Guest Article by
usability can ruin your web registration process. While passwords are a
painful fact of life, there are ways to minimize the problems that users
face. This article contains suggestions on how to best collect passwords
during the registration process, and it will help you determine if you
should allow users to save their passwords.
Passwords Are Painful
Browsing the web
ought to be fun, useful, and informative. At websites that require
password registration, however, the experience is more often slow and
frustrating. A poor password system at your website will stunt
your new user growth and cut down how often users return to use your
Why do websites
make it hard for their users to use their password-protected features?
Their authors don't understand how people use passwords. Remember this
about your users:
sure they're alone. Many users are at work, or school, or
somewhere else where they can't be sure if someone is looking over their
shoulder as they type in a password.
passwords depend on personal information. When you're sitting
there in front of a registration form it's difficult to come up with a
totally random password, so most people cast about for familiar words
and numbers related to their life, their families, even their favorite
They use one
password for everything. Scary but true, the vast majority of web
surfers try to use the same password wherever they register.
typing in passwords. They will almost always choose a "Save
my password" option if it's available.
suggest some best practices for collecting passwords:
1. Cover the
password field with asterisks (*) as you type. This is standard on the
Web, but it's amazing how many sites still don't cover passwords.
You'll always need a Confirm Password field, because users won't be able to
tell if they make a typo.
2. Never echo the
password to the screen. Instead, remind users of their ID and password
in a "Welcome to my website!" email.
3. The Terra.com
portal uses a password-reminder trick you can adopt. When registration
is complete, Terra hides the password in a pulldown, so users can choose
whether to see it again. Don't depend on the password reminder
question. Mother's maiden name, pet's name, hometown ... they're easy
for users to remember but also easy for the wrong people to guess.
Let your users
choose if it's safe to show a password reminder.
When users want a password reminder, validate them by asking for personal
info they've already given you like zip code and birthday. Then send
them a totally new, randomly generated password in an email, to the address
they gave you when they first registered. This way, even if someone
bluffs their way past the validation, they still won't be able to take over
your users' accounts.
You can allow
users to change their passwords back once they've returned to
4. Offer a Save
Password feature, defaulted to save, unless your website stores sensitive
information. You have to be careful with this feature -- to decide how
to use it, think about what could happen if users accidentally save their
passwords on public computers.
To Save, or Not to Save?
Type of Website
sites: premium articles, personalized start pages
auctions, retail, travel
Online bank accounts, 401K statements
Always require login for users to see or update their credit card number,
address or other personal info.
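
The password-reminder flow from item 3 (validate with zip code and birthday, then mail a new random password to the address given at registration), as an added Python example that is not part of the original article. The account store, its field names, and the OUTBOX list standing in for the mail system are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string
from datetime import date

# Constructed sample account store (hypothetical schema, not from the article).
USERS = {
    "pat": {"email": "pat@example.com", "zip": "02451",
            "birthday": date(1970, 5, 17), "salt": b"", "pw_hash": b""},
}
OUTBOX = []  # stands in for the mail system: (recipient, body) tuples
ALPHABET = string.ascii_letters + string.digits

def hash_password(password, salt):
    # Store only a salted, slow hash; the cleartext exists only in the email.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def check_password(user_id, password):
    u = USERS[user_id]
    return hmac.compare_digest(u["pw_hash"], hash_password(password, u["salt"]))

def request_reminder(user_id, zip_code, birthday, reply_to=None):
    """Validate with info already on file, then mail a new random password.

    reply_to is whatever address the requester typed. It is deliberately
    ignored, so the password only ever goes to the registered address.
    """
    u = USERS.get(user_id)
    if u is None:
        return False
    zip_ok = hmac.compare_digest(zip_code.encode(), u["zip"].encode())
    if not (zip_ok and birthday == u["birthday"]):
        return False
    # secrets draws from the OS CSPRNG; the random module is predictable.
    new_pw = "".join(secrets.choice(ALPHABET) for _ in range(16))
    u["salt"] = secrets.token_bytes(16)
    u["pw_hash"] = hash_password(new_pw, u["salt"])
    OUTBOX.append((u["email"], f"Your new password is: {new_pw}"))
    return True
```

A requester who guesses the zip code and birthday still receives nothing: the new password is delivered only to the registered mailbox.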
Keep in mind that
to your users, requiring a password is a hurdle. Set the bar low with good
password usability, and your website will enjoy repeat visitors.
Ledwell is Senior Producer for Direct Marketing at Terra Lycos.
An Internet professional since 1996, he is a battle-scarred veteran
of website usability testing, rapid prototyping, and eye tracking.