Retype password field error rates

5 Nov 2010 - 3:48pm
cnordling
2010

If I have a 'password' field and a 'retype password' field, how many users will type in mismatching passwords?

Does anyone know a typical error rate?

I need to know this so I can reliably determine how many users got other errors in the password fields due to password rules (not long enough, old password, etc.)

Thanks!
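One way to get the split asked about above without estimating a typo rate is to record a reason code for every rejected submission. This is an added example, not part of the original post; the reason-code names, `MIN_LENGTH`, the salt handling and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

MIN_LENGTH = 8  # assumed rule; the thread does not state a minimum length


def _digest(password: str, salt: bytes) -> bytes:
    # Slow salted hash, so previous passwords are never stored in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def failure_reasons(password, retype, salt, old_digests):
    """Return every reason a submission fails (an empty list means accepted)."""
    reasons = []
    if password != retype:
        reasons.append("mismatch")
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    candidate = _digest(password, salt)
    # Constant-time comparison against the stored digests of old passwords.
    if any(hmac.compare_digest(candidate, old) for old in old_digests):
        reasons.append("old_password")
    return reasons


def tally(submissions, salt, old_digests):
    """Count reason codes only; the passwords themselves are never logged."""
    counts = Counter()
    for password, retype in submissions:
        reasons = failure_reasons(password, retype, salt, old_digests)
        counts["submissions"] += 1
        counts["rejected" if reasons else "accepted"] += 1
        counts.update(reasons)  # one submission can fail for several reasons
    return counts


# Constructed sample data, for illustration only.
SALT = b"constructed-salt"
OLD = [_digest("winter2009!", SALT)]
SAMPLE = [
    ("correct horse 9", "correct horse 9"),  # accepted
    ("correct horse 9", "correct hosre 9"),  # retype typo only
    ("abc", "abc"),                          # rule failure only
    ("abc", "abd"),                          # typo and rule failure together
    ("winter2009!", "winter2009!"),          # reused old password
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE, SALT, OLD)))
```

Because every rule is evaluated even when the two fields differ, rule failures are counted directly rather than inferred by subtracting an assumed mismatch rate.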

Comments

6 Nov 2010 - 8:05am
James Page
2008

It depends! On who your users are and the context that they are using the app.

A good typist will make an error about 1% of the time per keystroke. For nonsense words, which may be more applicable for password entry, this can be as high as 8%. If the user is under stress, error rates can be higher than 10%. So you need to look at how long the password is.

Then we have to think about users remembering the password. That will be site dependent, as users will use a harder password if the site is storing more secure data.

All the best

James
http://blog.webnographer.com





7 Nov 2010 - 7:53pm
Dana Chisnell
2008

I have 2 questions:

1. James, where are you getting these numbers for typing mistakes?

2. @cnordling, Why is there a password in the first place? As Luke Wroblewski pleads with us to remember, creating a username and password is actually the first experience someone has with your site. Does the site *need* a password from users? Think about why that might be. There actually are not a lot of good reasons to have passwords on most web sites. You can see Luke's talk about killing sign-up forms - though remotely related to this issue - here: http://www.lukew.com/presos/preso.asp?25

Some facts about passwords:

  - 90% of users of any system either write down passwords or have some other way of storing them.

  - There are really only about 20 passwords in use. (And most are easy to guess.)

  - People use the same passwords for nearly everything. They don't change them unless they're forced to. When they're forced to, support costs go up.

  - People write down passwords because on average, they have 15 to 25 to manage *on a daily basis*. Some people have many, many more to manage just as a part of their jobs. The point here is that it does no good to consider just the password for *your* app. Instead, you have to consider where your app fits into the world of the user.

  - Implementing strong passwords (many, varied characters) does not necessarily make your site more secure. If it isn't usable because the security rules are too onerous for users, then it isn't secure. Most e-commerce and investment brokerage sites have figured this out.

If you are interested in the research these facts come from, or if you'd like more factoids about usable security, contact me off list at dana AT usabilityworks DOT net.

Dana

8 Nov 2010 - 6:05am
James Page
2008

Dana,

1. James, where are you getting these numbers for typing mistakes?

A quick search on Google Scholar comes up with http://panko.shidler.hawaii.edu/HumanErr/Basic.htm

A scary thing is reading:

A study by Potter (1995) revealed something a bit more shocking. The error rate for pilots when making entries into an aircraft flight management system, per keystroke is 10%. It is even higher if there is a heavy workload.

See: http://www.google.co.uk/url?sa=t&source=web&cd=1&sqi=2&ved=0CBkQFjAA&url=http%3A%2F%2Fwww.carrielee.net%2Fpdfs%2FHumanError.pdf&ei=3s7XTKjBF8GDhQf03_mZBQ&usg=AFQjCNHMBPQaqSbzxdP6AOFzZ9liXmPBDw&sig2=HqbIFNYc1E-I7kOHN4YUtw 

Do you need passwords?

Before getting rid of usernames and passwords you do need to consider the legal aspects.

James
11 Nov 2010 - 3:56pm
Dana Chisnell
2008

Thanks for the links, James.

I agree that one must review the legal ramifications of whether to even have usernames and passwords before implementing them. My point is that we UXers often don't even question whether they're needed. We just pull down the log on pattern because IT says there must be a log on. There are other ways to make users' data secure besides having them create usernames and passwords. In many cases, the data might be *more* secure if it is properly encrypted on a server rather than relying on end-users to use strong authentication.

Dana
