Skip to main content

Passwords are a pain

Posted by: , Posted on: - Categories: DevOps, Service design

Image of a laptop keyboard with a note stuck to it entitled 'Password: password 1'

The problem with passwords

Passwords. Users don’t like them. I don’t like them.

Tell me something. Is your password the date of your wedding anniversary? Is it your child’s date of birth? Is it your mama’s maiden name? Yes, I said your mama. Or better yet, is it the name of your favourite football team?

And do you have a really secure, long password with underscores, numbers and other keyboard symbols? How do you remember it? Store it on a Post-It note in your drawer?

Is this starting to sound familiar?

I’ll tell you something else. By looking at your Facebook profile or LinkedIn account, I could probably take a guess at when your anniversary is or when your child was born.

Another thing. How many times have you forgotten that super-long fancy-pants password? Perhaps you have shared it with your partner who has also forgotten it?

Passwords are a pain

I work a lot on public websites.

And what do we ask users to do when they fill out a form on a public website and save that form for later? We ask them to create a username and password, right? We certainly don’t want any old Mo, Joe or Joanna Public getting access to the information on that form.

The smart folks across user research in government have carried out user testing on the issue of passwords. Guess what? Users also agree….

… passwords are a pain.

Could we solve the problem of passwords with ‘magic’?

That’s ‘magic links’ to you and me.

Magic links is the name of the clickable link that’s created when a user registers for a service online.

The user provides their email address. The magic link is emailed to the user’s email address. To access the service online the user then just clicks on the magic link provided in their email.

Most of us have been through this process online. It looks like this:

Image of a screenshot of a government web page showing a message stating ‘Check your email’.

We tested magic links with users on one of our websites recently and all was going well until…

we went live...


What happened?

When some users clicked on the magic link for the very first time, the website returned a message telling the user their link had expired. Why?

What was even more strange was that this only happened to some users, not all.

And so we were stumped. What was going on?

Generating other options to avoid using passwords

We started looking at our other options for generating magic links so users could securely access websites, options that didn’t require users to remember a password.

We tried using codes instead of links. Send the user a code, user enters a code to access the website.

But we abandoned this option. Chris Taylor, Head of Interaction Design at the Home Office, pointed us to a GitHub issue raised by GDS that advised against this. It adds more of a burden to the user.

GDS sprinkles its ‘magic’

That’s when I posted our problem to Chris Hill-Scott, Designer, at GDS who wrote the ‘Identifying users’ guidance.

Chris explained why users were seeing a message telling them their magic link had expired even when it was the first time they had clicked on it:

Lots of things click links before you can. Email virus scanners might click links to check their content for malware. Instant messaging apps might click links to render previews.

‘Magic’ moment: the solution

That made sense to us.

Chris Long (so many Chris’s in government), Test Manager, of our team came up with a solution.

What if we were to enable the magic link to be used multiple times, but expire it only when the user takes the additional step of clicking on a Start button?

Chris Hill-Scott gave us the thumbs up to proceed with this approach. So we were able to send the user through a journey that looks like this:

  1. User clicks on a link in their email
  2. User receives a message stating ‘Almost there’ inviting the user to click on the green Start button (as in the diagram below)
  3. User clicks on the green Start button
  4. User is taken directly to the first page of the form on the public website.

Image of a screenshot of a government web page showing a message stating 'Almost there' with a green 'Start' button.

And as if by magic, it worked.

So we found a solution that doesn’t require users to remember a password. Result, right?

Follow some history around this pattern on the design system log.

Enjoyed the article? Join us!

I have fun at my job. I love building stuff and, best of all, breaking stuff. I sometimes fix things I break. Honest.

It’s also pretty cool new tech too: Open-source, Node.js, Google Puppeteer, Docker, Drone, Kubernetes, Amazon Web Services, PostgreSQL and Redis. I don’t just do dev, I do the DevOps too.

We also work collaboratively and in an agile way.

We don’t wear suits. You can if you want to, but I prefer t-shirts.

Image of Sulthan Ahmed, Technical Lead and Lead Developer for DDaT at the Home Office, author of this article.

Here is our Home Office GitHub repo with plenty of opensource code.


We’re hiring

We're setting high standards and we're building for the long term. Look out for new roles in our Manchester, Sheffield and Croydon Hubs.

Please visit Civil Service Jobs to see the DDaT jobs on offer at the Home Office. We’re advertising a number of positions including Developers, DevOps, Tech Leads, User Researchers, QAT Analysts, Service Architects and Test Engineers.

Sharing and comments

Share this page


  1. Comment by Rosalie posted on

    Really enjoyed reading this, thanks for sharing!

    • Replies to Rosalie>

      Comment by Sulthan posted on

      thanks for taking the time to read it and posting a positive comment 🙂

  2. Comment by Naveed Malik posted on

    Great article and fun to read! Well done to everyone involved.


Leave a comment

We only ask for your email address so we know you're a real person

By submitting a comment you understand it may be published on this public website. Please read our privacy notice to see how the GOV.UK blogging platform handles your information.