I live by the credo: no detail is too small… to complain about.
Here is something to improve related to credential security for the many online accounts we all have. It’s not a technical improvement; there is an easy technical answer.
However, the human behavior aspect is a different angle. And, I believe that the account setup sequence I’m going to show you is a failure of empathy on the part of site developers or security staff.
Account security best practice
It’s well known among security people that for each account you set up online you should create a password that is (1) complex, and (2) unique.
In fact, this is such a simple best practice that browsers such as Safari suggest complex, unique passwords and pre-fill them when you create an account. They then use the Mac Keychain to remember the account info. When it works, it makes creating and remembering passwords easier… increasing people’s credential security.
Creating a new password
Today I had the opportunity to create a new account for sensitive information.
Here’s what it looked like:
What’s happening and where is the human / empathy fail?
Human behavior beats technology every time
Let me point out what you’re seeing above.
I have the default settings for password suggestions on Safari. In fact, I’m not even sure I could change them.
The default setting produces passwords in the pattern 6 characters, dash, 6 characters, etc.
However, this site disallows the dash (‘-’) from passwords.
Whoever owns the site would probably say “just pick another character”.
In theory, that’s easy.
In practice it fails. Most users, I bet, would click on “strong password”, tell Safari not to suggest a password, and enter the “regular” password they use everywhere. Most users are simply trying to get through the account creation flow. They choose the simple path, not because they want their account to be compromised, but because it’s simple.
Is that good behavior? No. Would most people know why not? Probably not. You can educate them, but then you’d just have smarter people choosing the easier path. The failure is in making something more difficult than it should be, not in the ‘laziness’ of your users.
Obviously, this site wasn’t tested in Safari. There was a time when it was easy to tell users what browser to use. That time is long gone.
The power of defaults is well known to people who design with user experience as a priority. Site developers and security officers owe it to themselves and their users to reduce the cognitive load it takes for users to keep their accounts safe. The creators of the site above… it’s their fault. Even if a technically correct answer like “choose a different character” is simple and sounds like it makes sense, it’s the wrong answer because human behavior in the context of the design hasn’t been considered.
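To make the failure concrete, here is an added example (not code from the original post or from the site it describes) that puts a dash-banning password policy next to one that accepts whatever a browser generates, and audits both against a batch of generated passwords. The generator only approximates Safari’s “six characters, dash, six characters” shape and is a stand-in, not Apple’s code; the policy rules and the sample password are constructed for illustration.

```javascript
// Added example, not from the original post. Shows how a character blacklist
// rejects every browser-generated password, and what a policy that accepts them looks like.

// Character pool for the stand-in generator (an assumption; Safari's real pool may differ).
const GROUP_CHARS = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Small deterministic PRNG so the audit is reproducible. For illustration only:
// a real password generator must use a cryptographic RNG (e.g. crypto.getRandomValues).
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Produce a password in the generated-password shape discussed in the post:
// three groups of six characters joined by dashes, e.g. "kovwep-3Bawxo-hudfaj" (constructed).
function safariStylePassword(rng) {
  const group = () =>
    Array.from({ length: 6 }, () => GROUP_CHARS[Math.floor(rng() * GROUP_CHARS.length)]).join('');
  return [group(), group(), group()].join('-');
}

// Policy A: modelled on the site in the post. Only a fixed set of "special" characters
// is allowed, so the dash is banned. Returns a list of problems; empty means accepted.
function restrictivePolicy(pw) {
  const problems = [];
  if (pw.length < 8) problems.push('too short');
  if (/[^A-Za-z0-9!@#$%^&*]/.test(pw)) problems.push('contains a disallowed character');
  return problems;
}

// Policy B: length bounds plus "any printable ASCII". Generated passwords pass untouched,
// and the user never has to hand-edit a suggestion.
function permissivePolicy(pw) {
  const problems = [];
  if (pw.length < 12) problems.push('too short (minimum 12)');
  if (pw.length > 128) problems.push('too long (maximum 128)');
  if (/[^\x20-\x7E]/.test(pw)) problems.push('contains a non-printable character');
  return problems;
}

// Feed a policy a batch of generated passwords and report how many it turns away.
// A site can run this against its own rules before shipping a signup form.
function auditPolicy(policy, count, seed = 42) {
  const rng = makeRng(seed);
  let rejected = 0;
  for (let i = 0; i < count; i++) {
    if (policy(safariStylePassword(rng)).length > 0) rejected++;
  }
  return { count, rejected };
}

console.log('restrictive policy:', auditPolicy(restrictivePolicy, 100)); // rejects all 100
console.log('permissive policy: ', auditPolicy(permissivePolicy, 100));  // rejects none
```

The audit is the check a site owner should have run before deciding that “just pick another character” is an acceptable answer: a policy that turns away 100% of what the user’s browser offers is, in practice, a policy that pushes users toward a reused password.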
Forgive a slight tangent to plug the company some friends of mine founded.
Another way to solve this problem is to use Cymatic’s solution. Cymatic alerts users in the flow of account creation whether the password they choose is compromised. The benefit is that even if users can’t work with the default Safari capabilities, they know in the moment what the best security practice is, and what they should do to maximize their credential safety.
Read this good article about how Cymatic helps users maintain proper security hygiene; the screen grabs in that post are quite nice, and I’m sure they have evolved in the 9 months since.
Cymatic helps people and companies keep accounts safe and secure, in a way that shows empathy to non-technical users and helps them be more aware of the small things they can do to maximize their online safety.
In my opinion, the best part of Cymatic’s solution is how easy it is to implement. Not many things in life are easy and good. You really should have a look.