fox@fury
The Password design pattern: My single biggest web peeve
Friday, Mar 11, 2005 @ 11:01am
Okay, aside from the larger problems of having to have passwords at all, the need for multiple passwords to prevent your global security being lowered to the scruples/security of your weakest content provider, frequency attacks, and all the rest, my biggest peeve is entirely the site owner's fault, and is so easily fixed.

The following scenario happens to me at least twice a month:

  1. Go to rarely-visited site requiring registration (eg The Mercury News)
  2. Enter email address (I like that more and more places are using email addresses as unique identifiers instead of usernames. This is good.)
  3. Enter my most-standard password
  4. Find out that the password is incorrect. Try a variation
  5. Still incorrect, try another variation
  6. Asked again for my email address so they can send me a password-reset link
  7. Go to email, follow link to reset page
  8. On this reset page, and only on this reset page I'm told what the password requirements are. In this case, at least 6 characters, at least one of which can't be a letter
  9. Instantly know what my password was all along, based on these obscure restrictions

    And these steps are just icing on the SJ Merc cake:)

  10. 'Change' my password to what the password was all along
  11. Get presented with the site's home page, not the story I was originally trying to access
  12. Find the original article link I followed in the first place
  13. Click that link
  14. get presented with the LOGIN SCREEN.
  15. Be thankful that I have at least the chimplike IQ to remember the password I just entered
  16. Read the story I spent 10 minutes acquiring access to

Leaving aside the dumbfounded wonder of why my newspaper identification account has to be so secure as to necessitate password-acceptability constraints (Oh no! Someone is reading the news while pretending to be me!!), I ask you: how hard would it be to help out the user by reminding them of the idiosyncratic password constraints of your site after they enter the wrong password the first time? ("Your password was incorrect. Remember, SJ Merc passwords are at least 6 characters, one of which may not be a letter.")

For one of the most common design patterns on the web, it's amazing this one is usually so poorly implemented and non-standardized.

image

Aboutme

Hi, I'm Kevin Fox.
I've been blogging at Fury.com since 1998.
I can be reached at .

I also have a resume.

recentWork

As a user experience designer for Google, I led the design of Gmail 1.0, Google Calendar 1.0, and Google Reader 2.0.

Searchfury
backMatter

All my opinions are belong to me.

©2008 Kevin Fox

Subscribe to Fury.com