In loving memory, alpha-numeric passwords


By Geoff Anderson, CEO, PixelPin

The term “data breach” will send shivers down the spine of any business leader. A string of high profile cyber-attacks has highlighted that nobody is safe and businesses of all sizes are looking at how they can protect themselves from risk.

Companies are making wide-scale investments in security to protect their staff, customers and revenue. This comes in the form of training to prevent staff error like opening phishing emails, network analytics to catch malicious traffic and login technologies to protect user accounts.

This raises the age-old cybersecurity conundrum of security vs. convenience. Typically, tighter controls and more security add extra layers of process. While this is enforceable internally, that’s not so much the case when it comes to customers or users. A lack of convenience can cost you revenue.

The challenge with passwords

We’re all familiar with the frustration that can come with making an online purchase. You finally find exactly what you are looking for and have spent time making sure you have the best deal. It’s in your basket and you are ready to pay. But wait. You’ve forgotten your password. You’re now typically faced with two options.

You could go through the trouble of resetting your password (or create a new account), something that can be time-consuming and cumbersome. Alternatively, you can give up on your purchase, either to start again elsewhere or forget about it entirely. The fact is the vast majority will give up: 75% of users won’t complete their e-commerce site purchase if they need to reset their password.

Call centres + password resets = high costs

When it comes to losing sales, companies are rarely slow to act, but they need to strike a balance between convenience and security with customer login lest they face a data breach that is devastating both financially and for their reputation. A faster password reset service is one option, but it is costly. Gartner says between 20% and 50% of help-desk calls are related to passwords and the average reset call costs $35. Across the course of the year, a company handling just 20 password reset calls a day would incur costs of over $180,000.

The trouble with social login

The other way many have gone is social login: one-click and you’re in via a third-party account with the likes of Google or Facebook. On the face of it, simple and secure but the reality is quite different. Social login doesn’t authenticate a user, rather it authorises Facebook or Google to log in on their behalf. From a privacy point of view, this is a minefield as it gives users’ data away in exchange for convenience. With greater scepticism around social media companies and a greater interest in personal privacy, this might not be the best option for a lot of organisations.

A picture is worth 1,000 words

So it might seem that passwords are the lesser of all evils, but actually the alpha-numeric password is hardly fit for purpose itself. A simple dictionary hack can break into almost any character or numeric-based password in a matter of hours. That is without mentioning the fact that many passwords are extremely common or easy to forget, as I outlined above. The real answer is to change the way we look at passwords altogether.

The answer is visual PIN: a combination of an image and a sequence of points to create a dual-layer PIN that is highly secure, unique to the user, and easy to remember. The strength lies in the picture superiority effect: we remember in images rather than words, making it far easier to recall an image-based password than a traditional character-based password. As a result, password reset rates are significantly lower than the average for character-based passwords (17% vs more than 33% for alpha-numeric passwords, and this is one of the more flattering comparisons for alpha-numeric passwords). It’s more secure too and less susceptible to hacks and guesses.

As more of our lives are lived online, it’s only right that we want to protect ourselves in the digital world as much as in the real world. Companies and organisations have a responsibility to help users protect their data, identities and privacy. At the same time, they need to ensure a positive user experience or risk getting left behind. With solutions that blend usability and security available, relying on alpha-numeric passwords is like taking a bus to work when you have a Tesla on the driveway.

