I was wondering what the "standard" usage rate of the "forgot my password" flow is on other ecommerce/industry websites? Right now not that many people go through the "forgot my password" link on my website, but that's mainly because most people don't have passwords. I'm in the process of installing a new login (which will encourage people to create passwords), so I anticipate that the number of people who go through the "forgot my password" link will go up, but I don't have any real baseline to compare it against.

So does anybody know what the typical percentage of users executing the "forgotten password" flow is?

A typical user will probably be prompted to log in once every four weeks. Our password requirements are currently minimal.

A: 

This should probably be on the pro webmaster version of Stack Overflow.

However, I think it depends primarily on website content and user base. If your site is the sort where you log in once every few months, then you will probably have a higher proportion of people using the forgotten link.

If it's one people log in to every day, like Facebook, the % will probably be a lot lower.

It's also going to depend on your password policies. If you require non-alphanumeric digits then you're going to have a lot more requests.

It shouldn't really matter what % of people use it, as long as the logic behind it is secure and doesn't allow for exploitation.

Tom Gullen
A: 

I don't think these numbers are available as they are dependent on many different factors:

  • How often do the users access the service?
  • Are logins stored in a cookie, if so, for how long?
  • Are there any restrictions on the password such as minimum length?
  • What are the drawbacks of creating a new account (any loss of information or just the name?)
  • Is it a service that typically needs to be accessed from multiple machines?

... are a few parameters that come to mind.

Tomas
Some parameters to my question, then: Users may access the service every day, or may not access it for a month (or so) at a time. The user will be prompted to log in again after four weeks of inactivity. Right now there are no restrictions on the password (it can be a single character), but we're working on making our restrictions more strict. Someone who started a new account would need to input a new username and their shipping, etc. information.