Making Password Resets 60% Easier
I received an email from Crazy Egg (web site analytics software) telling me that although they no longer offer free accounts, I previously registered when free accounts were around and so could still use my free account.
This was nice, but my password was a mystery. So I went through the process of resetting it.
I may now do what? If you consider what information I have provided up until this point, you'll spot the flaw in the process.
- I entered my email address in a form
- I clicked a (uniquely-identifying) link in an email
- I chose a new password
And now I can choose to log in. At this point, Crazy Egg know who I am (I entered my email address) and know I'm me (I clicked a uniquely-identifying link in an email sent to me) and know my password (I just chose it).
They know who I am, that I'm not lying about it, and what my password is. I couldn't have provided a more thorough proof that I'm me. Why can't I be logged in automatically at this point? It's not a trick question and I'm not, in this instance, being overly pedantic.
This serves as a good example of why it is essential to reduce the number of steps in any process to the absolute minimum whilst also asking the user for the absolute minimum.
Doing so makes it easier for the user (they'll like you more) and increases the chances of the process being fully completed and the user actually using your web site instead of, in this case, pondering over the usability of a password reset process and forgetting about everything else.
Let's review the process and consider how it could have been easier. What's the current process?
- enter email address in password reset form
- click link in email
- choose new password
- click log in link
- enter email address
- enter password (possibly involving returning to step 1 and starting again)
- click login button
Seven steps and we finally get access to what we want. In practice, I never completed step four as I wasn't really that bothered anyway. Had there been no step four, I would have been in the service and might, having seen what it had to offer, have been bothered. But it's too late now, I've lost interest. Web users are particularly fickle.
The good news is that we can get rid of step four, presenting the option of holding the interest of us fickle web users just that little bit longer.
- enter email address in password reset form
- click link in email
- choose new password
- ~~click log in link~~
- ~~enter email address~~
- ~~enter password (possibly involving returning to step 1 and starting again)~~
- ~~click login button~~
Right after step 3, Crazy Egg knows all that is required to take me straight to my account. Resetting my password is a means to an end and all I really want is access to my account. I've done my bit, now do yours.
I never particularly enjoy resetting passwords. I don't explicitly not enjoy the process, but it's hardly engaging. I doubt anyone is thrilled by the act of resetting a password - it's just a required something that happens from time to time.
So when making Hosting Reborn, I spent some time thinking about how to reduce the password reset process to an absolute minimum by applying three simple concepts.
- reduce the number of process steps to the bare minimum
- reduce the amount of user input to the bare minimum
- assume as many defaults as is sensibly possible
We can reduce the number of process steps by asking the user to do less and by doing as much as we can based on what the user has already told us. This means that after the user has identified themselves and chosen a new password, we should take them straight to their account because we can and because that's the whole point of resetting your password.
By applying some feasible defaults, we can reduce the amount of user input by 50%. I opted for choosing the user's new password for them. It's still to be seen whether this is the worst choice, but it's done.
What we end up with is the bare minimum password reset process which gets the user to their goal - their account - with the least hassle and as quickly as possible.
- enter email address in password reset form
- click link in email
- confirm request to reset password
If you want to reset your Hosting Reborn password, you enter your email address, click a link in a subsequent email and confirm that you want to do it. That's it. You're in your account. Your new password is chosen for you and displayed so that you can make a note of it.
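An added example of the three-step flow described above (not Hosting Reborn's code); the function names, in-memory stores and 30-minute link lifetime are assumptions. It shows what has to hold for the automatic login to be safe: the emailed token is single-use, expiring and stored only as a hash, and old sessions are dropped when the new one is issued.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 30 * 60  # assumed reset-link lifetime in seconds
# In-memory stand-ins for database tables (constructed sample data).
users = {"alice@example.com": {"pw_hash": None}}
reset_tokens = {}  # sha256(token) -> (email, expiry); raw token is never stored
sessions = {}      # session id -> email


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def request_reset(email, now=None):
    """Step 1: return the token to e-mail, or None for an unknown address."""
    if email not in users:
        return None  # the caller shows the same page either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    reset_tokens[_digest(token)] = (email, now + TOKEN_TTL)
    return token


def confirm_reset(token, now=None):
    """Steps 2-3: redeem the link once, set a generated password, log in."""
    now = time.time() if now is None else now
    entry = reset_tokens.pop(_digest(token), None)  # pop makes it single-use
    if entry is None or now > entry[1]:
        return None  # unknown, already used or expired
    email = entry[0]
    new_password = secrets.token_urlsafe(12)  # displayed once to the user
    users[email]["pw_hash"] = hash_password(new_password)
    # Drop every existing session for the account, then issue a fresh one.
    for sid in [s for s, e in sessions.items() if e == email]:
        del sessions[sid]
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = email
    return new_password, session_id
```
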
And since the process is fast and easy, you don't even have to bother yourself with remembering your password - resetting your password for a service you use infrequently is easier than having to remember a suitably-secure password. Having to remember nothing is very easy.
The password reset process for Hosting Reborn uses 60% fewer steps than Crazy Egg. That's not bad.
Of course, this might not be for you. Perhaps you have to let users pick their own password. You'd still have around a 40% process step reduction which is still excellent.
Just remember to reduce everything to a bare minimum - leave no process step that could possibly be removed, ask the user for nothing that could feasibly be assumed or for which a sensible default could be applied.
Clearly this doesn't apply to password resets only. Do this everywhere you can. Ask the user for as little as possible and do as much as you can with that. And then do a little more.