3 Comments

Are password complexity requirements more trouble than they're worth?

As SaaS builders, we want to get potential customers into our apps and realizing value as quickly and with the least friction possible.

As SaaS customers, we want to be able to use the passwords we want, whether they're an XKCD-style scheme, a generated password from a password manager, or the name of our imaginary friend in the 3rd grade.

One of the barriers to this is excessively complex password requirements that cause potential customers to spend extra thought and time in creating a password - especially if your requirements are not outlined up front.

There's a tradeoff between on-boarding speed and security, though, as one of your customer's accounts being compromised is not a good look for your company, even if it ends up being the customer's fault. And, of course, complexity requirements matter more if the SaaS deals with sensitive data, such as health or money.

There are a number of ways to help smooth the process. Utilizing social logins removes the issue entirely, but some potential customers may be reluctant to connect their social identities to your product, especially if they're not sure of your product's value.

Listing the complexity requirements up front, and checking them off as they are fulfilled, gives the customer confidence that they're not going to end up in a submit cycle of having to do one more thing, over and over.

So, Builders and Users - what do you think is the appropriate level of password complexity? I'd love to hear about what you've chosen to do in your product and why!

Please vote on how many rules you think is the right balance between security and on-boarding speed.

Example Rules:

  • Require minimum length
  • Require numbers
  • Require special character
  • Require uppercase letters
  • Require lowercase letters

What is the right number of complexity rules for a SaaS password?

  • 0
  • 1
  • 2
  • 3
  • 4
  • 5+
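One way to implement the up-front checklist described in the post, as an added example in JavaScript that is not part of the original thread: the rule set mirrors the poll's five example rules, while the 12-character minimum and the element ids (`#password`, `#password-rules`, `#signup-submit`) are assumptions.

```javascript
// Added example, not code from the original post: a live password checklist
// that lists every requirement up front and ticks each one off as it is met.
// The rule set mirrors the poll's five example rules; the 12-character minimum
// and the DOM element ids (#password, #password-rules, #signup-submit) are assumptions.

const DEFAULT_RULES = [
  { id: "length", label: "At least 12 characters",
    // Count code points, not UTF-16 units, so an emoji-only password is not over-counted.
    test: (pw) => [...pw].length >= 12 },
  { id: "number", label: "Contains a number", test: (pw) => /\p{Nd}/u.test(pw) },
  { id: "special", label: "Contains a special character",
    test: (pw) => /[^\p{L}\p{N}]/u.test(pw) },
  { id: "upper", label: "Contains an uppercase letter", test: (pw) => /\p{Lu}/u.test(pw) },
  { id: "lower", label: "Contains a lowercase letter", test: (pw) => /\p{Ll}/u.test(pw) },
];

// Evaluate every rule and return the whole checklist, not just the first failure,
// so the form shows all unmet requirements at once instead of one per submit.
function evaluatePassword(password, rules = DEFAULT_RULES) {
  const checklist = rules.map((rule) => ({ id: rule.id, label: rule.label, ok: rule.test(password) }));
  return { ok: checklist.every((item) => item.ok), checklist };
}

// The poll asks how many rules strike the right balance: keep only the first `count`.
function rulesSubset(count, rules = DEFAULT_RULES) {
  return rules.slice(0, Math.max(0, Math.min(count, rules.length)));
}

// Browser wiring, guarded so the same file also runs under Node.
// Re-render the checklist on every keystroke and gate the submit button on it.
if (typeof document !== "undefined") {
  const input = document.querySelector("#password");
  const list = document.querySelector("#password-rules");
  const submit = document.querySelector("#signup-submit");
  if (input && list && submit) {
    const render = () => {
      const result = evaluatePassword(input.value);
      list.replaceChildren(...result.checklist.map((item) => {
        const li = document.createElement("li");
        li.textContent = `${item.ok ? "\u2713" : "\u2717"} ${item.label}`;
        return li;
      }));
      submit.disabled = !result.ok;
    };
    input.addEventListener("input", render);
    render();
  }
}
```

The same `evaluatePassword` should also run server-side on submit; the client checklist is a usability aid, not the enforcement point.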
  1. 2

    There's only one right answer, and that is no passwords. If you are providing SaaS then that means you need OIDC SSO login using the user's preferred or business' preferred federated login provider. There is just no reason to require or even allow entering passwords.

    It is always wrong, so stop that.

    Then the question becomes what's the best way to integrate a customer's list of login providers in a secure way. And while there are lots of solutions, only very few focus on this as a core solution: auth comparison guide.

  2. 1

    For the least friction, we should not rely on passwords. If suitable for your audience, opting for password-free authentication is a better option.

    You can choose any method like Email Link Login, Email OTP, Phone OTP, SSO, or Biometrics. You can read more about why leaving passwords behind is good for businesses: https://mojoauth.com/blog/why-are-businesses-still-using-passwords/

  3. 0

    You're overthinking this. If you don't have any customers, focus on that. If you're dropping too many customers at the signup form, did an A/B test show it's the complex password requirements that are the problem? If not, stop thinking about this.
