Beyond passwords: Educating users on the power of passphrases
Many people are at risk of having their data breached because they use the same insecure, easy-to-crack password for a majority of their online accounts, including social media, banking, and other platforms that retain a lot of personal information.
This case study outlines my team’s design and development of an intuitive Password Strength Tester as a microservice. The tool’s core purpose was to educate users on the security risks of traditional passwords and show them that an easy-to-remember passphrase is a far more secure option, thereby improving user security and satisfaction.
The challenge & the solution
The primary challenge was transforming a generic, binary “strong/weak” password field into a dynamic, educational tool. My team’s research highlighted that we needed to provide a solution for users struggling to create a secure password. The goal was to provide users with immediate, actionable feedback after they entered a password and tapped or clicked the “Check” button. The solution was a visual, real-time strength meter that broke down security requirements (e.g., lowercase letters, numbers, special characters) and rewarded progress with clear, celebratory visuals. This approach made password creation feel more like a mini-game and less like a chore.
The tool’s functionality was built to not only test password strength but to also check if a user’s password has been compromised in a known data breach. To achieve this, it uses Troy Hunt’s Pwned Passwords API, a crucial feature for protecting user accounts.


We also designed a Passphrase Generator to provide a better, more secure alternative. This feature allows users to generate easy-to-remember, strong passphrases that would take centuries to crack, further improving user security and reducing cognitive load.
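How a passphrase generator of this kind can pick words and estimate strength, as an added example that is not the Service Victoria code. The 16-word list, the function names and the guess rate passed to `averageYearsToCrack` are assumptions for illustration; a production generator would draw from a much larger list.

```javascript
// Added example: CSPRNG passphrase generator with an entropy estimate.
// WORDS is a constructed 16-word sample; a real list is far larger.
const WORDS = ['amber', 'basket', 'cactus', 'dolphin', 'ember', 'falcon', 'garden', 'harbor',
  'island', 'jacket', 'kettle', 'lantern', 'meadow', 'nectar', 'orchid', 'pebble'];

// Web Crypto in browsers and recent Node; fall back to Node's module on older versions.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n) by rejection sampling, which avoids modulo bias.
function randomIndex(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError('n out of range');
  const limit = Math.floor(2 ** 32 / n) * n; // largest multiple of n within 32 bits
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Words are drawn independently, so repeats are allowed and entropy is additive.
function generatePassphrase(wordCount, words = WORDS, separator = '-') {
  return Array.from({ length: wordCount }, () => words[randomIndex(words.length)]).join(separator);
}

// Entropy in bits of a passphrase whose words are drawn uniformly and independently.
function entropyBits(wordCount, listSize) {
  return wordCount * Math.log2(listSize);
}

// Average years to find the passphrase at an assumed guess rate (half the keyspace).
function averageYearsToCrack(bits, guessesPerSecond) {
  return 2 ** (bits - 1) / guessesPerSecond / (365.25 * 24 * 3600);
}
```

The entropy figure only holds when every word is chosen by the generator; a phrase the user picks themselves has far less.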

Project details
- Project: Password Strength Tester
- Role: Design Manager / Developer
- Timeline: Launched on World Password Day, Thursday 2 May 2024
- Key Stats: In its first 12 months, the product was used to test over 100,000 passwords.
Key responsibilities & impact
As the Design Lead and Developer on this project, I guided my team in the research and design of a solution for weak passwords. My team created a functional prototype, which I then elaborated on to create a fully functioning password tester. I was responsible for the end-to-end process, from initial concept and user experience design to full front-end implementation.
- User-centric design: We focused on designing a system that would not only check for strength but actively teach the user about password best practices in real time.
- Prototyping & development: My team developed a functional prototype that demonstrated the real-time feedback loop, allowing for rapid iteration and stakeholder buy-in. We then built the final product as a self-contained, reusable component.
- Strategic integration: This was a high-value, low-effort project. We designed it to be easily integrated into any new or existing Service Victoria product, creating a consistent and secure experience across the entire platform.
Results & success metrics
The impact of the Password Strength Tester was immediately clear, validating the project’s user-centric approach and strategic value.
- Broad adoption: In its first 12 months, the product was used to test over 100,000 passwords, demonstrating its widespread adoption and utility across the Service Victoria platform. This was highlighted when the South Australia Police independently adopted the tool, using it at a stand at the Royal Adelaide Show to proactively help citizens enhance their digital security.
- Enhanced security: By proactively guiding users to create stronger passwords and check for known compromises, the tool significantly improved account security.
- Privacy by design: It is important to note that this product does not store, share, or link any tested passwords to Service Victoria accounts. The tool is a standalone educational product used solely to help users understand and improve their password security.
Navigating constant change: The challenges faced
While a seemingly small project, the Password Strength Tester came with a few key challenges:
- Security & compliance: The biggest challenge was ensuring the logic was secure and did not compromise user data. All password checks had to be performed client-side and in real time without ever transmitting the password. This required careful architectural decisions to ensure compliance with privacy and security standards.
- Clarity over complexity: It was a constant balancing act between providing enough detail to be educational without cluttering the user interface. We had to distill complex security rules into simple, clear instructions that any user could understand.
Lessons learned
Designing this microservice taught me valuable lessons about the power of simplicity and the importance of proactive design. Our ultimate goal was to roll out the Password Strength Tester and Passphrase Generator to the Service Victoria account creation flow. This would allow new users to immediately see the strength of their password choices and, if needed, use the generator to create an easy-to-remember, highly secure passphrase. This strategic integration would have been a significant step toward making the user journey more secure and effortless from the very first interaction with the Service Victoria platform.
Conclusion
The Password Strength Tester project is a testament to the idea that small design solutions can have a significant impact. We directly addressed the real-world problem of online users being at risk of data breaches due to insecure, reused passwords. This project not only enhanced security but also served as a valuable educational tool, demonstrating the power of human-centred design.

