Two hundred and too many accounts
A journey through a path of bad UI design and poor UX
The first time I read about a data breach at a service I was actively using, I didn’t pay too much attention. I was concerned, of course, but I didn’t have any sensitive data that would cause damage if leaked. At some point, the breached company toned down the threat saying that the leaked data contained just emails and password hashes and these couldn’t be used to steal user data but forced the users to change their passwords anyway.
Around that time, Have I Been Pwned was created.
I have been using HIBP ever since and every time I read about a data breach I went and checked to see if my email was part of the leaked accounts. More often than not it was and every time I’d go to the breached service and update my password, still not really concerned since the leaked passwords were hashed (or so they said). They couldn’t really decrypt my password, could they? Maybe not, but they didn’t need to. This happened a few more times over the years and every time the process was the same: change the password on the breached service.
One day I received an email from Spotify, informing me that my email had been updated. It was strange because I hadn’t made any changes to my account. The new email was the same as the old one, but instead of ending with .com it ended with .co. That didn’t look good, so I tried to log in to my Spotify account only to see an Invalid Login message. The app on my phone was logged out and an attempt to log in had the same result. My account was hacked. But how? No idea. Yet. I exchanged Twitter messages and emails with the Spotify support team and was able to regain control over my account quite fast (thanks, Spotify support). Once I got my account back I changed my password and life went on…
…Until the day I received another email, this time from Evernote, saying they reset my password because they detected suspicious activity on my account. I reset the password and got my account back.
At that point I was concerned. Two hacking attempts on two unrelated accounts in a short span of time was not something to let slip. That is when I realized something.
Like many people out there, I had a small set of passwords that were used across different services. Say one or two passwords that were used with some small variations — sometimes it was an added number or special symbol. Most of the time, however, the same password was used in multiple services. Now, this is a huge no-no. Don’t EVER do that.
What I believe happened was that someone was able to decrypt or guess one of my leaked passwords and, with that information, they tried to get access to my accounts on popular services. When I realized that, I saw that I was potentially in danger. That small set of passwords was shared between non-critical services like bookmark managers to highly critical services like online bank accounts and credit cards. Now, my passwords were not trivial to guess and were quite complex (or so I thought). Quick note: This service calculates a password’s entropy and helps determine if a password is complex enough.
I was fucked and I had to do something about it.
Password manager to the rescue
The obvious thing to do was to change ALL my passwords in EVERY service where I had an account. The basic requirement was that I couldn’t reuse passwords and the complexity should be high enough to be virtually impossible to crack. It would’ve been impossible to remember all the passwords in that case, so I needed something to help me with this task. After some research, I decided to use a password manager and 1Password was the winner. I will not get into details about it but there are many good reviews online.
The list of services with accounts was spread across browser-saved logins and Google Sheets, which I consolidated in one place. The first thing I noticed was that I’d never realized how many accounts I actually had. Seriously. Two hundred and too many. Many of them I probably only logged in to once and never used again.
I took a deep breath, opened the web browser and navigated to the first URL in the list.
The journey begins
What started as a simple task ended up as an exercise in patience. Changing your password should be as easy as logging in to your account, clicking settings or whatever they call it, typing the new password, retyping it, submitting, and done.
But I realized that people can overlook a very simple use case. I won’t try to guess why that is, but I will list some of the worst things I’ve found.
No indication of the expected pattern to be used
You are presented with an empty text box to type the new password. There is a label on this text box saying “New Password” but that’s it. You type your new randomly generated password with letters, numbers and special characters just to see an error message saying that a character is not supported, but it doesn’t say which character (or group of them). You start by removing special characters, then numbers, then lower case, upper case, until one time it works.
Maximum length is not shown to the user
You create a new password with a shining 64 characters, maybe a little less, and type it (paste it, actually, because there is no chance you will type 64 characters that you won’t have to remember anyway), click the confirmation button only to see the red text saying that your password shouldn’t exceed x characters. Well, at least now you know that you need to remove a few characters and try again.
But these were the (almost) good citizens. I’ve found a few more that were just bizarre. Like more than a couple that complained that the password was too long without specifics and I had to figure it out by myself, either by trial and error or by opening the page source and inspecting the text box.
At least two of them didn’t restrict the maximum length but the login form did, meaning that my new password was no longer useful and I had to use the “forgot password” option. Or the ones where the “New Password” didn’t have a maximum length (and sometimes no validation at all) but the “Re-type the new password” field had all that.
Last, one website said it allowed 20 characters for the password but failed if it had more than 19. Go figure.
Your password was updated. Nah, just kidding
I changed my password, got the message that the password was successfully updated, logged out and, when trying to log in again, got a big error message saying Invalid Login. I wish I could say it happened on one website but unfortunately it was more than that. How was I able to change my password? By using the “Forgot Password” option.
In a variation of this elaborate process, the website of a big retailer that sells stuff for home improvement did something along those lines. It allowed me to change my password and logged me out of my account afterwards. I couldn’t log in using the new password though; I had to use the old one. I tried it a bunch of times until I got to the point of using a shorter password with only numbers and letters. Once I did that, I was logged out but this time I received an email informing me of the change. What I suspect is that there was no validation in the form, or at least it didn’t work when using Firefox. Either way, this is another example of how not to do it.
No password is good enough
Everything looked perfect: there was an indication of the pattern that should be used, minimum and maximum length, and a password strength indicator. Easy, I thought, until I clicked the confirmation button. No matter what password variation I tried, every time I pressed that button I would see a message saying “Your password is too weak”. I even tried it on different browsers (Chrome, Firefox, and Safari), to no avail. The solution? Again, “Forgot your password?”
You shall not paste!
I believe this is an attempt to make sure the user remembers the password they’re typing. Perhaps it is to make sure that if the user copied the wrong version of the password they will notice it when typing in the confirmation. Some people will tell you that a good password is a password you can’t remember. Others will tell you that you need to create a password that is complex enough but easy to remember. Something like this. Whatever the case, not being able to paste the password is inconvenient, especially if your password has 64 random letters and numbers and special characters that you will never have to remember (thanks to the password manager). The auto-fill option of the password manager solved this problem most of the time, but there was this one website where I actually had to type all 32 characters of the password (reduced from 64 after confirming there was no workaround).
Change what?
Some websites didn’t even bother to provide the user an option to change the password. One went to the extreme of not even providing a Forgot Password option. Guess they didn’t want to make the same mistakes the others did and end up in some blog post that complains about how changing a password is a bad experience most of the time.
Final thoughts
As bad as the experience was, it wasn’t the majority. About 30 out of two hundred and something websites had really bad usability and/or UI when changing passwords. Still, it required more work than expected and sometimes I had to be a little creative to overcome the complexities. I am a technical person and was able to find workarounds for the issues I’ve found, but someone who doesn’t have the same background might not be able to change passwords by themselves and would depend on support — which is not always available — or just give up.
Considering that data breaches are a real thing, changing a password should be an easy task to accomplish, and that includes allowing the users to create strong passwords. Limiting the length to 10 or 12 characters is not ideal even if a 12-character password is moderately safe. Forcing a minimum length is mandatory, but leave the maximum flexible. Keep in mind that a password’s entropy is directly related to its length.
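The complaints above (no stated pattern, a hidden maximum, rejected characters that are never named, the limit that fails one character early, a confirmation field with rules of its own, and a login form stricter than the change form) come down to a few server-side checks done consistently. The following is an added example, not code from the post or from any service it mentions, in Python with constructed policy values: it states the rules up front, names exactly what it rejects, applies one rule set to the new-password field, and estimates entropy from length and character pool as the closing paragraph describes.

```python
import math
import string

# Constructed policy values for this example; they are not any real service's rules.
MIN_LENGTH = 12
MAX_LENGTH = 128  # generous and stated up front, as the closing paragraph argues
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")

def policy_description() -> str:
    """Shown beside the 'New Password' field before the user types, not after a failure."""
    return (f"{MIN_LENGTH} to {MAX_LENGTH} characters; letters, digits, spaces and "
            f"{string.punctuation} are accepted")

def entropy_bits(password: str) -> float:
    """Upper-bound entropy of a random password: length * log2(pool); it scales with length."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += len(string.punctuation) + 1
    return len(password) * math.log2(pool) if pool else 0.0

def validate_password(password: str) -> list[str]:
    """Return every problem, each one actionable; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} characters, minimum is {MIN_LENGTH}")
    if len(password) > MAX_LENGTH:  # strictly greater: a MAX_LENGTH password passes (no off-by-one)
        problems.append(f"too long: {len(password)} characters, maximum is {MAX_LENGTH}")
    rejected = sorted({c for c in password if c not in ALLOWED})
    if rejected:  # name the offending characters instead of a bare "not supported"
        problems.append("unsupported characters: " + " ".join(repr(c) for c in rejected))
    return problems

def validate_change(new_password: str, confirmation: str) -> list[str]:
    """The policy applies to the new password; the confirmation is only compared, never re-validated."""
    problems = validate_password(new_password)
    if confirmation != new_password:
        problems.append("confirmation does not match the new password")
    return problems

def login_accepts(password: str) -> bool:
    """Login reuses the same MAX_LENGTH, so a password the change form accepted is never refused here."""
    return len(password) <= MAX_LENGTH
```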
Cover picture by Ruben Mishchuk via Unsplash