Weak passwords don't suck, all passwords do.

The Nielsen Norman Group recently released some guidance for mobile forms (https://www.nngroup.com/articles/checklist-registration-login/), and I find myself agreeing with most of what they list as best practices, save for one: strength meters. Here's some of the list from NNG:




Budiu and I agree completely on the number one point: most services that ask you to have an account don't actually need one, but rather want to have a discrete record of you. This still feels like a new idea even though it's the oldest one. If you have a web or mobile app that you think needs an account, you should really explore every possible avenue for not having to create one from the start.

As for strength meters, they suck for all the ways that password requirements suck. They create a relationship where someone is trying both to create a password and to parse a judgement about that creation in real time. They're also incredibly fickle: often a password will toggle from weak to strong only at the end, when someone decides to tack on a special character. Imagine trying to dictate something to an ambient computer and having it give you negative feedback throughout your speech, only to (usually suddenly) flip its opinion from negative to positive.
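As an added illustration (not part of the original post), here is a naive checklist-style strength meter of the sort described above, fed a constructed sample password one keystroke at a time; the scoring rules and the sample password are assumptions, not taken from any real product or from NNG:

```python
import string

# Added example: a checklist meter that awards one point per character class
# (lower, upper, digit, punctuation) plus one for length >= 8. The thresholds
# are assumed for illustration, not copied from any real meter.
def naive_strength(pw: str) -> str:
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    score = sum(classes) + (1 if len(pw) >= 8 else 0)
    if score >= 5:
        return "strong"
    if score >= 3:
        return "fair"
    return "weak"

def feedback_trace(pw: str) -> list:
    """The verdict a user would see after each keystroke while typing pw."""
    return [naive_strength(pw[:i]) for i in range(1, len(pw) + 1)]

def flips_on_last_char(pw: str) -> bool:
    """True when the meter only reaches 'strong' on the final keystroke."""
    trace = feedback_trace(pw)
    return len(trace) >= 2 and trace[-2] != "strong" and trace[-1] == "strong"

if __name__ == "__main__":
    # Constructed sample: negative feedback for nine keystrokes, then a
    # sudden flip to 'strong' the moment the trailing '!' is typed.
    sample = "Password1!"
    for prefix, verdict in zip(
        (sample[:i] for i in range(1, len(sample) + 1)), feedback_trace(sample)
    ):
        print(f"{prefix:<12} {verdict}")
    print("flips on last char:", flips_on_last_char(sample))
    # A long lowercase passphrase scores only 'weak' under the same rules,
    # since the meter rewards character classes rather than length.
    print("correct horse battery staple ->", naive_strength("correct horse battery staple"))
```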

Strength meters may prompt someone to enter a strong password, but they can't account for human habits, like reusing the same password everywhere. People with password managers frequently know about and already account for concepts like password security, and may even generate unique passwords for individual sites, so a strength meter is often an excessive design element that sits firmly between two groups who have already formed habits and won't be swayed in one direction or the other.

We keep dancing around a few key problems with software and the web that are difficult to address. Those are that we have real data security problems, most people don't want to remember big, long, complex passwords,

As we march toward the future of ambient computing, passwords will continue to confound us unless we address other, more personal and easier ways to authenticate our identities, with fingerprints, face recognition, and other technologies. A voice-only interface simply feels dumb asking us for a complex password and making us dictate special characters out loud in order to reach what will be services with no other interface.

Until people stop making us create accounts unless it's absolutely necessary, until we can better leverage new technologies, and while interfaces are still built around having access to a keyboard, I guess we're doomed to traffic-light strength indicators on all of our sign-up forms.