The password you gave me didn't work! How to reliably send a user their password

Terry WoodsWeb Developer, specialising in WordPress
CERTIFIED EXPERT
IT consultant and specialist in WordPress website management
Published:
Updated:
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.

Background


I’ve worked with many different systems that require authentication. Some systems (especially the most secure ones) automatically email out login details or a one-use link to a user rather than requiring an administrator to provide them to the user, but it’s still common for details to need to be sent manually. I’ve seen numerous reasons for users to fail to do the right thing to get into the system, so I’m sharing my experience with you to save you and your users' time and frustration.
 

The Problem


Here are some common reasons why users can’t get in, even when they have the right login id and password provided:
  1. The user selects, then copies and pastes the userid and/or password, and mistakenly adds a space character to the end, or misses a character from one end. This is more likely to affect the password, as the value pasted into a password field is usually hidden by ***** characters or similar.
  2. The user types in the login id and/or password, and makes a typo, whether it be a wrong letter, missing letter, or wrong case. This is particularly a problem when a character for the font used looks like a different character. For example, a lower case L and upper case i look largely identical in some fonts, and an upper case o looks quite like a zero.
  3. Microsoft Outlook (and maybe other software too) by default automatically capitalizes the first letter of words that it thinks are at the start of a sentence, and the user was sent a login id or password with the wrong case.
  4. The user tries to log in to the wrong system. This can be a security risk too as they may be supplying their password to some unknown 3rd party!
  5. The user has been locked out for too many login attempts.
 

The Solution

 

  1. Passwords are commonly long or difficult to type, so encourage users to copy and paste their passwords into the login fields where possible. This avoids mistyping and misinterpreting of characters.
  2. When sending passwords by email, put the login id and the password each on their own line, so that no space characters appear before or after it, and reduces the chance of copy and paste errors. See the example below.
  3. If a system allows it, create passwords without special characters. This helps with copying and pasting as a double click on a word made up of only letters and numbers will automatically select it. To ensure the password is still secure, just make sure it's long*.
  4. Ensure the first character of the login id and password is a number or upper case, or alternatively ensure that the first character hasn’t been converted to upper case by your email software, as typically happens in Microsoft Outlook.
  5. Provide instructions on where to login (preferably the URL if on a website).
  6. To prevent users coming straight back to you if their password doesn’t work, tell them about any Forgot Password or Reset Password features they can use if they need to. They may need to know the email address used for the user account if it’s not obvious.
  7. If you want to be extra helpful, give the user some guidance on how best to store or remember their password. This will differ depending on the situation. You could even give some instructions on copying and pasting if the user may not know how to do it.
  8. If a password can’t reasonably be copied and pasted (how many people know how to copy and paste on a smartphone? I’d guess less than half), creating a friendlier password can be helpful. Lower case dictionary words are simple for most people to enter more easily, but to keep secure it’s best to append several unrelated words such as “correcthorsebatterystaple” as suggested in this clever cartoon on password security.
 

An example email (you can use this as a template):


Dear Joe,

Your login for Acme Software Ltd has been created with the following details:
Login id:
JoeBlogs

Password:
4DbgFAb25jVBfqGjHGRJaX9T


You can login with these details to the Acme website at https://www.example.com/login

The user account is linked to your email address joe@example.com

We recommend copying and pasting your password into the password field on the website to avoid typing errors. If you do have any trouble logging in, you can reset your password at https://www.example.com/forgot-password using your email address or login id.

Regards,
Acme Software Ltd

 

A Note About Security


Password security is a big topic, and this article isn't intended to fully cover it, but the following is important to mention:

It’s actually better not to send passwords by email at all, especially when the login id is included in the email along with the password. Best practice is probably to give the user a one-off link that allows them to set their own password on a website, and additionally to use two-factor authentication (such as through Authy or Google Authenticator) so that a mobile phone or other item is required as well as a password in order to log in.

Many people still use unencrypted email settings such that email can theoretically be intercepted by the mostly anonymous computers in the internet that transmit the email on its way to its destination.

However, many user logins are not used for critical information, so in those cases there’s unlikely to be any significant problems if an email was intercepted or got into the wrong hands. In those cases, sending the details by email is no problem.

Well written authentication systems anticipate attacks from every possible angle and close every hole that can be reasonably closed. For example brute force attacks can be prevented by limiting the number of login attempts and asking for additional details like a birth date when suspicious login activity is detected. In my experience, Google leads the way here.

* When I said a password should be long, this really depends on the system it's used to log in to. If a system has top notch protection from brute force attacks or especially if it has two factor authentication then even a relatively short password is probably fine. If not, and you copy and paste the password when you log in anyway or save it to your browser or password manager, then I would recommend using a 20+ character long password without special characters such as shown in the example above. After all, it's just as easy to copy and paste as a shorter one.
1
1,605 Views
Terry WoodsWeb Developer, specialising in WordPress
CERTIFIED EXPERT
IT consultant and specialist in WordPress website management

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.