Heartbleed – how easy is it to change your passwords?

April 10, 2014 3:48 pm

Heartbleed – how easy is it to change your passwords?



In the light of the Heartbleed security discovery, thousands of people will be following advice to change their passwords on their favourite sites. However, while this may seem like a simple exercise, even some of the big names in social media and ecommerce make this standard user journey overly complicated.

Looking at seven of the websites identified as potential targets for the breach, we looked at how easy (or otherwise) the process of changing a password would be. The sites we focussed on were: Facebook, Yahoo!, Twitter, Google, Tumblr, eBay and Dropbox.

What we found overall was that sites made it difficult to understand how to get into account details, often as a result of using ambiguous icons. Sites also did not prioritise the password details from within account settings, and as a result it was difficult to find where to change the password amongst various other account options.

Facebook – Number of clicks to access: 3

image001
Facebook falls down at the first hurdle, with an array of unclear icons, making it difficult for users to understand how to access their account settings.

image002

However once the users have made it in their account settings, the ‘Edit’ option for the password details is clearly visible immediately on the page.

Overall findability score: 9/10 – Despite not being initially obvious which icons to select, once the user has found their account settings, they can see straightaway where to change their password.

[border ]

Yahoo! – Number of clicks to access: 5

image003 image005

image004

After clicking ‘Account settings’ from the Yahoo! homepage, users are taken to the Yahoo! profile landing page, rather than to their account details.

image006

After clicking another ‘Account info’ link, and being prompted to sign in again, users are finally taken to a page where they can find a link to change their password, hidden amongst other account options.

Overall findability score: 2/10 – The journey to arrive at the account details page is far too complex, and may cause users to become lost along the way. Once users have accessed their account, change password is available on the page, but is still not clear or prioritised.

[border ]

Twitter – Number of clicks to access: 3

image007

While it is not initially clear which of the icons or options along the top relates to the users’ account, the use of the cog wheel icon implies that this is where the user can access settings or account details.

image008

Upon arriving at the account settings page, the ‘Password’ option is clearly available from the left hand navigation, making it easy for users to quickly scan and find this option.

Overall findability score: 9/10 – While there is a little ambiguity in how to access account settings, users are able to quickly select the ‘Password’ option from the left hand navigation.

[border ]

Google – Number of clicks to access: 4

image009

Due to the distinction between Google+ and Gmail, as well as the inclusion of the ambiguous grid and bell icons, users may struggle to understand that they need to select their account profile image to access their global account settings.

image010

Upon arriving at the account details page, the password information is hidden under the ‘Security’ tab at the top of the page, which is difficult to see at first glance. Additionally, the wording of ‘Security’ is not clear enough for users looking to change their password details.

Overall findability score: 4/10 – The ambiguity of how to access account settings form the homepage, in addition to hiding the option under the ambiguously named ‘security’ tab makes it difficult for users to navigate to change a password.

[border ]

Tumblr – Number of clicks to access: 3

image011

Users are presented with a number of icons on the Tumblr homepage, and it is not initially clear how users might be able to access their account. However, Tumblr has included a cog wheel icon, often understood to mean ‘settings’.

image012

After clicking the cog wheel icon, users must then click on ‘Account’ at the right hand side of the page. This option is not immediately clear – and subtitled unhelpfully with ‘The essentials’. Upon clicking ‘Account’, the password field is able to be changed by clicking the pencil icon.

Overall findability score: 4/10 – Over reliance on icons makes it less clear where the user needs to click to access their account. In addition, the change password option is under a separate heading of ‘account’ after arriving on the settings page.

[border ]

eBay – Number of clicks to access: 3

image013

Upon arriving on eBay, it is relatively clear to click on the ‘Hi [username]’ option in the top left to open up account options. From here, the ‘Account settings’ option is self-explanatory.

image014

After arriving on the ‘My account’ page, it is not clear where users need to click.

The ‘Personal information’ option on the right hand side takes users to the option to change their password.

Overall findability score: 6/10 – While it is very easy to understand how to access account details, the ‘Personal information’ option is not worded clearly to indicate that users can change vital information relating to their account.

[border ]

Dropbox – Number of clicks to access: 4

image015

From the main page on Dropbox, it is clearly indicated with an arrow that users need to click on the username in the top right to access options relating to the user account.

image016

From the ‘Settings’ page, users must click into the ‘Security’ tab in order to access their password information. The wording of this option is straightforward, however users may be unsure which of the three tabs – ‘Profile’, ‘Account’ or ‘Security’ – they will find password information.

Overall findability score: 7/10 – Although it is very easy to get onto the ‘Settings’ page for an account, it is less clear which of the tabs on the page will allow the user to change their password, due to the general wording of the ‘Account’ and ‘Security’ tabs.

[border ]

Conclusion

While the simple act of changing your password is a common objective for users, this analysis highlights that this is made needlessly complicated on a number of popular sites.

Of the sites we analysed, Facebook and Twitter came out on top, each scoring 9/10 for ease of changing a password. The worst sites in this review were Yahoo!, scoring only 2/10, and Google and Tumblr, who tied with 4/10.

Common pitfalls on the sites included over-reliance on icons which are ambiguous and do not help users understand how to access their account settings. Additionally, most sites failed to prioritise the ‘Change password’ feature within the account settings, meaning users must hunt to find this option amongst other, less important choices.

[table color=”white” ]

# Clicks to change password screen Overall findability score
Facebook 3 9/10
Twitter 3 9/10
Dropbox 4 7/10
eBay 3 6/10
Google 4 4/10
Tumblr 3 4/10
Yahoo! 5 2/10

[/table]