It’s become widely accepted that password rules are now too restrictive. As the joke goes, some sites require an uppercase letter, a lowercase letter, a number, a special character, and the blood of a vegan cat.
Strict passwords cause abandonments
According to Baymard’s large-scale checkout usability research, “strict password rules can cause an 18.75% checkout abandonment rate among existing account users as they try to sign in.”
The real problem arises when trying to sign in. If people get forced to create a more complex password and can’t use the one they generally use, they’re going to have difficulties remembering that new password.
This is because only 35% of people create a new password for every user account. Another 13% reuse the same password across every single one of their accounts.
The remaining 52% have a set of passwords that they reuse across different accounts. Tier 1 is usually the bank password, which may also be reused on high-security sites like PayPal and maybe Google. Then there is a Tier 2 password, and even Tier 3 and Tier 4 passwords for sites holding less sensitive personal data.
Shoppers don’t generally consider online stores to be Tier 1 sites, so preventing them from using their preferred password will not win you any fans. It may well lead to abandonment, especially if they end up having to reset their password via email.
Minimum 5-6 characters
A low password requirement could, for example, be a minimum of five or six lowercase characters; you can still encourage shoppers to choose a more secure password than that.
If you lower the requirements, you should compensate for the lower security by:
- Limiting the number of failed login attempts.
- Forcing the user to re-enter their credit card information if they change the shipping address.
Clearly state the requirements
I also recommend you clearly mention the password requirements next to or below the password field.
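The two pieces of advice above, a deliberately low length-only requirement whose wording is shown next to the field, and a limit on failed sign-in attempts to compensate for it, fit together in a few lines of backend code. The following is an added example written for this article, not code from Baymard or any store; the class names, the six-character minimum, the five-failures-per-fifteen-minutes threshold and the `check_credentials` callback are all illustrative choices.

```python
"""Added example (not from the original article): a length-only password
policy that also renders its own hint text, plus a per-account limiter on
failed sign-in attempts. Names and thresholds are hypothetical choices."""
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class PasswordPolicy:
    # A deliberately low bar, as the article suggests: length only, no
    # composition rules. The same object produces the hint shown next to the
    # field, so the UI text cannot drift from what the validator enforces.
    min_length: int = 6
    max_length: int = 128

    def hint(self) -> str:
        """Text to display beside the password field."""
        return f"Use at least {self.min_length} characters."

    def validate(self, password: str) -> list[str]:
        """Return human-readable problems; an empty list means accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"Password must be at least {self.min_length} characters.")
        if len(password) > self.max_length:
            problems.append(f"Password must be at most {self.max_length} characters.")
        return problems


class LoginThrottle:
    """Limit failed sign-in attempts per account within a sliding window.

    After `max_failures` failures inside `window_seconds`, further attempts
    are refused until the oldest failure ages out. A successful sign-in clears
    the counter. `clock` is injectable so behaviour can be tested without
    waiting.
    """

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of failures

    def _prune(self, account: str, now: float) -> deque:
        """Drop failures older than the window and return the remaining ones."""
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_locked(self, account: str) -> bool:
        return len(self._prune(account, self.clock())) >= self.max_failures

    def record_failure(self, account: str) -> None:
        now = self.clock()
        self._prune(account, now).append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def sign_in(throttle: LoginThrottle, account: str, password: str, check_credentials) -> str:
    """Return 'locked', 'ok' or 'bad_credentials'.

    `check_credentials(account, password)` is a placeholder for verification
    against the stored password hash. The lock check runs before verification
    so a locked account never reveals whether the guess was correct.
    """
    if throttle.is_locked(account):
        return "locked"
    if check_credentials(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad_credentials"


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.hint(), policy.validate("abc"), policy.validate("abcdef"))

    fake_now = [0.0]                      # constructed clock for the demo
    throttle = LoginThrottle(max_failures=3, window_seconds=60, clock=lambda: fake_now[0])
    check = lambda account, pw: pw == "correct-horse"   # stand-in for hash check
    for guess in ("a", "b", "c", "correct-horse"):
        print(guess, "->", sign_in(throttle, "alice", guess, check))
    fake_now[0] = 61.0                    # window has elapsed
    print("after window ->", sign_in(throttle, "alice", "correct-horse", check))
```

The limiter counts failures per account rather than per client address, which is what actually caps online guessing against a short password; a separate per-address limit is still worthwhile against bulk attempts across many accounts. The demo locks after three failures inside sixty seconds and unlocks once that window has passed.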