requirement! One major learning experience from the project was that trying to change a users behaviour was incredibly hard. Even when providing a user with password tips and best practises, users often revert back to their old ways.