My team has developed 20+ scoring metrics to rate the strength of passwords. How can I design the meter to make this vast amount of information most useful to anyone making a password?
After 6 months of research and iteration, I developed a path that gives general feedback tips based on the typed password but also offers tailored suggestions to improve the password. Most importantly, the feedback aims to
Leading UX Research
Because I joined an ongoing project, I first had to familiarize myself with research in the area and understand the existing functionality of the meter. The original meter had not been designed for end users at all yet.
I brainstormed a variety of potential structures for our feedback process and created 11 sketches and a set of interview questions. I led two other teammates in conducting think-aloud sessions and interviews with 6 users of various backgrounds and demographics. Note: we avoided relying on Carnegie Mellon students specifically, as they tend to be quite computer savvy.
Users reuse passwords; they often make variations of "base" passwords to meet requirements of different sites.
Users prioritize accounts based on how important they consider them. For example, sites with information relating to money or ID tend to be valued more than social media accounts, which in turn are valued more than "throwaway" accounts that require passwords to access content.
Users never click "Learn More."
Users find that too deep of a password breakdown can be "creepy," but they like custom suggestions.
People want strong passwords that are also easy to remember. How can we balance these conflicting needs?
Businesses want their users to have the most secure passwords possible to avoid situations where data is stolen. Who should determine when passwords are strong enough for a given site?
How can we improve password-making behavior on other sites that don't use our scoring system?
Next, I iterated on ideas we drew from the initial research in slightly higher fidelity mockups. This allowed for a more natural clickthrough of the meter. I focused on incorporating intelligent, progressive suggestions and two "levels" of help for the user. We also went (and still are going) through text variations for communicating our tips and more specific feedback to the users. The biggest challenge is that people want their passwords to be
This was my first project using HTML5/CSS/JS, so I started prototyping in code early. The meter is still a work in progress, but the process we've created first provides tips based on the user's password that do not give away any sensitive information to potential "shoulder surfers." Users are then given a "Help Me" button of sorts that asks to display their password in order to help make it more secure. Then, our meter calls out the specific parts of the password that are weak, explains why, and gives a suggestion of how to fix it. For example, the public/private text outputs might be something like this:
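The public/private split described above, as an added JavaScript sketch that is not the CUPS meter's code or its actual wording: the three rules, the word list, the 12-character threshold and every message are constructed for illustration. Public tips are fixed strings, so they cannot echo typed characters; only the opt-in private notes quote parts of the password.

```javascript
// Added illustration, not the CUPS meter's code. Rules and wording are constructed.
const COMMON_WORDS = ["password", "monkey", "dragon", "letmein"]; // constructed sample list
const MIN_LENGTH = 12; // assumed threshold for this example

// Each rule returns the weak part of the password, or null if it does not apply.
// `tip` is fixed text, so the public view never contains typed characters.
const RULES = [
  {
    tip: "Avoid common words and phrases.",
    find: (pw) => COMMON_WORDS.map((w) => {
      const i = pw.toLowerCase().indexOf(w);
      return i < 0 ? null : pw.slice(i, i + w.length); // keep the user's own casing
    }).find(Boolean) || null,
    why: "is a very commonly used word",
    fix: "replace it with an unrelated, less predictable word",
  },
  {
    tip: "Digits at the end of a password are easy to predict.",
    find: (pw) => (pw.match(/\d+$/) || [null])[0],
    why: "is a run of digits at the end, a very common pattern",
    fix: "move digits elsewhere in the password",
  },
  {
    tip: "Avoid repeating the same character.",
    find: (pw) => (pw.match(/(.)\1{2,}/) || [null])[0],
    why: "repeats one character, which adds little strength",
    fix: "use different characters instead",
  },
];

function feedback(password) {
  const publicTips = [];   // safe to show with the password still masked
  const privateNotes = []; // shown only after the user opts in ("Help Me")
  if (password.length < MIN_LENGTH) {
    publicTips.push("Consider making your password longer.");
    privateNotes.push({ part: password, why: `is only ${password.length} characters long`, fix: "add more characters" });
  }
  for (const rule of RULES) {
    const part = rule.find(password);
    if (part === null) continue;
    publicTips.push(rule.tip);
    privateNotes.push({ part, why: rule.why, fix: rule.fix });
  }
  return { publicTips, privateNotes };
}

// Private view: name the weak part, explain why, suggest a fix.
function renderPrivate(notes) {
  return notes.map((n) => `"${n.part}" ${n.why}; ${n.fix}.`);
}
```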
The password meter will be customizable for any site to implement, so my visual designs have been left intentionally open. When we reach a working version of the prototype, we will build a wizard to allow for customization. We will also be conducting focus groups and a large-scale online study with Amazon Mechanical Turk to finalize our design before we release the CUPS meter as open-source code.