The Password design pattern: My single biggest web peeve
Friday, Mar 11, 2005
Okay, setting aside the larger problems (having to have passwords at all, needing multiple passwords so that your overall security isn't lowered to the scruples and security of your weakest content provider, frequency attacks, and all the rest), my biggest peeve is entirely the site owner's fault, and it is so easily fixed.

The following scenario happens to me at least twice a month:

  1. Go to a rarely-visited site requiring registration (e.g. The Mercury News)
  2. Enter email address (I like that more and more places are using email addresses as unique identifiers instead of usernames. This is good.)
  3. Enter my most-standard password
  4. Find out that the password is incorrect. Try a variation
  5. Still incorrect; try another variation
  6. Get asked again for my email address so they can send me a password-reset link
  7. Go to email, follow link to reset page
  8. On this reset page, and only on this reset page, I'm told what the password requirements are. In this case: at least 6 characters, at least one of which can't be a letter
  9. Instantly know what my password was all along, based on these obscure restrictions

    And these steps are just icing on the SJ Merc cake :)

  10. 'Change' my password to what the password was all along
  11. Get presented with the site's home page, not the story I was originally trying to access
  12. Find the original article link I followed in the first place
  13. Click that link
  14. Get presented with the LOGIN SCREEN.
  15. Be thankful that I have at least the chimplike IQ to remember the password I just entered
  16. Read the story I spent 10 minutes acquiring access to

Leaving aside the dumbfounded wonder of why my newspaper identification account has to be so secure as to necessitate password-acceptability constraints (Oh no! Someone is reading the news while pretending to be me!!), I ask you: how hard would it be to help the user out by reminding them of your site's idiosyncratic password constraints after they enter the wrong password the first time? ("Your password was incorrect. Remember, SJ Merc passwords are at least 6 characters, one of which may not be a letter.")
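Here is what that suggestion looks like in code. This is an added example, not code from the post or from any site it mentions: a single `PasswordPolicy` object states the rules once (the same "at least 6 characters, at least one of which is not a letter" rule the post describes), and the registration error, the reset page and the failed-login message all quote that one description, so the user is told the constraints at the moment they are fumbling the password rather than only after a reset. The class and function names, the PBKDF2 iteration count, and the sample email address are constructed for the example. The failed-login message is deliberately identical whether the email is unknown or the password is wrong, and unknown emails are run through the same hash computation, so the reminder adds no account-existence signal beyond what the signup form already shows.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """The site's password rules, stated once so registration, reset and
    failed-login messages all quote the same text (names are constructed)."""

    min_length: int = 6
    require_non_letter: bool = True

    def describe(self) -> str:
        parts = [f"at least {self.min_length} characters"]
        if self.require_non_letter:
            parts.append("at least one of which is not a letter")
        return ", ".join(parts)

    def violations(self, password: str) -> list[str]:
        """Return the list of rules the candidate password breaks (empty if none)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_non_letter and all(c.isalpha() for c in password):
            problems.append("contains only letters")
        return problems


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library. The iteration count is a
    # constructed example value, not a production recommendation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginService:
    """Minimal in-memory account store (constructed for the example)."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self._users: dict[str, tuple[bytes, bytes]] = {}  # email -> (salt, hash)
        # Dummy credential so an unknown email costs the same hashing work
        # as a known one; the failure message is identical in both cases.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _derive("placeholder", self._dummy_salt)

    def register(self, email: str, password: str) -> None:
        problems = self.policy.violations(password)
        if problems:
            raise ValueError(
                f"Password {'; '.join(problems)}. "
                f"Passwords must be {self.policy.describe()}."
            )
        salt = os.urandom(16)
        self._users[email.lower()] = (salt, _derive(password, salt))

    def login(self, email: str, password: str) -> tuple[bool, str]:
        """Return (success, message). On failure the message restates the policy."""
        key = email.lower()
        salt, stored = self._users.get(key, (self._dummy_salt, self._dummy_hash))
        matches = hmac.compare_digest(_derive(password, salt), stored)
        if matches and key in self._users:
            return True, ""
        return False, (
            "Your email address or password was incorrect. Remember, passwords "
            f"on this site are {self.policy.describe()}."
        )
```

The point of `describe()` living on the policy object is that the reminder can never drift out of sync with what registration actually enforces; the text the user sees on a failed login is the same text the reset page would show. Because the policy is already public on the signup form, repeating it in the failure message discloses nothing new, while keeping one message for both "no such account" and "wrong password" avoids turning the helpful hint into an account-enumeration oracle.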

For one of the most common design patterns on the web, it's amazing that this one is usually so poorly implemented and so non-standardized.

Hi, I'm Kevin Fox.
©2012 Kevin Fox