Password validation



I have a situation where we have quite a strict password policy, and I’m wondering about the best way to display the policy and validation.

It’s quite a simple form with just name, email, d.o.b, and password.

The password criteria are: must be over x characters, must contain a number, must contain a special character, must not be on a list of common passwords (thousands long), must not be close to their other details.

I want to display this at all times so they know what they are battling against, but I also need to make it clear if they don’t hit one or multiple of the criteria. And it needs to be accessible!

Any ideas?


I believe that the complex password criteria should be displayed only once the user clicks on the password field. If you show all the criteria by default, it may deter him from filling in even the simple form. Once he has typed in the name, email and d.o.b. he has already invested time and is committed to it, so he would be more likely to fill in the password even with the strict password policy.

Check the method below used by GoDaddy, which shows the criteria once the user clicks on the password field and nicely shows which criteria you have covered.


I agree with nalindeabrew: show the contextual help only on focus and continuously give feedback about whether each criterion is met or not.

Two things I’d adapt are the checkboxes, which don’t make sense in that case because they have the affordance of being clickable. Additionally, I think it should be possible to resolve the issue with less text/fewer characters. Here you have too much content to read in order to understand what is required.

Another idea would be to check twice whether this level of security is really necessary and, if yes, to include some kind of contextual information on hover explaining why you chose to request such a strict password policy.
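The per-criterion checks from the question, written as a live checklist the form can re-render on every keystroke, plus a plain-text status line for an `aria-live` region so the tick/cross feedback discussed above is also announced to screen-reader users. This is an added example, not code from the thread or from GoDaddy; the minimum length, the tiny stand-in for the common-password list and the "close to other details" rule (no 3+ character token from name, email or date of birth) are assumptions.

```javascript
// Added example: per-criterion password checks for a live, accessible checklist.
const MIN_LENGTH = 12; // the "x" from the question; assumed value

// Constructed stand-in for the thousands-long common-password list.
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein"]);

// "Close to other details": tokens of 3+ alphanumerics taken from the name,
// the local part of the email and the date of birth, lower-cased.
function detailTokens(details) {
  const raw = [details.name, (details.email || "").split("@")[0], details.dob];
  return raw
    .flatMap(s => (s || "").toLowerCase().split(/[^a-z0-9]+/))
    .filter(t => t.length >= 3);
}

// Returns one entry per criterion; the UI shows a tick or cross for each.
function evaluatePassword(password, details) {
  const lower = password.toLowerCase();
  return [
    { id: "length",  label: `At least ${MIN_LENGTH} characters`,
      ok: password.length >= MIN_LENGTH },
    { id: "digit",   label: "Contains a number",
      ok: /\d/.test(password) },
    { id: "special", label: "Contains a special character",
      ok: /[^A-Za-z0-9]/.test(password) },
    { id: "common",  label: "Not a commonly used password",
      ok: !COMMON_PASSWORDS.has(lower) },
    { id: "details", label: "Not based on your name, email or date of birth",
      ok: !detailTokens(details).some(t => lower.includes(t)) },
  ];
}

function isValid(results) {
  return results.every(r => r.ok);
}

// Text for an aria-live="polite" region: announces what is still unmet,
// which is the accessible counterpart of the visual checklist.
function statusMessage(results) {
  const unmet = results.filter(r => !r.ok).map(r => r.label);
  return unmet.length === 0
    ? "Password meets all requirements."
    : `${unmet.length} requirement(s) not met: ${unmet.join("; ")}.`;
}
```

The same `evaluatePassword` must also run server-side; the client-side checklist is feedback, not enforcement.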


Yep, that is true, checkboxes would confuse users. A simple tick would be better.

I think you highlighted the most important part, and where everyone should start from when working on a design like this.


Hi @jacquidow,

If I understood correctly, we are talking about a subscription form.
I guess that the most important business KPI is to collect, despite the security policy, as many user subscriptions as possible.

I would focus on the cognitive overload rather than on the UI.
I’m just thinking loud:

  1. provide a random default password, generated by the system, that fits the security policy
  2. in the confirmation email that will be sent to the new user, you could explain how to change the password according to the security policy (it would be great to explain why the company chose such a complex password policy)

I believe that with this approach you are going:

  1. to decrease the cognitive overload for the user. She/he doesn’t have to think about such a complex password, very different from her/his dog’s name
  2. to increase the task success rate. Basically, I believe, this is a “dummy proof” method; the only error I can imagine is the “existing user”
  3. to flatten the learning curve. She/he will be able to learn how to provide a proper password to your system without experiencing the frustration of server validation during the subscription process

What do you think?


We have discussed reducing the criteria; unfortunately it is a financial product, so we are held to what the banks tell us to do.

Thank you, this is very similar to the approach that we have finally gone for :slight_smile:

Thanks for all your help everyone!


This is interesting!
I don’t know any Fintech product (at least in Italy, Germany and Switzerland) that allows users to choose a password to access the system (it doesn’t matter whether it is a product and/or a tool).

Of course, I don’t know any Fintech products that send sensitive data (like passwords) via email, so my suggestion cannot be applied.


It’s hard for me to explain, but this is the product: it’s a pre-paid debit card for children that the parents manage through a website/app. The kids can also access their own website/app.


From a UX point of view, it looks very challenging and exciting.

From an adult/parent point of view, it sounds quite scary/dangerous.
Just thinking of an 8YO kid with a pre-paid card/app.

I would never allow a kid of that age to have a connected device (by herself/himself) either.
It’s my opinion of course.

Good luck with your project!


There are quite a few of this type out there: GoHenry, Osper, Nimbl.

Because the parents have full control over the money on the cards and the spending, they’re very popular, and the cards can easily be blocked and temporarily locked if need be from the app by both the child and the parent. It would be a lot easier for a child to lose cash, or be bullied for it. There are also strict controls in place around where the cards can be used and what they can be used to purchase.


Fair enough, but still, I don’t see any added value in giving access to a payment method to an 8-10 YO child.
I mean, as a parent, I will never use such a product.
Maybe I’m “old style”, but I see a bunch of dark and blurry areas in millennial digital behaviours.

I hope we are not going off topic because of my comments :slight_smile:


Been there, and it’s a pain.