Small UX Tip: Show Password Requirements at Login, not just when Registering
By Daniel Huigens on Saturday, June 27 2015
Airborn OS is a secure alternative to Google Docs.
In an ideal world, everyone would use a password manager and unique passwords on every website. But in reality, many people use the same password on many websites. Let's take one user as an example. His name is Marc. Marc uses the same password of 10 characters on every website. However, when registering for your website, he gets an error: "Password has to be at least 12 characters long." (This is a good idea, in my opinion.) Marc is annoyed, but he spends half a minute thinking of something to add to his password.
Now he is successfully registered. However, the next time he wants to log in, he'll probably try his normal password of 10 characters. "Password incorrect", he gets. He doesn't remember why or what his different password is, so he clicks "Forgot password." This gives him a link that asks him to fill out a new password. He enters his normal password. "Password has to be at least 12 characters long." Oh, right, he thinks, I probably added something to my password. Maybe it was … . He fills out his password on your website. Now, to add insult to injury, your website might say "Can't use the same password."
Seeing the "Password has to be at least 12 characters long" message put him in the thought process he was in when he created the password. That's a good way to remember it. If he'd gotten that message earlier, at login, it might've saved him some of the steps above.
Of course, this gets tricky to implement if your password requirements have ever changed or if you want to change them later. You would either have to remember their password requirements in a database in some way, or you'd have to require that everyone whose password does not fulfill the new requirements change it. The former gets especially tricky when you use a library that calculates the strength of a password. The latter is also tricky, because you only know they didn't meet the requirements after they've logged in, which is what you're trying to help them do.
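One way to combine the two options above, as an added example that is not Airborn OS code: store a policy version next to each password hash, show that policy's rule at login, and ask for a new password after a successful login under an older rule. The policy table, field names and function names are hypothetical, and `hashPassword` / `verifyPassword` stand for the site's existing slow password-hash functions, passed in by the caller.

```javascript
// Added example; policy versions, field names and function names are hypothetical.
const POLICIES = {
  1: { minLength: 8 },  // constructed: an older, weaker rule
  2: { minLength: 12 }, // the rule quoted in the article
};
const CURRENT_VERSION = 2;

// Count code points rather than UTF-16 units so emoji count as one character.
const meets = (policy, password) => [...password].length >= policy.minLength;
const describe = (policy) =>
  `Password has to be at least ${policy.minLength} characters long.`;

// Registration / password change: always enforce the current policy and
// store its version next to the hash, so login can later show the same rule.
function setPassword(user, password, hashPassword) {
  const policy = POLICIES[CURRENT_VERSION];
  if (!meets(policy, password)) return { ok: false, message: describe(policy) };
  user.passwordHash = hashPassword(password);
  user.policyVersion = CURRENT_VERSION;
  return { ok: true };
}

// Login: an attempt that breaks the rule the stored password was created
// under cannot be that password, so show the rule instead of "incorrect".
// Unknown usernames (user === null) get the current rule, so they receive a
// hint too; accounts on an older rule can still answer differently.
function login(user, attempt, verifyPassword) {
  const policy = POLICIES[user ? user.policyVersion : CURRENT_VERSION];
  if (!meets(policy, attempt)) return { ok: false, message: describe(policy) };
  if (!user || !verifyPassword(user.passwordHash, attempt)) {
    return { ok: false, message: 'Password incorrect. ' + describe(policy) };
  }
  // Correct password created under an older rule: require a change now,
  // which is the only moment the site can know the password is outdated.
  return { ok: true, mustChange: user.policyVersion !== CURRENT_VERSION };
}
```

Because the stored value is a version number rather than the rule itself, this also works when the rule is a strength-library threshold: the version then identifies the library configuration in force when the password was set.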
Two mobile applications I know of that get this right: my HTC tells me, when I accidentally try to unlock with a three-number passcode, that four numbers are required (admittedly a bit silly because I already know that, but some people might not), and the ING Bank app has 5 squares in which the numbers of my passcode go.
If you want to help implement this and other improvements in Airborn OS, take a look at the registration code on GitHub.