For Returning Users, Overly Strict Password Requirements Can Lead to an 18% Abandonment Rate

When users create an account, they need to set a password. While security is important, during our latest large-scale checkout usability study we also observe that strict password rules can cause an 18.75% checkout abandonment rate among existing account users as they try to sign in.

Hence, overly strict password rules can be a key roadblock to the checkout completion rate, particularly for sites with a large account user base.

“Normally I have some passwords that I use. [..] I think it’s difficult to remember passwords, it’s quite a lot of them you have to remember. That is a pain.[..] And there’s different requirements, and that’s why you can’t remember the passwords,” a test subject lamented when ASOS’s password requirements wouldn’t allow him to use his typical e-commerce password, continuing: “Now I’m here wanting this t-shirt and have to come up with something right here on the spot, so it’s not going to be very well thought through. So I really love that button called ‘I’ve forgot my password’.”

In fact, when we tested existing account users at Amazon and ASOS during our large-scale checkout usability study, we observed that 18.75% of all account users abandoned as they first couldn’t remember their password, and then experienced issues with the “password reset” email.

In this article we’ll therefore cover our research findings on password requirements and password reset implications from our Checkout Usability study, including:

  • How real web users create passwords at e-commerce sites,
  • The impact of e-commerce sites setting overly strict password requirements,
  • Balancing actual security vs. conversion rates in an e-commerce context, and
  • A common pitfall that will cause a 100% abandonment rate among all users that experience “password reset” issues.

How Real Web Users Create Passwords at E-Commerce Sites

During testing, many users specifically mentioned using one password for several e-commerce sites, even while acknowledging that they might be making their online activity less secure by doing so. Users frequently made a distinction between the needed security for an e-commerce account and other more high-priority accounts like PayPal, their email, or bank accounts.

Users often want to reuse a standard password for e-commerce sites they deem to be of “medium” importance, as illustrated by this statement from a test subject: “I’d type one of my passwords. I have multiple. It depends on how important it is. At a site like Wayfair, it’s just a simple code, because it isn’t PayPal or my email account, or stuff like that.”

Below we’ve included just a small collection of quotes from our usability test sessions that illustrate how “normal” web users think about security and how they construct passwords:

  • “I have multiple passwords. It depends on, well, those sites that I don’t think are important but just require a password, there I use the same. But things like PayPal and bank, that is, everything where you can go in and buy stuff directly with my credit card which is stored, and stuff like that – they get their own unique password.”
  • “I have 4 different passwords that I categorize by how important it is. You can say that everything that is related to payment, that is in category 1 or 2. It’s sensitive information that I’d prefer that nobody has access to. But yet, I reuse them at many different sites. But it’s a habit and a way to simplify it.”
  • “Here I’d probably use my standard password that I use for most sites.”
  • “At Amazon it’s actually my standard password, I know because I’ve just signed in.. That’s actually something that I need to consider.. But PayPal, bank and so on, that would be.. depending on how important it is and how personal it is, the passwords get more advanced, but it’s the same I use. I can easily have the same password on 4-5-6 places.”
  • “On Amazon I need a password I can remember because I have to go there again. I don’t know if I going to need that on ASOS. Now I came up with one I can remember here. But then I can see that it is invalid because there aren’t any numbers in it. Well then.. erhmm.. then we have to come up with something.. Okay, so I’ll just add ‘18’..”

So while users are aware of the security implications of reusing their password, many do so in practice – simply to have a password they can actually remember. Also, most users approach different sites with different security needs, affording them a sort of internal “security rating” based on the sensitivity of the information they store. Lastly, users’ standard passwords are sometimes invalidated by a site due to a requirement for including numbers, more characters, or capital letters – users will have to come up with a new password variation “on the fly.”

Once a user creates an account, it is in a site’s interest to both secure their personal information, while also making it easy for users to log in to their account easily.

The Impact of Overly Strict Password Requirements

There are two observed downsides of password requirements that are so strict that they prohibit users’ commonly used passwords:

  1. Users get frustrated with the password creation process itself. While this is frequently observed, we rarely see it causing abandonments, so long as the password requirements are communicated clearly upfront.
  2. When users are forced out of using their “standard” passwords, they later on are very prone to have difficulties remembering it, and, hence, very frequently experience sign in issues on subsequent visits. This is the true cost of imposing more strict password requirements.

The true costs of strict password requirements are very frequent sign in issues on subsequent visits – during testing users relied extensively on the password reset feature, as seen here at Overstock. What should have been a speedy checkout for existing account users often ended up taking longer than a guest checkout would have.

When trying to measure the impact of password requirements, it’s not the account creation completion rate that’s most important to measure, but rather both the sign-in failure rate and the password-reset rate on subsequent site visits. The convenience of having an existing account with a saved address and potentially saved payment information are completely dwarfed by the downsides of the commonly observed flow of:

  1. The user first tries out multiple different passwords, typically starting with lower-level options from their “hierarchy of passwords” and working their way up
  2. If the user has multiple emails, they will then try out multiple password / email combinations
  3. The user finally gives up and instead initiates a password reset
  4. They open their email client in a new tab or application
  5. Then wait for the password reset email to be sent from the site’s outgoing email server and thereafter be processed by their own incoming mail server
  6. From this email they follow a link to set a new password
  7. The user resets their password (which often can’t be the previously used password)
  8. And only then can they return to initiating the checkout

Clearly what should have been an improved checkout experience – with fewer hassles due to the existing account – turns into a more frustrating flow than a regular “guest checkout” for users that cannot remember their password.

The password reset email is the weakest link. Here a patient but frustrated test subject explains after 6 minutes of waiting, and going back and forth to check the email address multiple times, “Uhmm, well. This is frustrating. Really, I’d have to consider if I should buy this, I think I’d consider if there were another place where it should buy it, and then go there. This is super frustrating.”

In particular the password reset-email is the weakest link in the chain. During testing, we frequently observed that password reset emails were several minutes delayed (sending and receiving combined), caught in spam filters, or that the users had issues with signing in to their email account in the first place. Any issue with the password reset process will technically lock the user out of their account, at which point checkout abandonments are very likely.

.. we observed an 18.75% abandonment rate among all account users, all due to “reset email” issues ..

Across all the tested users that tried signing in to their existing private accounts at sites like Amazon and ASOS, we observed an 18.75% checkout abandonment rate among account users, all caused by a forgotten password, followed by “password reset email” issues.

By setting few password requirements – such as only 6 characters, as seen here at Etsy – all users are allowed to set passwords they can remember, which leads to vastly fewer sign-in issues, password reset requests, reset email issues, and ultimately drastically fewer checkout abandonments.

Considering that:

  1. A large proportion of users have standard passwords they use across sites in order to be able to remember them, and
  2. Forgotten passwords, and the subsequent password reset process (where fast email delivery and reception 100% of the time is almost impossible), can cause double-digit abandonment rates among existing account users.

We therefore generally recommend that sites impose the least amount of password requirements allowable, given the information that users store with the site. If sites want to minimize account sign-in and password-reset friction as much as possible, we recommend allowing as little as 6 lowercase letters only – however to do so there are two other security requirements that have to be in place so as not to jeopardize site and user security.

Actual Security vs E-Commerce Conversions Rates

There are obviously significant downsides to loosening security, especially for sites that store sensitive payment data. But we’ve in our research found that for e-commerce sites there’s a middle way that allows us to balance security and checkout usability.

Having few password requirements, like Gilt’s “at least 5 characters” drastically reduces the checkout abandonment rate for account users (as they can set memorable passwords). However, lowering password requirements should only be done if 2 other security measures are in place.

To justify simpler passwords of lower security – without sacrificing overall site security significantly – there are 2 security measures that need to be implemented:

  1. While strong passwords can be particularly important for devices and applications where hackers have unlimited attempts, websites can implement security measures against such attacks by imposing password attempt obstacles and limitations. This removes the potential for brute-force attacks and hence the need for highly complex passwords.
  2. At e-commerce sites we can greatly minimize the consequences of an account breach by not allowing account users to pay with a stored credit card if sending the order to a newly added or edited address (i.e. an address added by a hacker) – without first retyping some of their credit card details. Without the ability to send items to new addresses using a stored credit card, the hacker’s breach of the user’s account becomes less of a security concern, as the severity of the breach is greatly reduced.

When testing Walmart, and the account users edited or added a new shipping address, they were also asked to re-enter their credit card security code, before being able to use the credit card stored on the account. This important security measure greatly reduces the consequences of an account breach, and can justify lowered password requirements.

Those two above security measures combined are central requirements when wanting to lower the password creation requirements at e-commerce sites. While we from a checkout usability (and thus ultimately conversion rate) perspective don’t recommend imposing stricter password requirements than 6 lowercase characters, we recommend that sites still try to nudge their users into safer passwords. For example suggesting an 8-character password, while still allowing users to proceed with a 6-character password.

Note that at the other end of the scale, we also observe a sub-group of users who are very security conscious and who will prefer to use long passwords (12+ characters) or password generator software. To cater to this often tech-savvy group as well, sites should never limit the security or length of a password (i.e. sites should always allow 20+ character passwords, digits, symbols, etc).

Pitfall: Always Allow Users with an Account to Perform a ‘Guest Checkout’

Lastly, to avoid password reset issues from technically locking users out from completing their purchase, it’s vital that account users are always allowed to perform a guest checkout, even if their email is already tied to an existing account.

When sites deny users the ability to perform a guest checkout with an email which is already registered for an account (as seen here at Urban Outfitters), any kind of delay or issues with the password reset process or email is guaranteed to cause practically all users to abandon the site, as they are locked out from purchasing using their email.

The user’s ability to place orders is effectively made entirely dependent on something as unreliable as speedy email delivery.

“That’s my old email address. It’s more than a year since I stopped working there, but out of pure laziness I haven’t changed it. It’s auto-filled in my browser, so it’s been a very long time since I typed it,” a test subject says at Amazon. Not allowing users to perform a guest checkout for an email where an account already exists will lead to 100% abandonment for those users who don’t have immediate access to their email.

If users cannot perform a “guest checkout” with an email that is already tied to an account, then the site in practice forces all users to abandon their purchase if there’s just the slightest delay or issue with the password reset email. This is critical as email delivery is out of the site’s control. Even if the site’s email delivery system has 100% uptime all year and sends out all emails within 5 seconds, account users can still effectively be locked out from purchasing if their email client/server is slow or for some reason blocking or holding back the email.

The user’s ability to place orders is effectively made entirely dependent on something as unreliable as speedy email delivery (and furthermore assumes that all users even have immediate access to their email).

Note that sites that do not even have a guest checkout option (which is still 14% of e-commerce sites) by definition also suffer from this issue of forcing users to abandon their order in case of email delivery issues or delays. (Yet another reason why sites should always have a “guest checkout” option.)

E-Commerce Password Requirements and Reset

Due to the combination of a large proportion of users often having 2-5 standard passwords they reuse across e-commerce sites (to be able to remember them), and because the password reset flow for forgotten passwords is observed to cause as much as an 18% abandonment rate for all account users, we recommend the following for e-commerce sites:

  1. Suggest users create strong passwords, but don’t impose actual password requirements beyond “6 letters” as a minimum
  2. Use 2 security measures to lessen the need for technically strong passwords: A) Impose “roadblocks” after 10-20 subsequent sign-in attempts (within a certain timeframe), and B) Force account-users to re-type any stored credit card information if they want to use a new shipping address or change an existing one
  3. Allow long 20+ character passwords for security-concerned users
  4. Always allow users to do a guest checkout with an email address tied to an existing account

This article presents the research findings from just 1 of the 600+ UX guidelines in Baymard Premium – get full access to learn how to create a “State of the Art” e-commerce user experience.

Authored by Christian Holst on October 18, 2016

If you have any comments on this article you can leave them on LinkedIn

Disclaimer: The above research observations apply to an e-commerce website context. The security impact and the implications of strict password rules may vary substantially for other use cases. Furthermore, even in an e-commerce context, different sites will have varying security needs and tolerances. It’s ultimately your judgement call to determine what the minimum security requirements should be for your particular site.

What we do wish to underscore with this article are the serious checkout usability (and thus conversion rate) consequences strict password requirements can have, and point out that there are additional ways to improve user and site security than long and complicated passwords, and that many of these additional ways are free of those negative usability implications.

Finally, if you do want to impose stricter password requirements, in terms of brute-force attacks, requiring longer passwords will. Our qualitative research observations also support this, showing that users have a much more difficult time remembering their passwords when a site imposes requirements such as numbers or capital-and-lowercase-letter combinations.

User Experience Research, Delivered Twice a Month

Join 37,000+ UX professionals and get a new UX article every second week.

A screenshot of the UX article newsletter