When users create an account, they need to set a password. Security matters, but in our latest large-scale checkout usability study we also observed that strict password rules contribute to an 18.75% checkout abandonment rate among existing account users as they try to sign in.
Overly strict password rules can therefore be a key roadblock to checkout completion, particularly for sites with a large account user base.
In fact, when we tested existing account users at Amazon and ASOS during our large-scale checkout usability study, we observed that 18.75% of all account users abandoned as they first couldn’t remember their password, and then experienced issues with the “password reset” email.
In this article we’ll therefore cover our research findings on password requirements and password reset implications from our Checkout Usability study, including:
- How real web users create passwords at e-commerce sites,
- The impact of e-commerce sites setting overly strict password requirements,
- Balancing actual security vs. conversion rates in an e-commerce context, and
- A common pitfall that will cause a 100% abandonment rate among all users that experience “password reset” issues.
How Real Web Users Create Passwords at E-Commerce Sites
During testing, many users specifically mentioned using one password for several e-commerce sites, even while acknowledging that doing so might make their online activity less secure. Users frequently distinguished between the security needed for an e-commerce account and for higher-priority accounts like PayPal, their email, or bank accounts.
Below we’ve included just a small collection of quotes from our usability test sessions that illustrate how “normal” web users think about security and how they construct passwords:
- “I have multiple passwords. It depends on, well, those sites that I don’t think are important but just require a password, there I use the same. But things like PayPal and bank, that is, everything where you can go in and buy stuff directly with my credit card which is stored, and stuff like that – they get their own unique password.”
- “I have 4 different passwords that I categorize by how important it is. You can say that everything that is related to payment, that is in category 1 or 2. It’s sensitive information that I’d prefer that nobody has access to. But yet, I reuse them at many different sites. But it’s a habit and a way to simplify it.”
- “Here I’d probably use my standard password that I use for most sites.”
- “At Amazon it’s actually my standard password, I know because I’ve just signed in.. That’s actually something that I need to consider.. But PayPal, bank and so on, that would be.. depending on how important it is and how personal it is, the passwords get more advanced, but it’s the same I use. I can easily have the same password on 4-5-6 places.”
- “On Amazon I need a password I can remember because I have to go there again. I don’t know if I’m going to need that on ASOS. Now I came up with one I can remember here. But then I can see that it is invalid because there aren’t any numbers in it. Well then.. erhmm.. then we have to come up with something.. Okay, so I’ll just add ‘18’..”
So while users are aware of the security implications of reusing passwords, many do so in practice, simply to have a password they can actually remember. Most users also approach different sites with different security needs, assigning each a sort of internal “security rating” based on the sensitivity of the information it stores. Lastly, users’ standard passwords are sometimes rejected by a site that requires numbers, more characters, or capital letters, forcing them to come up with a new password variation “on the fly.”
Once a user has created an account, it is in the site’s interest both to secure their personal information and to make signing in to that account easy.
The Impact of Overly Strict Password Requirements
There are two observed downsides of password requirements that are so strict that they prohibit users’ commonly used passwords:
- Users get frustrated with the password creation process itself. While this is frequently observed, we rarely see it causing abandonments, so long as the password requirements are communicated clearly upfront.
- When users are forced away from their “standard” passwords, they are later very likely to have trouble remembering the new one and hence frequently run into sign-in issues on subsequent visits. This is the true cost of imposing stricter password requirements.
When measuring the impact of password requirements, the account creation completion rate is not the most important metric; the sign-in failure rate and the password-reset rate on subsequent visits are. The convenience of an existing account with a saved address and possibly saved payment information is completely dwarfed by the downsides of the commonly observed flow:
- The user first tries out multiple different passwords, typically starting with lower-level options from their “hierarchy of passwords” and working their way up
- If the user has multiple emails, they will then try out multiple password / email combinations
- The user finally gives up and instead initiates a password reset
- They open their email client in a new tab or application
- Then wait for the password reset email to be sent from the site’s outgoing email server and thereafter be processed by their own incoming mail server
- From this email they follow a link to set a new password
- The user resets their password (which often can’t be the previously used password)
- And only then can they return to initiating the checkout
Clearly what should have been an improved checkout experience – with fewer hassles due to the existing account – turns into a more frustrating flow than a regular “guest checkout” for users that cannot remember their password.
In particular, the password reset email is the weakest link in the chain. During testing we frequently observed that password reset emails were delayed by several minutes (sending and receiving combined), caught in spam filters, or that users had trouble signing in to their email account in the first place. Any issue with the password reset process effectively locks the user out of their account, at which point checkout abandonment is very likely.
Across all the tested users who tried signing in to their existing private accounts at sites like Amazon and ASOS, we observed an 18.75% checkout abandonment rate among account users, all caused by a forgotten password followed by “password reset email” issues. Two findings stand out:
- A large proportion of users have standard passwords they use across sites in order to be able to remember them, and
- Forgotten passwords, and the subsequent password reset process (where fast email delivery and reception 100% of the time is almost impossible), can cause double-digit abandonment rates among existing account users.
We therefore generally recommend that sites impose the fewest password requirements defensible given the information users store with the site. Sites that want to minimize sign-in and password-reset friction as far as possible can allow passwords as short as 6 lowercase letters, but only if two other security measures are in place so that site and user security is not jeopardized.
Actual Security vs E-Commerce Conversion Rates
There are obviously significant downsides to loosening password rules, especially for sites that store sensitive payment data. But our research suggests that for e-commerce sites there is a middle way that balances security and checkout usability.
To justify simpler passwords of lower security – without sacrificing overall site security significantly – there are 2 security measures that need to be implemented:
- Strong passwords matter most where an attacker gets unlimited guesses, such as an encrypted device or a stolen password database. A website controls its own sign-in form, so it can throttle guessing there: after a number of failed attempts for an account or from one source address, it can add delays, a CAPTCHA, or a short temporary lock. That takes online brute-force attacks off the table, and with them the need for highly complex passwords. Two caveats a practitioner should keep in mind: throttling does nothing if the site’s own password database leaks, so passwords must still be stored with a slow, salted hash; and it does not stop an attacker who already knows a password the user reused on another site, which is precisely the behaviour described above. The second measure exists to limit the damage in that case.
- At e-commerce sites, the consequences of an account takeover can be greatly reduced by not letting account users pay with a stored credit card when the order ships to a newly added or edited address (i.e. an address a hijacker could have entered) unless they first re-type some of their card details. If a stored card cannot send goods to a new address, taking over the account gains the attacker much less, and the breach is correspondingly less severe.
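The attempt-throttling measure above can be made concrete. The following is an added example written for this article’s recommendation, not code from the study or from any of the sites tested; the limits (10 failures per account or 20 per source IP within 15 minutes, followed by a 15-minute temporary lock), the PBKDF2 round count and the sample user store are assumptions chosen for illustration:

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example, not figures from the article:
# a temporary lock after 10 failures per account or 20 per source IP inside a
# 15-minute window. Everything is keyed by both account and IP, since guesses can be
# spread across many accounts from one address or across many addresses at one account.
WINDOW_SECONDS = 15 * 60
ACCOUNT_LIMIT = 10
IP_LIMIT = 20
LOCK_SECONDS = 15 * 60
PBKDF2_ROUNDS = 60_000  # throttling does not protect a leaked database; the slow hash does


class SignInThrottle:
    """Sliding-window counter of failed sign-ins, keyed by account and by source IP.

    The lock is deliberately temporary: an attacker who burns the limit on purpose can
    delay a legitimate user for LOCK_SECONDS, but cannot lock them out for good.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                    # injectable for testing
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.locked_until = {}                # key -> unix time the lock expires

    def _recent(self, key, now):
        q = self.failures[key]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()                       # drop failures outside the window
        return q

    def is_blocked(self, account, ip):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in (("acct", account), ("ip", ip)))

    def record_failure(self, account, ip):
        now = self.clock()
        for key, limit in ((("acct", account), ACCOUNT_LIMIT), (("ip", ip), IP_LIMIT)):
            q = self._recent(key, now)
            q.append(now)
            if len(q) >= limit:
                self.locked_until[key] = now + LOCK_SECONDS
                q.clear()

    def record_success(self, account):
        self.failures.pop(("acct", account), None)
        self.locked_until.pop(("acct", account), None)


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


DUMMY_RECORD = hash_password("unused")  # hashed for unknown accounts so timing is uniform


def sign_in(throttle, users, account, password, ip):
    """Return 'throttled', 'bad_credentials' or 'ok'.

    While locked, the password is not checked at all, so a lock never confirms a guess.
    Unknown accounts and wrong passwords get the same answer and the same hashing cost,
    so the form does not reveal which email addresses have an account.
    """
    if throttle.is_blocked(account, ip):
        return "throttled"
    salt, expected = users.get(account, DUMMY_RECORD)
    _, actual = hash_password(password, salt)
    if account not in users or not hmac.compare_digest(expected, actual):
        throttle.record_failure(account, ip)
        return "bad_credentials"
    throttle.record_success(account)
    return "ok"


# Constructed sample user store: one account whose password is six lowercase letters.
USERS = {"ann@example.com": hash_password("orange")}
```

The lock is temporary on purpose: a permanent lock after N failures would let anyone who knows a customer’s email address lock that customer out of checkout, which is the very failure mode the article is trying to avoid. Counting failures per account and per source address together catches both a focused attack on one account and a spread of guesses across many accounts from one address.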
Those two measures together are the precondition for lowering password creation requirements at e-commerce sites. While from a checkout usability (and thus ultimately conversion rate) perspective we don’t recommend imposing requirements stricter than 6 lowercase characters, sites should still nudge users toward safer passwords, for example by suggesting an 8-character password while still allowing users to proceed with 6.
Note that at the other end of the scale, we also observe a sub-group of users who are very security conscious and prefer long passwords (12+ characters) or password generator software. To cater to this often tech-savvy group as well, sites should never restrict the strength or length of a password: always allow 20+ character passwords, digits, symbols, etc. (A generous upper bound of a few hundred characters, there only to keep password hashing cost bounded, is fine; caps in the 10-20 character range are not.)
Pitfall: Always Allow Users with an Account to Perform a ‘Guest Checkout’
Lastly, to avoid password reset issues from effectively locking users out from completing their purchase, it’s vital that account users are always allowed to perform a guest checkout, even if their email is already tied to an existing account. The guest order must simply not be linked to the account, and must not expose any of the account’s saved addresses or payment details, since at that point the customer has proven nothing beyond knowing the email address.
If users cannot perform a “guest checkout” with an email that is already tied to an account, the site in practice forces every such user to abandon their purchase if there is even a slight delay or problem with the password reset email. This is critical because email delivery is out of the site’s control. Even if the site’s email system has 100% uptime all year and sends every email within 5 seconds, account users can still be locked out from purchasing if their own email client or server is slow, or is blocking or holding back the email for some reason.
The user’s ability to place orders is effectively made entirely dependent on something as unreliable as speedy email delivery (and furthermore assumes that all users even have immediate access to their email).
Note that sites that do not even have a guest checkout option (which is still 14% of e-commerce sites) by definition also suffer from this issue of forcing users to abandon their order in case of email delivery issues or delays. (Yet another reason why sites should always have a “guest checkout” option.)
E-Commerce Password Requirements and Reset
Due to the combination of a large proportion of users having 2-5 standard passwords they reuse across e-commerce sites (to be able to remember them), and because the password reset flow for forgotten passwords was observed to cause an 18.75% abandonment rate among account users, we recommend the following for e-commerce sites:
- Suggest users create strong passwords, but don’t impose actual password requirements beyond “6 letters” as a minimum
- Use 2 security measures to lessen the need for technically strong passwords: A) Impose temporary “roadblocks” (delays, a CAPTCHA, or a short lock) after 10-20 consecutive failed sign-in attempts within a set timeframe, counted per account and per source address, rather than a permanent lock that would let an attacker lock legitimate users out; and B) Force account users to re-type stored credit card details if they want to use a new shipping address or change an existing one
- Allow long 20+ character passwords for security-concerned users
- Always allow users to do a guest checkout with an email address tied to an existing account
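The stored-card rule (measure B above, explained in the “Actual Security vs E-Commerce Conversion Rates” section) is mostly bookkeeping: which addresses has this card already shipped to, and has the address changed since? The following is an added example of that bookkeeping, not code from the article or from any payment provider; the data model, the 'approved'/'reenter_card' results, the sample account and the use of a hash of the card number as a stand-in for a provider token are assumptions made for illustration (a real shop would hold only the provider’s token and have the provider verify the re-typed number):

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def fingerprint(pan: str) -> bytes:
    """Stand-in for a payment-provider token (assumption); the site never stores the PAN."""
    return hashlib.sha256(pan.replace(" ", "").encode()).digest()


@dataclass
class Address:
    address_id: str
    lines: str
    version: int = 1          # bumped on every edit, so an edited address counts as new


@dataclass
class StoredCard:
    card_id: str
    pan_fingerprint: bytes
    # (address_id, version) pairs this card has paid to after the full number was typed in
    verified_addresses: set = field(default_factory=set)


@dataclass
class Account:
    addresses: dict = field(default_factory=dict)
    cards: dict = field(default_factory=dict)

    def add_address(self, address_id, lines):
        self.addresses[address_id] = Address(address_id, lines)

    def edit_address(self, address_id, lines):
        addr = self.addresses[address_id]
        addr.lines = lines
        addr.version += 1     # invalidates every card's verification for this address


def authorize_order(account, card_id, address_id, reentered_pan=None):
    """Decide whether a stored card may pay for an order shipped to address_id.

    Returns 'approved' or 'reenter_card'. A stored card may only ship to an address it
    has already shipped to (same version) unless the customer re-types the card number,
    so someone who merely hijacked the account cannot redirect goods to their own address.
    """
    card = account.cards[card_id]
    addr = account.addresses[address_id]
    key = (addr.address_id, addr.version)
    if key in card.verified_addresses:
        return "approved"
    if reentered_pan is None:
        return "reenter_card"
    if not hmac.compare_digest(fingerprint(reentered_pan), card.pan_fingerprint):
        return "reenter_card"   # wrong number: treated exactly like no re-entry at all
    card.verified_addresses.add(key)
    return "approved"


def build_sample_account():
    """Constructed sample data: one stored card that has shipped to the home address before."""
    acct = Account()
    acct.add_address("home", "1 Main St")
    card = StoredCard("visa-4242", fingerprint("4242 4242 4242 4242"))
    card.verified_addresses.add(("home", 1))
    acct.cards[card.card_id] = card
    return acct
```

Editing an address bumps its version, so a previously verified address becomes unverified again and an attacker gains nothing by editing an existing address instead of adding one. Re-entry attempts should be throttled just like sign-in attempts; otherwise the check becomes an oracle for guessing card numbers.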