Sunday, February 14, 2016

Usability Issues with Password Rules and Restrictions

By Mike Wakim



Passwords have been the main mean of user authentication for online websites for quite a while now. A very large number of websites allow users to sign up for the service that they are providing, whether it is to access more content, or to simply manage their browsing data and/or personal details. Signing up to a website generally involves selecting a username, a password, and sometimes other personal details such as email, phone number, and others. The signing up process is in most cases a quite simple task, which is fairly consistent in terms of user experience across different websites. However, one area that lacks consistency is the password creation mechanism that plays a major part of this process.

Websites often have password rules and restrictions. These rules generally set a minimum length for the password that needs to be selected, along with other small requirements, such as enforcing the password to contain at least one lower case character, one uppercase character, some digit, and some symbol. Unfortunately, these rules and restrictions are not the same across all websites.

In this blog post, we will initially talk about why websites set rules for password creation. We will then talk about the existing usability issues that have to do with this process. In terms of usability, we will be focusing on the two following questions:

  1. How well are websites specifying the rules and restrictions for the passwords?
  2. How good is the feedback that websites are providing when a user specified password does not meet the stated rules and restrictions?


Some Background


When it comes to user authentication, whether it is on websites, operating systems, mobile devices, or other things, passwords are heavily deployed. Passwords started off as being a simple alphabetical or numerical passphrase that only the owner knew, and started getting more and more complex since then. The accepted requirements for secure passwords have also changed in the past few years. For example, a few years ago, a six character password was considered secure. Now however, it is recommended that a password be at least 8 characters [10]. The main attack that we generally worry about when it comes to password cracking is the brute-force attack, where an attacker tries all possible passwords to try and guess the password chosen by a user. There are many ways to slow down this attack and to reduce its effectiveness, one of which has to do with increasing the minimum length allowed for the password, as well as increasing the size of the input space (i.e. the different characters allowed in our password).

The link [1] in the references below provides a great explanation on how the password length and the input space make a difference to the effectiveness of a brute-force attack. They assume that an attacker is capable of trying 15 million passwords per second, and derive the following results: 

Screenshot from [1]

The results are quite interesting… We can see that the amount of time it would take an attacker to guess our password via a brute force attack is directly linked to the input space, as well as to the password length. The more we increase our input space and password length, the more secure our password becomes. This is the main reason why so many websites provide rules and restrictions for passwords. Essentially, there’s no point of having a password if it would be trivial for an attacker to go ahead and guess what it is.

It is important to note that there is a lot more to password protection than I have just mentioned. For example, it is always important to ensure that passwords are stored properly on servers and not in plaintext (i.e. as is) format. Encryption and hashing [3] can both be used to safely store passwords on servers. Having a TLS certificate (HTTPS) is also very important to ensure that the communication going on between the user (client) and the server is secured.

The main objective of this blog post is to talk about the existing usability issues and inconsistencies involved with the password creation mechanisms on different websites, so we won’t be providing more details about the security of passwords. Google has a very good password help web page [4] that provides “tips for creating a secure password”, “things to avoid”, and “tips for keeping your password secure”. For more information, please consult the links available in the references below.


Usability Issues


The main problem with usability when it comes to password creation is the lack of consistency of how the rules and restrictions are stated across different sites. In this section, we will be providing examples of the specification of the rules on four different websites: Gmail, Facebook, Cineplex, and Github. 

Note that the screenshots below were all taken from the respective websites that we are talking about. The websites were loaded on Firefox version 44.0.2 on Mac OS X El Capitain.

1. Gmail


When you choose the “Create Account” option on, this is what you see:  

Screenshot from [6]

Notice that we do not see any rules and restrictions at all as of now. However, once we start filling in the information, and we get to the password section, a new UI component appears on the screen, informing us about the rules that we must comply with for the password that we want to create. I drew a red rectangle around the new UI component, which is depicted in the following image:

Screenshot from [6]

Here we can see that the password must use at least 8 characters, and it should be something that we have not already used on another site. I really like the “Why?” hyper link provided here, which takes you to link [5].

As you start typing the password, the new UI component provides real time feedback, while evaluating the “strength” of the password at the same time, helping the user create a more secure password.

If the password that I select is too short, we see the following:

Screenshot from [6]

As we increase the length of the password, we see the strength of our password as well. Here there are three options: Weak, Good, and Strong.

Screenshots all from [6]

It’s important to note that Gmail doesn’t add any restrictions when it comes to the input space. They do not force the user to use a combination of upper case and lower case letters, digits, and symbols. They instead give a “strength” rating of the password, and let the user proceed as he wishes.


2. Facebook


On Facebook, you are given the option to create a new account directly on their main page, This is what you see: 

Screenshot from [7]

Similarly to Google’s Gmail, we do not see any rules and restrictions concerning the password on this page. Now if we start inputting information into the appearing edit texts, and we get to the password field, unlike Google, we still do not see any feedback whatsoever concerning the password. In the screenshot below, I inputted a password of length 6 (which is supposed to be insecure).

Screenshot from [7]

I continued the account creation process, and at the very final step, after I provided input to the Birthday and Gender fields, and clicked on the Sign Up button, a new UI component appeared below the Sign Up button telling me that I need to choose a more secure password, and that the password had to be longer than 6 characters. The screenshot below shows the component that appeared:

Screenshot from [7]

So the good news is that Facebook did not let me sign up to access their system with a password that’s only six characters long. The bad news however, is that the rules and restrictions were not specified anywhere as I was creating the account, and the feedback only appeared after I had finished inputting all my personal information.


3. Cineplex


When you try to create an account on the cineplex website, you see the following:

Screenshot from [8]

Again… similar to Facebook and Gmail, we do not see any rules and restrictions regarding the password on the initial screen. However, as we start inputting our personal information and we eventually get to the password field, we see the following:

Screenshot from [8]

Now we can see all the rules and restrictions set for the password… which is fine. It appears that the password must be between 6-20 characters in length. It’s not clear whether this is inclusive or exclusive. In other words, I do not know whether a 6 characters password will be accepted or not, perhaps the password must be larger than 6 characters (hopefully, because a length of 6 is not considered secure!). We can also see that the password must contain one uppercase letter, one lowercase letter, and one number or one non-alphanumeric character (e.g. a symbol). So as I started writing down my password, I saw the following:

Screenshot from [8]

The cineplex website was giving me real time feedback in regards to how my password meets the rules and restrictions set by them! Unfortunately, what I had hoped for was not true. Cineplex actually accepts passwords that are 6 characters long, as long as the password met the rules and restrictions that were set.

The feedback UI component appeared as follows, once my password had satisfied all the requirements: 

Screenshot from [8]

I really liked the real time feedback regarding the password that the Cineplex website was providing. It would however probably be a good idea to increase the minimum length requirement set on the password. 


4. GitHub


Similar to Facebook, on, you are directly given the option to create a new account on the main page. The main page looks like the following:

Screenshot from [9]

Note that I drew a red rectangle around the text right below the password edit text field. This is the first website out of the ones that we have already talked about, that actually displays the rules and restrictions relating to the password before we actually “focus” on the password field. Here, it appears that the password must contain at least one lowercase letter, one numeral, and a length of at least seven characters. If I input a password field that is only 6 characters long, which clearly doesn’t meet the set requirements, I’m presented with the following:

Screenshot from [9]

A new UI component appeared, reminding me of the rules and restrictions that I must follow to get a good password.


Observations and Conclusion


So far, we looked at the signing up process on four different websites: Gmail, Facebook, Cineplex, and GitHub. We can see that these websites requested somewhat similar information from the user, such as the first name, the last name, the email address, and so on. All four websites however had different user interfaces when it came to selecting a password. Three of the four websites did not show the password rules and restrictions without a preceding user action, such as focusing on the password edit text field.

One website, Facebook, did not show the rules and restrictions at all, up until the user fully provided all the information needed and clicked on the “Sign Up” button. Based on the images above, it is clear that there is a lack of consistency in terms of how these websites choose to deal with the password creation mechanism.

Unfortunately in this blog post, I was only able to look into and write about 4 different websites. It would be nice to see how other websites deal with this mechanism as well. This process is simple enough that it could be rendered more consistently in the future across different websites.

Personally, I like the user interface set up by Google and by Cineplex the most. In fact, having a UI component that tells the user how his password satisfies the stated rules and restrictions in real time, while at the same time, informing the user how secure their password currently is, would be a perfect choice. In regards to the strength, I find that Google’s scale of “Weak”, “Good”, and “Strong” is excellent.



[1] Password Best Practices. (n.d.). Retrieved February 14, 2016, from

[2] Fox-Brewster, T. (2015, October 28). 13 Million Passwords Appear To Have Leaked From This Free Web Host - UPDATED. Retrieved February 14, 2016, from

[3] Coates, M. (2014, June 4). Safely Storing User Passwords: Hashing vs. Encrypting - Dark Reading. Retrieved February 14, 2016, from

[4] Google Accounts. (n.d.). Retrieved February 14, 2016, from

[5] Creating a strong password. (n.d.). Retrieved February 14, 2016, from

[6] One account. All of Google. (n.d.). Retrieved February 14, 2016, from

[7] Facebook. (n.d.). Retrieved February 14, 2016, from

[8] | Movies, Showtimes, Tickets, Trailers. (n.d.). Retrieved February 14, 2016, from

[9] GitHub. (n.d.). Retrieved February 14, 2016, from

[10] Schneier, B. (2014, March 03). Choosing Secure Passwords. Retrieved February 14, 2016, from

No comments:

Post a Comment