Password generator
Enhancing digital safety through strong passwords
Brief
Design password generator for Microsoft Authenticator & Microsoft Autofill Chrome extension.
Background
We store an ever-increasing amount of personal and sensitive data online. As our reliance on digital accounts grows, so does the concern for cyber safety and data security. Today, many security breaches can be traced back to the use of weak passwords.
Even through there’s a reduction, credentials attack still remain the largest method deployed for breaches. Source - DBIR Report 2024: Results and Analysis - Introduction | Verizon
Context
What makes a password weak? Simply put, a password is weak if it can be guessed or interpreted by anyone other than the account owner. Reusing the same password across multiple accounts also makes it weak.
The recommendation is to use passwords that are:
Pattern free – no predictable sequences or decipherable logic
Hard to guess – not based on personal or related information
Unique – different for every account
Complex – a mix of uppercase and lowercase letters, numbers, and special characters
In technical terms, strong passwords have high entropy—meaning they’re highly unpredictable.
It isn't easy to come up with such strong yet unique password, for all our accounts. It is even more challenging to remember them. However, they significantly reduce the chances of account being compromised.
Task
Design a password generator that seamlessly integrates into the user’s workflow of creating a new account or update an existing password, without requiring them to visit the tool. Once the suggested strong and unique password is used, it should be automatically saved, eliminating the need for the user to remember it.
My role
I took over this project at a stage where in-app experience for password generator was already designed. I worked on enhancing the in-app along with designing in-context flow further and solving for offline password usage. I was also responsible for making it meet Microsoft’s accessibility standards and making it compliant as per privacy & legal requirements.
Approach
Initially, we displayed all customization options alongside the generated passwords. However, the interface felt so complex that many research participants chose to skip the suggestion entirely and type their own passwords, which defeated the purpose. Since removing customization wasn’t an option, I redesigned the flow to hide these options by default in the in-context view. They remained visible in the in-app view, where the purpose and user expectations were different.
We were expecting that users are likely to find it challenging to distinguish between 1 & I, 0 & O so we colour coded the passwords to distinguish alphabets from numbers to special characters.
Remaining details are omitted in compliance to NDA
Final design
Here’s the final version demoing the feature capabilities. The GIFs below were created for Microsoft blog announcing this feature - Generate strong passwords with Microsoft Authenticator - Microsoft Community Hub
Impact
Like many Microsoft products, this feature attracted significant attention in tech blogs and online communities. While I can’t share the exact numbers, these articles offer a glimpse into how the community at large received it.