
This guide explains how to help users create memorable and secure passwords.

Meeting the Digital Service Standard

To pass point 13 (make the user experience consistent with GOV.UK) in your service assessments, you must use GOV.UK design patterns and guidance.

Read the guide on using, adapting and creating patterns before you start designing or building anything.

Set the right password constraints

Overly strict or confusing constraints can make it harder for people to create memorable passwords.

This could mean they:

  • stop using your service
  • forget their password and have to reset it
  • store their password in a non-secure place

Choose constraints that meet the security needs of your service. If you need additional security, add a second authentication factor rather than extra password constraints.

Make sure you:

  • set a minimum length of at least 8 characters
  • don’t set a maximum length
  • explain the constraints to users
  • use a blacklist of commonly used passwords

Password strength indicators

Some services use password strength indicators to encourage users to create secure passwords. There isn’t enough evidence from research to confirm they have the intended effect.

Don’t make users keep changing their passwords

Some services force users to change their passwords periodically, for example every month.

You shouldn’t do this because it means users:

  • are more likely to forget their passwords
  • will tend to pick simple variations on their previous password
  • are more likely to store their password in a non-secure place

You should force a password change if you suspect an account is compromised.

Incorrect login attempts

If a user enters their account details incorrectly, don’t reveal whether they got the username or password wrong.

Revealing the source of the error can help fraudsters break into people’s accounts.

Give users at least 10 attempts to get their password correct before you lock their account or do any further security checks.
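An added example, not GOV.UK's own code, putting the password constraints above and the incorrect-login rule into one Python module. It assumes a constructed in-memory user store and a constructed sample blacklist, and goes one step beyond the page by hashing against a dummy record for unknown usernames so that response time does not reveal whether a username exists.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8
MAX_ATTEMPTS = 10
# Constructed sample blacklist; a real service loads a large breach list from a file.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123"}
GENERIC_ERROR = "The username or password you entered is incorrect"

def check_password(password: str) -> list:
    """Return user-facing problems; an empty list means the password is acceptable.
    Length counts characters, not bytes, and no maximum is enforced."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"Your password must be at least {MIN_LENGTH} characters")
    if password.strip().lower() in COMMON_PASSWORDS:
        problems.append("That password is too common. Choose a less common one")
    return problems

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed in-memory user store: username -> salt, hash, failed attempt count.
_SALT, _HASH = hash_password("correct horse battery")
USERS = {"alice": {"salt": _SALT, "hash": _HASH, "failed": 0}}
_DUMMY_SALT, _DUMMY_HASH = hash_password("unused-dummy-record")

def attempt_login(username: str, password: str) -> tuple:
    """Return (success, message). The message never says which field was wrong."""
    user = USERS.get(username)
    # Unknown username: still hash against a dummy record so that response time
    # does not reveal whether the username exists (hardening beyond the page's text).
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    matched = hmac.compare_digest(expected, hash_password(password, salt)[1])
    if user is None:
        return False, GENERIC_ERROR
    if user["failed"] >= MAX_ATTEMPTS:
        # Locked after MAX_ATTEMPTS failures: this is where the service would
        # start its further security checks; the user still gets one message.
        return False, GENERIC_ERROR
    if not matched:
        user["failed"] += 1
        return False, GENERIC_ERROR
    user["failed"] = 0
    return True, "Signed in"
```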

Hide passwords by default

Users might be in a public space when entering or creating a password, so you should hide passwords by default.

To help users meet your password constraints and prevent mistyped passwords, you can:

  • let them see their password if they want to
  • show the last typed character of their password
  • make them enter their password twice and automatically compare them

Allow users to paste their password

Don’t disable paste on password fields. People may have very good reasons why they want to paste their password, for example if they’re using a password manager.

Helping users who forget their password

Passwords that are hard to guess can also be hard to remember.

When helping users who’ve forgotten their password, you should:

  • send them a link or code to trigger a password reset
  • avoid password reset questions
  • avoid password reminders

You should never send passwords by email because it’s not a secure channel.

Instead, send users a time-limited password-reset link or code to the email address or phone number that they registered with.

Always message the user when a password reset has happened, in case it was triggered by someone else trying to get into their account.

Avoid password reset questions

You shouldn’t use password reset questions because they often ask for information that’s:

  • too obscure and therefore just as hard to remember as a password
  • too easy for someone else to find out (for example ‘mother’s maiden name’)
  • subject to change (for example ‘favourite colour’)

Avoid password reminders

You shouldn’t use password reminders because they:

  • encourage users to reveal information about their password
  • don’t work for very strong passwords involving random strings of characters

Discuss passwords

Discuss asking users to create passwords on the design patterns wiki.

Further reading

Read the National Cyber Security Centre’s guidance on passwords.


Published by: Design community
Last update: Guidance first published