CUPS Password Meter

UX Research Lead / Front-End Developer (August 2015 - August 2016)

Best Paper Award at CHI 2017

Independent Study/Work with Blase Ur, Ph.D. Candidate
Carnegie Mellon University School of Computer Science CyLab Usable Privacy and Security (CUPS) Laboratory

An improved password strength meter to teach users how to make better passwords

Problem

My team has developed 20+ scoring metrics to rate the strength of passwords. How can I design the meter to make this vast amount of information most useful to anyone making a password?

Solution

After 6 months of research and iteration, I developed a feedback flow that gives general tips based on the typed password and also offers tailored suggestions to improve it. Most importantly, the feedback aims to teach the user what makes a password weak or strong so they will make better passwords in the future. We tested this improved meter with 4,509 online participants and published the results in a paper at CHI 2017.

Skills

Leading UX Research

Front-end Development

User Interviews

Iterative Prototyping

Process

Because I joined an ongoing project, I first had to familiarize myself with research in the area and understand the existing functionality of the meter. The original meter had not been designed for end users at all yet.

Think Alouds + Interviews

I brainstormed a variety of potential structures for our feedback process and created 11 sketches and a set of interview questions. I led two other teammates in conducting think-alouds and interviews with 6 users of various backgrounds and demographics. Note: we avoided relying on Carnegie Mellon students specifically, as they tend to be quite computer savvy.

Insights

Users reuse passwords; they often make variations of "base" passwords to meet requirements of different sites.

Users prioritize accounts based on how much they value them. For example, sites holding information related to money or identity tend to be valued more than social media accounts, which in turn are valued more than "throwaway" accounts that require a password only to access content.

Users never click "Learn More."

Users find that too deep of a password breakdown can be "creepy," but they like custom suggestions.

Design Challenges

People want strong passwords that are also easy to remember. How can we balance these conflicting needs?

Businesses want their users to have the most secure passwords possible to avoid situations where data is stolen. Who should determine when passwords are strong enough for a given site?

How can we improve password-making behavior on other sites that don't use our scoring system?

Rapid Iterative Prototyping

Next, I iterated on ideas drawn from the initial research in slightly higher-fidelity mockups. This allowed for a more natural clickthrough of the meter. I focused on incorporating intelligent, progressive suggestions and two "levels" of help for the user. We also went (and are still going) through text variations for communicating our tips and more specific feedback to users. The biggest challenge is that people want their passwords to be both very strong and easy to memorize, yet they avoid spending time and effort to improve their security.

Front-End Development

This was my first project using HTML5/CSS/JS, so I started prototyping in code early on. The meter is still a work in progress, but the process we've created first provides tips based on the user's password that do not give away any sensitive information to potential "shoulder surfers." Users are then offered a "Help Me" button that asks permission to display their password so the meter can help make it more secure. Once shown, our meter calls out the specific parts of the password that are weak, explains why, and suggests how to fix them. For example, the public/private text outputs might be something like this:

Password: Stargirl8#

Public Text: The placement of capital letters in your password is predictable.

Private Text: 32% of people also capitalize only the first letter. Try changing which letters are capitalized like "stArGIrl8#".
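As an added example (not the CUPS meter's own code), the two-tier public/private feedback described above can be structured like this in JavaScript for one check, capitals only on the first letter. The function names, the leak guard on public text, and the injected random source are assumptions of this example; the 32% figure is the page's example value used as an illustrative constant.

```javascript
// Added example, not the CUPS meter's code. One check (capital only on the
// first letter) emitted in two tiers: "public" text safe to show while the
// password is masked, "private" text shown only after the user clicks "Help Me".
const FIRST_LETTER_ONLY_RATE = 32; // percent, taken from the page's example text

// True when the password's only uppercase letter is its first character.
function capitalizesOnlyFirstLetter(pw) {
  const uppers = [...pw].filter((c) => /[A-Z]/.test(c));
  return uppers.length === 1 && /[A-Z]/.test(pw[0]);
}

// Suggest a variant with capitals moved to other letters. `rng` is injected
// so the result is testable; real callers keep the default Math.random.
function recapitalize(pw, rng = Math.random) {
  const chars = [...pw.toLowerCase()];
  // Candidate positions: letters anywhere except the first character.
  const positions = chars
    .map((c, i) => (i > 0 && /[a-z]/.test(c) ? i : -1))
    .filter((i) => i >= 0);
  if (positions.length === 0) return pw; // nothing sensible to suggest
  for (let n = Math.min(2, positions.length); n > 0; n--) {
    const [pos] = positions.splice(Math.floor(rng() * positions.length), 1);
    chars[pos] = chars[pos].toUpperCase();
  }
  return chars.join('');
}

// Guard for the public tier: true if any run of 3+ password characters appears
// in the text (case-insensitive), i.e. the text would help a shoulder surfer.
function leaksPassword(text, pw) {
  const t = text.toLowerCase();
  const p = pw.toLowerCase();
  for (let i = 0; i + 3 <= p.length; i++) {
    if (t.includes(p.slice(i, i + 3))) return true;
  }
  return false;
}

// Returns feedback items: publicText is safe to display with the password
// masked; privateText may quote the password and is shown only after "Help Me".
function feedback(pw, rng = Math.random) {
  const items = [];
  if (capitalizesOnlyFirstLetter(pw)) {
    items.push({
      publicText: 'The placement of capital letters in your password is predictable.',
      privateText: `${FIRST_LETTER_ONLY_RATE}% of people also capitalize only the first letter. ` +
        `Try changing which letters are capitalized like "${recapitalize(pw, rng)}".`,
    });
  }
  // Never emit a public tip that would reveal part of the password.
  return items.filter((it) => !leaksPassword(it.publicText, pw));
}
```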

The password meter will be customizable for any site to implement, so my visual designs have been left intentionally open. When we reach a working version of the prototype, we will build a wizard to allow for customization. We will also be conducting focus groups and a large-scale online study with Amazon Mechanical Turk to finalize our design before we release the CUPS meter as open-source code.

felicia.alfieri@gmail.com | linkedin.com/in/feliciaalfieri