When users create an account, they need to set a password. While security is important, during our latest large-scale checkout usability study we also observe that strict password rules can cause an 18.75% checkout abandonment rate among existing account users as they try to sign in.
Hence, overly strict password rules can be a key roadblock to the checkout completion rate, particularly for sites with a large account user base.
In fact, when we tested existing account users at Amazon and ASOS during our large-scale checkout usability study, we observed that 18.75% of all account users abandoned as they first couldn’t remember their password, and then experienced issues with the “password reset” email.
In this article we’ll therefore cover our research findings on password requirements and password reset implications from our Checkout Usability study, including:
During testing, many users specifically mentioned using one password for several e-commerce sites, even while acknowledging that they might be making their online activity less secure by doing so. Users frequently made a distinction between the needed security for an e-commerce account and other more high-priority accounts like PayPal, their email, or bank accounts.
Below we’ve included just a small collection of quotes from our usability test sessions that illustrate how “normal” web users think about security and how they construct passwords:
So while users are aware of the security implications of reusing their password, many do so in practice – simply to have a password they can actually remember. Also, most users approach different sites with different security needs, affording them a sort of internal “security rating” based on the sensitivity of the information they store. Lastly, users’ standard passwords are sometimes invalidated by a site due to a requirement for including numbers, more characters, or capital letters – users will have to come up with a new password variation “on the fly.”
Once a user creates an account, it is in a site’s interest to both secure their personal information, while also making it easy for users to log in to their account easily.
There are two observed downsides of password requirements that are so strict that they prohibit users’ commonly used passwords:
When trying to measure the impact of password requirements, it’s not the account creation completion rate that’s most important to measure, but rather both the sign-in failure rate and the password-reset rate on subsequent site visits. The convenience of having an existing account with a saved address and potentially saved payment information are completely dwarfed by the downsides of the commonly observed flow of:
Clearly what should have been an improved checkout experience – with fewer hassles due to the existing account – turns into a more frustrating flow than a regular “guest checkout” for users that cannot remember their password.
In particular the password reset-email is the weakest link in the chain. During testing, we frequently observed that password reset emails were several minutes delayed (sending and receiving combined), caught in spam filters, or that the users had issues with signing in to their email account in the first place. Any issue with the password reset process will technically lock the user out of their account, at which point checkout abandonments are very likely.
.. we observed an 18.75% abandonment rate among all account users, all due to “reset email” issues ..
Across all the tested users that tried signing in to their existing private accounts at sites like Amazon and ASOS, we observed an 18.75% checkout abandonment rate among account users, all caused by a forgotten password, followed by “password reset email” issues.
We therefore generally recommend that sites impose the least amount of password requirements allowable, given the information that users store with the site. If sites want to minimize account sign-in and password-reset friction as much as possible, we recommend allowing as little as 6 lowercase letters only – however to do so there are two other security requirements that have to be in place so as not to jeopardize site and user security.
There are obviously significant downsides to loosening security, especially for sites that store sensitive payment data. But we’ve in our research found that for e-commerce sites there’s a middle way that allows us to balance security and checkout usability.
To justify simpler passwords of lower security – without sacrificing overall site security significantly – there are 2 security measures that need to be implemented:
Those two above security measures combined are central requirements when wanting to lower the password creation requirements at e-commerce sites. While we from a checkout usability (and thus ultimately conversion rate) perspective don’t recommend imposing stricter password requirements than 6 lowercase characters, we recommend that sites still try to nudge their users into safer passwords. For example suggesting an 8-character password, while still allowing users to proceed with a 6-character password.
Note that at the other end of the scale, we also observe a sub-group of users who are very security conscious and who will prefer to use long passwords (12+ characters) or password generator software. To cater to this often tech-savvy group as well, sites should never limit the security or length of a password (i.e. sites should always allow 20+ character passwords, digits, symbols, etc).
Lastly, to avoid password reset issues from technically locking users out from completing their purchase, it’s vital that account users are always allowed to perform a guest checkout, even if their email is already tied to an existing account.
The user’s ability to place orders is effectively made entirely dependent on something as unreliable as speedy email delivery.
If users cannot perform a “guest checkout” with an email that is already tied to an account, then the site in practice forces all users to abandon their purchase if there’s just the slightest delay or issue with the password reset email. This is critical as email delivery is out of the site’s control. Even if the site’s email delivery system has 100% uptime all year and sends out all emails within 5 seconds, account users can still effectively be locked out from purchasing if their email client/server is slow or for some reason blocking or holding back the email.
The user’s ability to place orders is effectively made entirely dependent on something as unreliable as speedy email delivery (and furthermore assumes that all users even have immediate access to their email).
Note that sites that do not even have a guest checkout option (which is still 14% of e-commerce sites) by definition also suffer from this issue of forcing users to abandon their order in case of email delivery issues or delays. (Yet another reason why sites should always have a “guest checkout” option.)
Due to the combination of a large proportion of users often having 2-5 standard passwords they reuse across e-commerce sites (to be able to remember them), and because the password reset flow for forgotten passwords is observed to cause as much as an 18% abandonment rate for all account users, we recommend the following for e-commerce sites:
This article presents the research findings from just 1 of the 850+ UX guidelines in Baymard Premium – get full access to learn how to create a “State of the Art” cart and checkout user experience.
Join 22,000+ readers and get Baymard’s research articles by RSS feed or
Topics include user experience, web design, and e-commerce
Articles are always delivered ad-free and in their full length
1-click unsubscribe at any time
I experience this all the time! Particularly frustrating is that often, as soon as I see the requirements for generating a password, it becomes easy to regenerate the original password (i.e. adding a capital letter and punctuation, but not a number) and if that information had been available when I was trying to check in, I wouldn’t even have needed to reset.
I get that it could be a slight reduction in security to post that publicly on the login page, but it does seem relevant to this article!
Indeed, dealing with overly strict passwords is so frustrating! many times I give up even the sign-up phase, knowing that anyhow I will not remember that instant fabricated password. :)
Thanks for sharing the article, Luiz! I enjoyed reading it. Going now to share it with my network.
Any thoughts on low security password and two step?
Great article, this is overlooked on so many retail sites. My particular bugbear is sites that have stringent password requirements but don’t tell you until after validation.
I’m not sure lowering security is the best approach to improve UX. After all, a breached account is the worst UX imaginable for most users. So the second extra requirement, which is essetially damage control in case of a breach, doesn’t justify lowering security.
A simple 2FA (two-factor authentication) flow is a far better approach, for example sending and email, a SMS or even both to the user.
There are event sites that don’t use passwords at all and just send a login link via email. That’s still reasonably secure and dead simple (if the email is delivered quick enough)
© 2021 Baymard Institute US: +1 (415) 315-9567 EU: +45 3696 9567 firstname.lastname@example.org