I’m looking for a study or research on how password policy affects signups. I’m sure there must be something available, but I’m unable to find it.

So one of my clients wants me to implement a password policy. You know, your password must contain a special character, one upper case, lower case types. He is being very full on about it.

I recommended suggesting the password strength (like how Google does) instead of a hard and strong password rule, but it would be nice to cite some studies.


Is this article of any use? The True Cost of Unusable Password Policies: Password Use in the Wild

As an aside, I find password policies today infuriating but can see why people choose to use them. Interestingly the article above states that people use insecure passwords as a result, which totally defeats the purpose. I deal with it personally by using 1Password. Problem solved!


I feel compelled to offer up this little gem from xkcd…


I’ve found using the strength indicator type system can be an opportunity to add a little positivity or personality to what might be a mundane process.

Instead of ‘weak, medium, strong’ feedback messaging, you could consider using ‘pretty good, great!, nice job!’ etc., or whatever is appropriate for your audience.



Although password strength suggestions are welcome, maybe you should consider a more visionary approach and forget about passwords altogether, going for a different flow. Here’s an article about that:


Beat me to it.