Summary: Create designs that capitalize on what we know about human memory. Help people remember passwords by encouraging them to: focus when creating, and rehearse; choose passwords that relate to important events, are chunked, have limited characters, and can be articulated in 2 seconds.

Imagine you went on vacation for two glorious weeks. Upon return you are energized with ideas you are raring to share in your project database. You switch on your computer and are prompted for your password. You have no idea what it is, and the post-it note you had previously affixed to your monitor is gone. You begin the familiar dance of switching the order of names of your kids and their birthdays until you are ultimately blocked and must now reset the password. Answering the challenge questions, you’re surprised that your favorite movie is no longer “Silence of the Lambs”, and you forget whether your answer to the “your first car” prompt is that borrowed Gremlin you drove first, the used Nova you owned first, or the new Toyota Camry you bought first. But you press on, rushing through creating a new password. You immediately open the project database only to find that you have forgotten half of the ideas you had, and you have kicked off your first week back to work with a negative undertone—just because you forgot your password.

Many people who encounter these nuisances or even more debilitating scenarios consider the password to be a nosy bodyguard: inconvenient yet a respected protector. We can blame 2 major UX-related roadblocks: passwords are difficult to (1) create, and (2) remember.

Over the years, the usability of creating passwords that meet strict requirements has improved somewhat as the following innovations were introduced:

Informing people about the password requirements before password creation.

Reminding people of these rules during password creation. Complex requirements tax the human mind’s short-term memory; in other words, they are hard to remember. So always displaying the password-format rules can save users from having to keep these rules in their working memory, so they can create a password that is acceptable to the system.

Showing real-time password feedback (such as strength meters) when users create their passwords. This type of formative feedback makes users aware of how much their partially created password adheres to the rules. Many designs also judge the secureness of the password, from weak to strong, to help people create safer passwords. Some designs also foray into gamification, by giving people goals and small affirmations as they type and encouraging them to attain more or all possible confirmations that the system has to offer (such as a big checkbox next to each requirement, and a red to green strength barometer with signposts “weak” to “strong”).

These are all effective UI-design tactics in password creation, and help to solve issues that I repeatedly observe in research studies: meeting the password requirements, recalling or recognizing the requirements, and creating stronger (safer) passwords.

As good as these designs are, there is a calamitous omission in them. They are so focused on getting past the creation phase that none of them help people remember passwords. In fact, some of these designs actually hamper the memory-retrieval process.

Forgetting Passwords Instigates Serious Issues

We may decide that making strong passwords is more important than remembering those passwords. However, forgetting a password causes serious issues to individuals and organizations, including the following:

Security breach: When people think they won’t be able to recall a password, they write the passwords down. Common places where they store these? On a post-it note stuck on the computer monitor, under the mousepad, under the keyboard, in a top drawer, saved in their phone, and in a document or email on the computer. Some of these places are relatively safe, but more are not.

User frustration: Being challenged prevents people from proceeding and being successful, takes away control, and makes them feel inept. And if the disruption occurs at the very start of the session, people begin their experience negatively. All of these things combined make for a very unpleasant user experience.

Time and money wasted, sales lost: Nonproductive time occurs when users are wasting time trying to log in instead of focusing on their goals. Here are some examples of what can go wrong for the users:

Being blocked from completing their workflow. As a result, their focus is broken and they must tend to the system instead of the content or work they were doing or planning to do.

Repeatedly trying to guess their password. Possibly using too many attempts and being locked out of the system, punished for a time that the organization deems adequate.

Dealing with challenge questions whose answers (or answer formats) they may have forgotten.

Contacting a helpdesk to retrieve or reset their password.

Waiting for the password to be reset.

Leaving a website or application because they can’t or won’t deal with password retrieval.

Helpdesk time monopolization: Paying staff to deal with password resets is a hefty cost in enterprise computing.

Opportunity cost: Consider all the other work or activities people (including customers and your own IT and helpdesk staff) could be doing instead of dealing with lost passwords. The notion of opportunity cost is one of the most underrated business concepts in UX design. Increased efficiency means less wasted time and more time spent on the right things for the organization.

Some systems help people retrieve a forgotten password by answering personal questions, such as the “name of the street you grew up on”, or “your first pet’s name”. These can help, but they too can be problematic if users forget their answers or the specific way in which they entered their answers. For example, you may answer the question, “What’s your favorite sports team?” as “The Boston Red Sox.” But when asked to answer the same question months later (and after you forgot your password), you may write, “The Red Sox”, “Red Sox”, “the red sox”, “the sox”, or my favorite “RedSoxRule!”. Ironically, the help for this problem suffers from the same limitations.
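The answer-format problem described above can be narrowed, though not removed, by comparing a canonical form of each answer instead of the raw text. The following is an added example, not code from the original article; the function names and the canonicalization rules (case folding, dropping punctuation and leading articles) are assumptions, and the sample answers are the ones quoted in the paragraph.

```javascript
// Added example: canonicalize challenge-question answers before comparing.
// Assumption: a real system would store only a salted, slow hash of the
// canonical form; plain strings are compared here to keep the focus on
// which variants collapse together and which do not.
const ARTICLES = new Set(['the', 'a', 'an']);

function canonicalAnswer(raw) {
  return raw
    .normalize('NFKC')                    // fold Unicode look-alike forms
    .toLowerCase()                        // "Red Sox" == "red sox"
    .replace(/[^\p{L}\p{N}\s]/gu, '')     // drop punctuation such as "." or "!"
    .split(/\s+/)
    .filter((w) => w.length > 0 && !ARTICLES.has(w)) // drop "the", "a", "an"
    .join(' ');
}

function answersMatch(enrolled, attempt) {
  return canonicalAnswer(enrolled) === canonicalAnswer(attempt);
}

// Group raw answers by canonical form to see which ones a system
// using canonicalAnswer() would treat as the same answer.
function groupByCanonical(answers) {
  const groups = new Map();
  for (const raw of answers) {
    const key = canonicalAnswer(raw);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(raw);
  }
  return groups;
}

// The variants quoted in the paragraph above.
const VARIANTS = [
  'The Boston Red Sox.',
  'The Red Sox',
  'Red Sox',
  'the red sox',
  'the sox',
  'RedSoxRule!',
];

for (const [key, raws] of groupByCanonical(VARIANTS)) {
  console.log(`${JSON.stringify(key)} <- ${raws.join(' | ')}`);
}
```

Canonicalization rescues differences in case, punctuation and articles, but a user who enrolled “The Boston Red Sox.” and later types “Red Sox” still fails, because the content of the answer changed rather than its format.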

How People Remember Passwords: A Look at Memory

Information first enters human memory through encoding, then it gets stored, then, later on, we remember it through retrieval. All these processes influence the activation of information in memory and how fast and easily that information will be remembered.

If we want to be able to recall passwords better, we need to do a better job of encoding them. Psychologists have studied human memory at length and have come up with many methods that help people better encode and remember information. Below are a few of them with recommendations for how to design with them in mind.

Help Users Pay Attention When They Create Passwords

We usually blame age or stress (or in rare cases, neurological disorders) as password roadblocks. And these are certainly culprits, but often the issues are related to something far more basic: paying attention.

Before people can remember something, they first have to perceive it and register it. Basically, they have to focus on what they are doing and not give in to distractions. How much they concentrate on what they are doing is an extremely important factor in whether they will actually remember it later.

One of the reasons for which passwords are easily forgotten is that at the time when people create them, people usually have a completely different goal in mind. Creating a password is an obstacle to pass in order to reach their real goal. People usually try to rush past this hurdle, which is counter to being engaged, focused, and eliminating disturbances.

One potential UI solution could be to stop people in their tracks with a modal dialog telling them to halt and pay attention, but this would be very annoying. Instead, the design can help people focus more on the task of creating a password in these ways:

Eliminate distractions: Don’t include promotions, and consider using a lightbox or a page with no content except password-related information. This will help people to completely focus on creating and remembering the password.

Encourage people to pay attention to the passwords as they create them. Add a short sidebar tip about how to remember the passwords.

Make suggestions that will help them choose a memorable password, and offer examples. For example, if the password should be changed often (such as weekly), recommend that users create a password using a phrase that matters to them this week (possibly something personal but not easy for others to guess). String the words and numbers together to meet password requirements. Offer examples, such as:

You are not sure if your good friend Hannah's birthday is January 19 and you have to check. Make your password: Jan19HannahBDay?

You looked in your yard after a long winter and saw 3 beautiful pink tulips fighting the raw New England Spring. This made you hopeful. Make your password this week: 3TulipsBloomed!

Window washing keeps moving to the bottom of the list of household chores, but you made a pact with yourself that you will wash 10 windows this week. Make your password: Wash10Windows.

You are selling your truck. The going rate for a truck like yours seems to be $6,000, which is an acceptable amount to you. Make your password: SellDodge$6K.

At less busy times, encourage people to reset passwords. Suggest a password change at moments when people are focused on updating their settings, and possibly at other times when they are less focused on a particular task. Add a tip about changing and remembering their password in the Settings area, and in your email newsletter. And if the app or website has a “tip of the day” feature, create some password memory tips. Tip example: Make sure you remember your password. Use a phrase that is important to you now, like: Aug1SharkTour!

Encourage people to create their own password guidelines. Users don’t just need a password, they need a framework for all of their passwords. Passwords they will keep for only a day or a week can especially benefit from guidelines, such as:

Capitalize the first letter of all words in the phrase, and make the rest of the words lowercase.

Add punctuation at the end of the phrase.

Avoid punctuation, such as apostrophes, within the phrase.

Always use a digit instead of the word, so 8 instead of eight.

Offer tips at both the password creation phase, and on the dialog(s) that appear after the user forgets his password. Add a link called “How to remember your password” or a sidebar called “Tips for remembering your password”. Then hit them with this information when it hurts: after they have forgotten the password and gone through the pain of answering challenge questions or getting locked out.

Just a Few Words and Digits

Shorter is usually easier to remember than longer.

Recommend that users keep their passwords short and strong. Since most passwords need to contain numbers, capital letters, and punctuation, suggest password examples with 3 lower-case letters, 1 digit, 2 or 3 capital letters, and 1 punctuation mark.

Recommend that passwords be short enough to say in 2 seconds. A classic memory study (Baddeley, Thompson, and Buchanan, 1975) looked at memory for a list of words in relation to the amount of time it takes to say the words in the list out loud. It turned out that it was easier for people to remember a list such as wit, sum, harm, bay, top than university, opportunity, aluminum, constitutional, auditorium. People could recall the number of words that could be said in about 2 seconds.

Chunk It

Chunking is a popular and effective memory technique in which small pieces of information are grouped into larger memorable units.

One of the most famous memory studies is Miller’s “Magical Number Seven” (Miller, 1956). Miller reviewed several published memory experiments and determined that, when shown lists of elements of various lengths, most people could roughly remember 7 (plus or minus 2) elements. But Miller’s insight was that while people could remember only about 7 letters from a random sequence of letters, their memory span could suddenly be increased to 21 letters (corresponding to 7 words that consist of 3 letters) when they were shown a random sequence of 3-letter words. So what mattered for memory was not the amount of information (number of letters) per se, but the number of meaningful chunks. People could remember more information if it was appropriately structured in chunks.

A password with meaningful chunks such as The;Capital;Of;Scotland;Is;Edinburgh is going to be easier to remember than uapTCei;Ih;ttrghafOl;SEbdn;dnal;cos.

Using chunking with passwords may be difficult for some people because there are no standard characters, such as dashes, used to visually separate the chunks or numbers or words. While some people can do fine with no separator (such as, “mypasswordisthis”), others may be stymied. In my example above, I used capitalization and semicolons to separate the words. One technique you can recommend people do is to capitalize every word in the phrase, for example:

3TulipsBloomed!

Wash10Windows

Jan19HannahBDay?

Or as part of their own personal guidelines, they may always use an ampersand, for example, in lieu of spaces.
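The sample personal guidelines listed earlier (capitalize each word, use digits instead of number words, avoid punctuation inside the phrase, add punctuation at the end) and the capitalization-as-separator advice above can both be applied mechanically. The following is an added example, not code from the original article; the function names, the number-word table and the default end mark are assumptions.

```javascript
// Added example: turn a phrase into a password using the article's four
// sample guidelines, and split a password back into its visible chunks.
// Assumption: number words are limited to zero..ten for brevity.
const NUMBER_WORDS = new Map([
  ['zero', '0'], ['one', '1'], ['two', '2'], ['three', '3'], ['four', '4'],
  ['five', '5'], ['six', '6'], ['seven', '7'], ['eight', '8'],
  ['nine', '9'], ['ten', '10'],
]);

function applyGuidelines(phrase, endMark = '!') {
  const words = phrase
    .split(/\s+/)
    // Guideline: avoid punctuation (such as apostrophes) within the phrase.
    .map((w) => w.replace(/[^\p{L}\p{N}]/gu, ''))
    .filter((w) => w.length > 0)
    .map((w) => {
      const lower = w.toLowerCase();
      // Guideline: always use a digit instead of the word.
      if (NUMBER_WORDS.has(lower)) return NUMBER_WORDS.get(lower);
      // Guideline: capitalize the first letter, lowercase the rest.
      return lower[0].toUpperCase() + lower.slice(1);
    });
  // Guideline: add punctuation at the end of the phrase.
  return words.join('') + endMark;
}

// Recover the chunks a reader can see in a password: capitalized words,
// runs of capitals, runs of digits. Separators such as ";" are skipped.
function splitChunks(password) {
  return password.match(/[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+/g) || [];
}

// Constructed demo input; the passwords are the article's own examples.
console.log(applyGuidelines('three tulips bloomed'));   // 3TulipsBloomed!
for (const pw of ['3TulipsBloomed!', 'Jan19HannahBDay?', 'mypasswordisthis']) {
  const chunks = splitChunks(pw);
  console.log(`${pw}: ${chunks.length} chunk(s) -> ${chunks.join(' / ')}`);
}
```

A password typed with no separator, such as “mypasswordisthis”, comes back as a single chunk: the word boundaries exist only in the user's head, which is the difficulty the paragraph above describes.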

Meaningful

People tend to be better at remembering things that are significant to them than they are at remembering things that are not meaningful, mainly because they can connect the information to related material that is already stored in their long-term memory. The more associations an item has to other well-known facts in our background knowledge, the easier it will be to retrieve that item.

People naturally choose personal information when creating passwords, sometimes so personal—pets’ names, a wedding anniversary and street address—that they become easy to infer and mar the system’s security. But we can encourage people to instead use details that are not easy to guess, such as a special story. For example: I took my Cairn Terrier Columbo kayaking. I wasn’t sure if I would be able to paddle with him sitting in the bow of the vessel, but we traveled 4 nautical miles together. Make the password: ColumboPaddled4:)

If a story is difficult to shorten, users could use a mnemonic instead. For example, you were golfing at The Breakers and actually got a hole in one on the 15th hole. You’ll never forget that. Make your password: TBHI115!

Recommend that users select passwords related to a story important to them.

Repetition

We all know that “practice makes perfect” and “repetition is the mother of learning.” The more we practice an item, the better we can remember it. Rehearsing is a memory technique in which people mentally repeat items.

For passwords, once created, we usually only need to recall them when we attempt to log in. This may be too late: by the time we need the password, we may have already forgotten it. We could spot-quiz users while they are on the website or in the app, but while this might reinforce password memory, it would be completely disruptive and bothersome. Instead we can recommend that users rehearse the password when they first create it. Tip example: To help yourself remember this password, say it to yourself three times now.

Upon password creation, or after the user forgets and needs to create a new password, suggest in tips that they at least mentally repeat the password to themselves 3 times.

Password-creation designs usually ask people to enter their passwords twice, mainly to ensure that there are no typos. But there is a positive byproduct to that second entry: It is a small form of rehearsal. Since the interaction cost of entering the new password a second time on a phone is quite high, we recommend instead asking for the new password only once, but displaying the password characters as they are entered.

For desktop and tablet interfaces, ask users to enter the password twice when they are creating it. But since the interaction cost of entering passwords on a phone is so great, ask for the password only one time in the phone UI, but display the characters as users type them so they may check for errors and encode the password.

See the Password

Memories for each of our 5 senses—sight, smell, hearing, taste, and touch—are stored in different areas of the brain. These redundancies help people recall multiple pieces of information based on just one cue, and this cross-referencing helps us learn.

Upon password creation, or after the user forgets and needs to create a new password, suggest in tips that (if they are alone) they say the password out loud 3 times. (This also has the advantage of accomplishing repetition.)

For security reasons, passwords are usually masked. However, the visual representation of the password can create one extra association in memory and thus can make it easier to retrieve. Hiding the password as it is entered impairs encoding.

If possible, offer a checkbox that users can select to display the password as it is being typed.

Studies show that students learn quickly when they can visualize a concept and develop mental pictures of it. Even pretending to write words on a whiteboard (really writing in the air with a finger) helps students to visualize the order of letters in a word.

Upon password creation, or after the user forgets and needs to create a new password, suggest in tips that they write the password in the air, as if writing on a whiteboard.

Password Memorability Design

Organizations and individuals want to protect their online privacy and information, and thus usually have some respect for their passwords. If there is a high commitment level to the website or application, people will tolerate some of the difficulties that accompany them. But it is better to save your organization and your users’ time, money, and frustration by helping them better encode their passwords so they can easily remember them later (even after a long vacation).


References

Baddeley, A.D., & Hitch, G. (1974). Working memory. In G.H. Bower (Ed.), The psychology of learning and motivation: Advances in Research and Theory (Vol. 8, pp. 47–89). New York: Academic Press.

Miller, G. (1956). The magical number seven, plus or minus two: Some limits on our capacity for processing information. Psychological Review, 63, 81-97.