Password Strength Requirements
How I improved Vivy's conversion rate, while balancing security and usability
Mobile
2019
Challenge
Support users in setting a secure password while increasing the signup conversion rate
Role
Research, UI/UX Design, Copywriting, and Usability Testing
April — June 2019
Platforms
iOS and Android
Status Quo
At the beginning of 2019, Vivy implemented a higher security standard for password creation. In the following months, we received an alarming amount of feedback by email and negative app store reviews about how hard it was to create a password during account creation.
I downloaded this app because I like the idea. But if I have to enter thousands of passwords and Vivy does not take one of them, I cannot use this app.
Process
I started by conducting usability tests on the existing app. The goal was to create a benchmark for the upcoming iterations.
Documentation for measuring performance in Confluence, where the results are distilled and finalized.
After defining the test script, different behaviours to be observed, and the test group, I performed this usability test 4 times with 4 different iterations of the feature on the same test group.
Detailed documentation of the tests in Airtable.
From desk research and the first usability tests, I drew the following insights:
Confirmed Assumptions
People usually have a few passwords that they use again and again. These passwords are sorted into three categories:
simple passwords used for unimportant things
mid-level secure passwords used most of the time
high-level secure passwords used for important things like banks, insurance and, in some cases, social media
Pain Points
Users don't understand why the password was rejected.
Users cannot come up with a password that meets the requirement.
Users cannot remember their set password.
Users don't understand the illogical statuses.
Users don’t like being blocked.
Jobs to be Done
Users need a way to come up with a secure enough password
Users need a way to remember their secure password
Iterations
First Iteration
I focused on solving users' pain points regarding the understandability of the feature and avoided the easy solution of lowering the required password entropy, in order not to compromise Vivy's high security standard.
Changes
Implemented error messages from nbvcxz library
Changed design of password strength indicator
Changed design of password requirements
Technical Requirements
Must have at least 8 characters
Must have at least 1 special character
Required password's entropy: 35+
Pain Points
User is confused by error message: "This is a very common password."
User is confused by error message: "Password should not contain dates"
User would like to not have to add a special character
Second Iteration
After the first iteration, I learned that some default error messages from the library were not easy to understand. More importantly, almost half of our test users, who were 20 to 40 years old, simply could not come up with a password whose security level met Vivy's standard.
Changes
Tweaked 3 error messages that caused users confusion:
"This is a very common password."
"Dates are often easy to guess."
"Recent years are easy to guess."
Lowered the password entropy requirement to 29
Technical Requirements
Must have at least 8 characters
Must have at least 1 special character
Required password's entropy: 29+
Pain Points
User would like to not have to add a special character
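To show what the two entropy minimums (35 and 29) mean for a concrete password, here is an added Python example; it is not Vivy's code and not the nbvcxz algorithm. It is a deliberately simplified estimator that discounts common passwords, dates and years, then applies the three requirements listed above. The word list, the 130-year window, the per-character costs, the definition of "special character" and the fallback message are assumptions.

```python
import math
import re

# Constructed sample list; real estimators ship large ranked dictionaries.
COMMON = ["password", "123456", "qwerty", "iloveyou", "letmein", "welcome"]
DATE = re.compile(r"\d{1,2}[./-]\d{1,2}[./-](?:\d{4}|\d{2})")
YEAR = re.compile(r"(?:19|20)\d{2}")
YEARS = 130  # assumed window of guessable years (1900-2029)


def char_bits(c):
    """Brute-force cost of one leftover character, by class size (assumed)."""
    if c.isdigit():
        return math.log2(10)
    if c.isalpha():
        return math.log2(26)
    return math.log2(33)  # printable ASCII symbols


def estimate(password):
    """Return (entropy_bits, warnings); matched patterns cost far less."""
    bits, warnings, rest = 0.0, [], password
    for rank, word in enumerate(COMMON, start=1):
        m = re.search(re.escape(word), rest, re.IGNORECASE)
        if m:  # cost grows with the word's rank in the list
            bits += math.log2(rank + 1)
            warnings.append("This is a very common password.")
            rest = rest[:m.start()] + rest[m.end():]
            break
    for pattern, cost, message in (
        (DATE, math.log2(366 * YEARS), "Dates are often easy to guess."),
        (YEAR, math.log2(YEARS), "Recent years are easy to guess."),
    ):
        m = pattern.search(rest)
        if m:
            bits += cost
            warnings.append(message)
            rest = rest[:m.start()] + rest[m.end():]
    return bits + sum(char_bits(c) for c in rest), warnings


def check(password, min_entropy):
    """Apply the three requirements; return (ok, bits, problems)."""
    bits, warnings = estimate(password)
    problems = []
    if len(password) < 8:
        problems.append("Must have at least 8 characters")
    if all(c.isalnum() for c in password):  # "special" = non-alphanumeric (assumed)
        problems.append("Must have at least 1 special character")
    if bits < min_entropy:  # fallback text below is hypothetical
        problems += warnings or ["Too easy to guess."]
    return not problems, round(bits, 1), problems
```

In this model each bit doubles the expected number of guesses, so moving the minimum from 35 to 29 accepts passwords that are up to 64 times cheaper to guess. The constructed password "anna2019!" scores about 30.9 bits here: rejected at 35 with the year warning, accepted at 29.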
Results
from User Tests
I performed 4 batches of usability tests, each with 10 users. These tests were our baseline for knowing whether the improvements actually made a difference before we released.
Users who came up with a valid password: previously 7/10 users, now 10/10 users (↑)
Users who came up with a valid password within the 1st or 2nd attempt: previously 6/10 users, now 7/10 users (↑)
Users who remembered the set password: previously 6/10 users, now 10/10 users (↑)
Average number of attempts per user: previously 3 per user, now 2 per user (↓)
Highest number of attempts made in a test: previously 7 attempts, now 3 attempts (↓)
KPIs
These are the results 3 months after release.
Number of negative feedback items related to password requirements: 9 in March 2019, 0 in June 2019 (↓)
Task completion rate: 90% in March 2019, 97% in June 2019 (↑)