This past week, SplashData, an internet password management company, released its annual list of the “worst” passwords of the year. The results range from the perennial favorites (password) to the sarcastic (trustno1), from the product specific (photoshop) to the downright whimsical (monkey). The frequent internet user can immediately recognize one thing about these passwords: the vast majority do not conform to almost any security criteria (#16 is simply “1234”).
While data security advocates recommend always using complex passwords that are not shared between accounts, many internet users are clearly ignoring them and web developers are letting them get away with it.
That begs the question: Why are both of these parties ignoring common data security advice? The answer may be explained using the UX concept of the mental model. In user experience research, we work to understand how a user intends to use a product or service and then recommend that developers either meet those expectations or provide users with a convincing explanation of why they have not.
In the case of passwords, it is relevant to the UX researcher that both users and developers are ignoring this safety advice. It implies that users do not want or need a complex experience with their passwords, and the developers know it. The motivations could be obvious. Some websites, such as free music streaming services, may not carry much risk to users if their accounts are breached. With others, like small ecommerce sites, it is important that they be memorable because users may only log into them sporadically. Still with others, like media distribution services, users may prefer passwords that are easy to share with friends (see number 14, “letmein”) and the company may not really mind (think of multiple profiles available on Netflix).
With these subtle motivations behind the password structure in mind, Splashdata’s list may be more appropriately described as “passwords to accounts people aren’t too concerned about protecting.” While this is a decidedly less enticing headline, for the thoughtful developer it might be more poignant food for thought. This list brings to light how important it is to understand the mental model your audience brings to the experience, even with something as standard as passwords.