Tips for designing the password login experience

A guide to designing effective authentication and password-creation experiences, and to avoiding the common pitfalls.

The average person has somewhere in the region of 27 discrete online logins, so it’s no wonder we’re tempted to reuse the same password for all of them.

The design of authentication experiences should help users break this habit, and so improve the security of their online data: a password reused across sites only needs to leak from one of them.

Authentication is the entry point for many products and services, and getting it wrong is a serious barrier to use. Supporting users through password creation improves security and limits errors further down the line. Here’s my guide to designing effective authentication experiences and avoiding the common pitfalls.

Provide guidance upfront on the requirements for a suitable password

When creating a password there’s nothing more frustrating than repeatedly finding that your password doesn’t meet the necessary criteria, when you don’t even know what those criteria are.

GoDaddy supports its customers well by listing the requirements for a suitable password as they type; as each requirement is met it disappears from the list. Skype, on the other hand, offers password guidance but only shows it after the password has been entered, which is likely to result in higher error rates.

Provide two entry fields to type and then confirm the password

Being asked to enter a password twice is now fairly commonplace, but don’t underestimate its importance. It not only ensures your customer has typed their password correctly (a typo in a masked field otherwise goes unnoticed until the first failed sign-in) but also aids retention.

Apple pairs this with an outline of the rules for password creation. Alternatively, a ‘show password’ toggle can be implemented, as seen on eBay. Keep the field masked by default and let the user choose to reveal it, since an unmasked field offers less protection for those in public spaces.

Go beyond basic error messaging

Error messages help customers create stronger passwords, but going beyond the basics makes the authentication process smoother. Don’t just say ‘weak’; explain why, e.g. ‘no numbers’, so the customer can fix it.

Sony, for example, explains clearly why the entered password is unsuitable, whereas Twitter displays an error message that gives no help in resolving the error or in understanding what makes a password strong.

Challenge common password patterns

Highlight common or easily guessed choices, e.g. a date of birth or a first pet’s name, check the candidate against a list of passwords that have appeared in known breaches, and allow phrases rather than single words (passphrases are harder for attackers to guess, yet it’s suggested they are in fact easier for us to remember). Don’t prompt customers to change their password on a fixed schedule such as every 2-3 months: forced periodic rotation pushes people toward predictable variations of the old password and is no longer recommended (NIST SP 800-63B). Require a change only when there is evidence that the password has been compromised.

Dropbox and Google both offer friendly suggestions for creating passwords that may be harder to guess.
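The upfront checklist, the explain-why error messages and the common-pattern checks from the three sections above, as one added example. This is not code from GoDaddy, Sony, Dropbox, Google or the original article; the policy values (minimum length, passphrase threshold), the small breached-password list and the profile fields it checks against are all assumptions. `evaluatePassword()` returns only the unmet requirements, each with a concrete reason, so a form can show the full list before typing starts, shrink it as items are met, and say ‘no numbers’ rather than ‘weak’.

```javascript
// Added example (not from the original article or any product named in it).
// evaluatePassword() turns a candidate password into a requirements checklist
// with a specific reason for every unmet item. Run it client-side for live
// feedback AND server-side for enforcement; a browser check alone is advisory.
// Policy values and the breach list below are assumptions.

const MIN_LENGTH = 8;          // assumption: floor for any password
const PASSPHRASE_LENGTH = 16;  // assumption: at this length the digit rule is waived

// Constructed stand-in for a real breached-password list (e.g. the
// Have I Been Pwned range API); entries are stored lower-cased.
const COMMON_PASSWORDS = new Set([
  'password', 'password1', '123456', '12345678', 'qwerty',
  'letmein', 'iloveyou', 'welcome', 'admin', 'football',
]);

// "Password123!" should be recognised as "password": lower-case and drop
// trailing digits/symbols, unless that would leave nothing (e.g. "123456").
function stem(password) {
  const lower = password.toLowerCase();
  const stripped = lower.replace(/[^a-z]+$/, '');
  return stripped.length ? stripped : lower;
}

// Tokens a user is likely to embed from their own profile: name parts, the
// local part of the email, and date-of-birth fragments (YYYY, DDMM, MMDD, ...).
function personalTokens(profile) {
  const tokens = [];
  if (profile.name) tokens.push(...profile.name.toLowerCase().split(/\s+/));
  if (profile.email) tokens.push(profile.email.toLowerCase().split('@')[0]);
  if (profile.dateOfBirth) {            // expected as 'YYYY-MM-DD' (assumption)
    const [y, m, d] = profile.dateOfBirth.split('-');
    tokens.push(y, m + d, d + m, y + m + d, d + m + y);
  }
  return tokens.filter((t) => t.length >= 3); // ignore fragments too short to matter
}

function evaluatePassword(password, profile = {}) {
  const lower = password.toLowerCase();
  const isPassphrase = password.length >= PASSPHRASE_LENGTH;
  const common = [lower, stem(password)].find((p) => COMMON_PASSWORDS.has(p));
  const personal = personalTokens(profile).find((t) => lower.includes(t));

  const checks = [
    { id: 'length',
      label: `at least ${MIN_LENGTH} characters`,
      met: password.length >= MIN_LENGTH,
      reason: `only ${password.length} characters` },
    { id: 'digit',
      label: `contains a number (not needed for passphrases of ${PASSPHRASE_LENGTH}+ characters)`,
      met: isPassphrase || /\d/.test(password),
      reason: 'no numbers' },
    { id: 'not-common',
      label: 'not a commonly used or previously leaked password',
      met: common === undefined,
      reason: `"${common}" appears in breach lists` },
    { id: 'not-personal',
      label: 'does not contain your name, email or date of birth',
      met: personal === undefined,
      reason: `contains "${personal}" from your profile` },
  ];

  return {
    acceptable: checks.every((c) => c.met),
    // Only unmet items are returned, so the on-screen list shrinks as the
    // user types; each carries the reason to display instead of "weak".
    unmet: checks
      .filter((c) => !c.met)
      .map(({ id, label, reason }) => ({ id, label, reason })),
  };
}
```

Rendering the full `checks` array (met and unmet) before the user types gives the GoDaddy-style upfront list; showing `unmet[i].reason` on blur gives the Sony-style explanation. The passphrase waiver is why ‘correct horse battery staple’ passes without a digit while ‘Password123!’ fails on the breach-list check despite ticking every character-class box.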

Keeping up with customer expectations

There are a number of ways of verifying that we are who we say we are beyond a basic password. Some methods suit certain scenarios better than others and some require more investment, but the benefits of these ‘new’ methods, such as convenience and increased security, are well worth considering if you are to keep up with evolving user expectations. Examples include:

Social sign in

For many products and services, signing in via a social account is a convenient way to authenticate users. It only works where users are happy to link to social media, as doing so comes with its own privacy concerns, and it concentrates risk: whoever controls the social account controls every service signed into with it.

Secure links

‘Magic links’ are links sent to your email containing a unique code or URL, which removes the need to remember a password. Slack sends a ‘magic link’ to your email, allowing access without typing a long (or even forgotten) password. Security then rests on the email account and on the link itself, so the link should be unguessable, short-lived and usable only once.

Connected devices

This method is proximity based: a pre-established connection such as Bluetooth, or a code scanned with a phone that is already signed in, lets one device authenticate another. WhatsApp Web users, for example, scan a code shown on the desktop with the WhatsApp app on their phone; the app recognises the user, authenticates them and signs them in on the desktop.

Biometrics

We are becoming the password: our eyes, our fingerprints, our voice are all unique characteristics that authenticate our entry into the digital world. This method removes the need to remember passwords. Consider too the security trade-off: biometric data is hard (although not impossible) to steal, but unlike a password it cannot be changed once it has been, which is why most implementations use the biometric to unlock a credential held on the device rather than sending the biometric itself to the service.

Each authentication method has its pros and cons. The most appropriate method depends on its application and on the data or services it gives access to. Whilst the humble password feels familiar, it is clear that exposure to new technology is changing customers’ considerations and expectations around security.

Regardless of the method you choose, the sign-in or registration process should be as frictionless as possible, and your customers should feel supported and in control of the process at all times.
