This past weekend I tackled a long overdue task: Changing all of my old and not-so-secure passwords. (What can I say… These are exciting times.) Even though change password functionality has been around since the dawn of the Web and is a cornerstone of account security, I was shocked at just how many sites made it difficult for me to accomplish this important and seemingly simple task.

Here are five tips for making sure your customers don’t pull their hair out when they change their passwords, each taken from my own real-life hair-pulling experiences:

1. Make the “change password” link easy to find in the account section. I really wish I didn’t have to say this, but it’s almost like some sites made a game of hiding this functionality. And believe it or not, some sites don’t even have it at all! I’m looking at you, United Airlines. To change my United password, I had to log out, go to the Sign In screen, and click “Forgot MileagePlus password?” in order to accomplish my task. Ridiculous.
2. Make your password requirements visible from the get-go. I can’t tell you how many sites required a number, an uppercase letter, or one of a very specific set of special characters — but didn’t tell me this info until after I submitted my password change request and an error message appeared. Your customers aren’t mind readers, so don’t make them guess your requirements. List them directly next to the appropriate field in the form’s initial (unfilled) state — and provide a visible cue (like a green checkmark) when each requirement is fulfilled.
3. Provide an option to reveal the passwords. I’m trying to make sure my new passwords are as secure as possible, and that means making them long, weird, and unique. And, of course, I want to make sure that I don’t mess up these lengthy character strings as I enter them (and then randomly add upper case letters or whatever’s necessary to comply with each site’s password requirements). That means I want to see what I’m typing, and not just a bunch of round circles.
4. Don’t make people type their passwords. I totally get that organizations want to make sure that customers have entered their new passwords correctly — and we’ve all fallen prey to cut-and-paste errors. But given that many customers (like me) now copy their passwords from random password generators, this type-in-the-password-confirmation-field rule is not only dated, but counterproductive, as it motivates me to choose a simpler password.
5. Test your change password functionality. This also goes in the “really wish I didn’t have to say this” bucket, but the change password functionality on multiple sites just didn’t work. For example, car rental giant Hertz requires the use of specific symbols: #$%^&!@. But the site doesn’t recognize any of these symbols when they’re typed in, making it impossible to change the password. And even though it appeared that I did everything correctly on the Delta Air Lines site, I repeatedly got a message that said, “Error occurred while updating user password.”
6. Don’t send passwords via email. Yes, I know the title of this post says “5 tips.” But I keep discovering more issues… Sigh. NEVER send your customers’ passwords through unsecured email.

Secure passwords are good for your customers and good for your organization, too. Use these five tips as a checklist for auditing and improving your site’s change password functionality.