Ramblings of a Geeky Nature

September 11, 2009

Let's Help the Users – Information Overload

Filed under: Personal Geekitude — KRoss @ 3:35 am

Let's just start by thinking about the number of things we need to remember offhand just to get through our day:

  • telephone numbers (your cell, home, work, partner, family…)
  • pin numbers (debit card, credit card, cell phone, telephone banking…)
  • addresses & postcodes (home, work and all the addresses you have stayed at for the past 5 years…)
  • dates (birthdays, anniversaries, concert dates, pet vaccinations, bills due…)
  • others (balance available, bus numbers, groceries…)

However, the most overwhelming thing to remember is passwords.  There’s your work password, server passwords, database passwords, home computer passwords and then there are also offline passwords like your Sky password.  When phoning my mobile provider, not only did I have to answer the security question, BUT I also had to remember what the security question was!  I never did remember or manage to turn my roaming on, and after all that frustration, I discovered on holiday that it was on by default.   Then there are all the usernames and passwords for our various online accounts – email, facebook, ebay, amazon …

My pet hate, however, is those passwords that need to be changed every month, have to be between 10 and 12 characters, must include special characters and cannot be the same as any of your last 12 passwords.  These “security” rules are normally implemented on work computers.  I understand the need for security on company accounts, but by making it so difficult, companies are actually decreasing their security.  I would guess about 90% of employees at these companies write their passwords down somewhere and keep it by their desk.  I’ve done it!  There’s just no way you can remember your 8th random secure password.

So what can we (as developers) do to help?  Many of the web applications we write require user login – an account name and password.  Here are some tips that will make life easier for the user:

  • Don’t assign a username – a user will generally have a couple of usernames they use which will be easier for them to remember.  This also avoids possibly assigning embarrassing or offensive usernames.  My sister’s randomly generated ISP username is sex-01.  No jokes!  She loathes having to phone them about her account and will avoid it if possible.  Do you want people to have that stigma associated with the service you are offering?
  • When possible, use email addresses as usernames.  A person’s email address is their own unique value they will remember.  If your site becomes popular and people choose their own usernames, they will have to choose a new username if theirs has already been taken – yet another piece of information people don’t need to remember.
  • If using an email address as a username, label the login form as “Email Address” and “Password” rather than “Username”.  It’s a nice prompt for the user.
  • Email the username to the user once the account has been created.  Be sure to include keywords in the email which they would use when searching for the account details at a later date.
  • Let the user choose their own password (a simple thing that makes a big difference, yet some sites will only assign you their own randomly generated password).
  • Do not email the password or store it in plain text.  As soon as I receive an email with my password in it, I consider the password as compromised and will only use “insecure” passwords on this account.  Generally people only have a couple of passwords which they reuse so be sure to keep their information safe.
  • The one case you can email a password is if you offer a reset password functionality.  You should then generate a new password, email it to the user and on the next login, prompt the user for a new password.
  • Do not be too restrictive on your password conditions.  If your site stores sensitive data, by all means run validation to make sure the password is secure enough, but don’t be too restrictive on attributes like maximum length.  Some of my personal passwords have been too long to be accepted by an app (and we’re only talking about a length of approx 14 characters here!).
  • As mentioned before (but it’s worth repeating) – Make sure passwords are encrypted!
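As an added example (not code from the original post), here is a minimal Python account store that follows the list above: the email address is the username, the user picks the password, only a minimum length is enforced (no maximum), nothing but a salted PBKDF2 hash is stored, and the reset flow replaces the password with a random temporary one that must be changed at the next login. The post says “encrypted”; what is actually wanted is a salted, slow one-way hash, which is what this uses. The class and function names, the PBKDF2 parameters and the minimum length are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed parameters for this example (not from the original post).
# PBKDF2-HMAC-SHA256 with a random per-account salt; raise the iteration
# count for production use. Only a minimum length is enforced: there is
# deliberately no maximum, so long passphrases are accepted.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 8


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


@dataclass
class Account:
    email: str                           # the email address doubles as the username
    salt: bytes
    digest: bytes                        # PBKDF2 output; the password itself is never stored
    must_change_password: bool = False   # set after a reset so the emailed password is single-use


class AccountStore:
    """In-memory stand-in for the users table (constructed for this example)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def register(self, email: str, password: str) -> Account:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        key = self._key(email)
        if key in self._accounts:
            raise ValueError("email address already registered")
        salt, digest = hash_password(password)
        account = Account(key, salt, digest)
        self._accounts[key] = account
        return account

    def login(self, email: str, password: str) -> Tuple[bool, bool]:
        """Return (authenticated, must_change_password)."""
        account = self._accounts.get(self._key(email))
        if account is None:
            # Hash anyway so an unknown address takes as long as a wrong password.
            hash_password(password)
            return False, False
        if not verify_password(password, account.salt, account.digest):
            return False, False
        return True, account.must_change_password

    def begin_reset(self, email: str) -> str:
        """Replace the stored digest with one for a random temporary password and
        return that password so the caller can email it. Only its hash is kept, and
        the account is flagged so the next login forces a change."""
        account = self._accounts[self._key(email)]
        temporary = secrets.token_urlsafe(12)
        account.salt, account.digest = hash_password(temporary)
        account.must_change_password = True
        return temporary

    def change_password(self, email: str, current: str, new_password: str) -> bool:
        """Set a new user-chosen password after proving the current (or temporary) one."""
        authenticated, _ = self.login(email, current)
        if not authenticated or len(new_password) < MIN_PASSWORD_LENGTH:
            return False
        account = self._accounts[self._key(email)]
        account.salt, account.digest = hash_password(new_password)
        account.must_change_password = False
        return True
```

The temporary password returned by begin_reset is the one thing that may go in an email; the old password stops working the moment the reset starts, and a successful login with the temporary one reports must_change_password so the application can send the user straight to the change form. A time limit on the temporary password is a sensible addition this example leaves out.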

So let's be nice to the users and try to make their lives easier.  After all, we’re users too.


1 Comment »

  1. [...] Filed under: Uncategorized — KRoss @ 1:35 am Not even a week has passed since I posted this post and I’ve had 3 more examples of the rules I’ve listed, [...]

    Pingback by Do they make it difficult on purpose? « Ramblings of a Geeky Nature — September 16, 2009 @ 1:35 am
