Did I Get #13 Wrong? – Do All Sites Need Similar Security?

Jared Spool

January 30th, 2008

In my article, 8 More Design Mistakes with Account Sign-in, Mistake #13 said:

Mistake #13: Not Explaining If It’s The Username or Password They Got Wrong

Returning to an electronics site they hadn’t used since last holiday season, the user entered what they thought was their email address and password, but it didn’t work. The error message was a simple, “Invalid Login. Please Try Again.” Was the password wrong or did they register with a different email address? (After all, they have had several over the years.)

The user tried several different combinations of email addresses and passwords, but none worked. Eventually, they left the shopping cart with a $500 purchase. They went from a very excited customer to a very frustrated one in a matter of moments.

Several folks wrote to tell me I’d gotten this wrong — that, in fact, this is intentional to throw off hackers.

It’s true that if you give an error message helping users know which they’ve gotten wrong, you are also giving prospective hackers information that makes it easier to violate the security of the site.

However, I’m wondering if all sites need the same security rigor. A site where a hacker could get at personal information and steal your identity requires great security.

But, does every site have the same restrictions? For example, an online forum where I can talk about my interest in magic tricks doesn’t need the same rigorous security restrictions as my mortgage account at my bank.

There are those in the security world who suggest that any breach in security is a bad thing and therefore every possible breach should be rigorously protected. Yet, maybe there’s another approach where we can decide, based on the information and functions we’re protecting, to err on the side of an easier experience some of the time.

16 Responses to “Did I Get #13 Wrong? – Do All Sites Need Similar Security?”

  1. Dustin Brewer Says:

    I know what you mean, I’ve had a really bad security experience with two companies recently. I’m not ashamed to mentioned them either. Sprint has recently added new security protocols that require you to create a user name with at least one number in it. Really? The password is also a little more complicated then normal— which doesn’t affect me as much because I use a 7 digit, letters and numbers password for most things.

    However, I have a pike pass for my local toll roads in the area and they have a password policy that makes me crazy. Their password has to be 9 characters, letters and numbers, and at least one uppercase letter. Really? I’ve searched through their site and the only personal information is my name and address which is basically freely available on the internet. You can’t make any changes in the system, and all you can do is pay your bill— which isn’t stored in any available control panel.

    I think security is an issue that needs to be taken with a little more server-side protection and a little less user interaction. Anything that makes the user experience easier is better then making your users remember some insane password combination that will never be remembered. I also use a lot of different usernames, emails and passwords for different sites and find it annoying when they don’t tell me if it is a username or password that I get wrong.

    Great post.

  2. Eric Meyer Says:

    On the other hand, there are still sties that need to be more aware of security. The American Express site restricts passwords to a maximum of eight characters. You literally may not have a password longer than that. And so far as I can tell they don’t require numbers, capitals, or anything else that would lead people away from dictionary words.

  3. Claude Says:

    The problem with “user-friendly” security is that when it is broken/hacked the little bits of information usually associated with the account will be used to build a better profile on the potential victim.

    So, you’re right, it’s a balance of usability vs. ultimate protection for the end user and I look forward to other’s suggestions as well.

  4. Sam Says:

    Excellent point, Jared. I’m facing this at my job also: The idea that security is an absolute concern that should always be considered. I would agree that it depends on the experience at hand, and the tradeoff should always be considered.

    I’m waiting for the day that someone who is both a usability expert and a security expert enters the industry. I personally don’t think usability and security need to trade off (unless you’re a fan of Vista’s UAC…), but as long as security advocates take such an absolute position (“those… who suggest that *any* breach in security is a bad thing”), I doubt progress will be made.

  5. Dustin Brewer Says:

    @Eric Wow, that is surprising. I’m not sure I understand the need for them to restrict the password length, seems like a pointless restriction.

  6. Sean Kane Says:

    Beyond general security concerns, it is also potentially a matter of privacy protection. I would assume it would violate the majority of privacy policies to inadvertently divulge that someone is a user of a service. Even if you aren’t actively trying to hack an account, letting someone know that there is an account at all is a breach of privacy. This is especially true for any site that uses email addresses as the account id.

  7. leovernazza Says:

    Well, I am glad to have opened this discussion ;)

    We have a tremendous user experience problem with passwords. I don’t want to remember them. I have 3 o 4 passwords and I use them everywhere. But, from time to time, there is a stupid service that requires me to put a password with the conditions they want, and so, I forget it (and then,I forget the service, because I know I won’t be able to remember new ones).

    There is another problem. What I do, in this case, is what most people do. So, the problem is the password will be the same in “the mortgage account of you bank” and in the “online forum where you can talk about my interest in magic tricks”, with a high probability. Well, maybe not in that forum, but in the tracking system you were bound to login after your last purchase…

    And it is a problem because we know this, and we cannot just blame the user.

    In my opinion, we need a better solution than usernames and passwords, but in the mean time, we will need secures sites to keep the “global or aggregated user experience”.
    (Does this concept exist?, ok, I just invented it ;))

  8. Abu Says:

    Even though Site A might not need much security, a more rigorous approach to security is a favour to its users.

    Once a user is able to establish the credentials of a victim through a less secure-conscious site, they can then scour the web for other more valuable sites which the user uses simply by googling their username.

    I am sure, as I was once one of them, that the password of many PayPal accounts is the same as the forum account and, although the forum requires a username, the email address can be found by logging into the forum.

    I think that, whilst good UIE is essential, there should be no leeway in this issue.

  9. Colin Says:

    The refusal to specify is pointless anyway, because as soon as you click the “I forgot my password” link you can usually find out whether you got the username correct. On the “email me my password/reset password” page, if the username isn’t correct it typically tells you so.

  10. FBB Says:

    I guess we shouldn’t just think about security in terms of protecting traditional things e.g. losing money, posessions etc.

    It can be about a simple loss of control. Losing identity (all or part) online – or at least having it hijacked can be very damaging, possibly more so than losing posessions.

    Personal security is no longer simply about protecting the more tangible things in life.

  11. Tom Davis Says:

    Sometimes with security implementation — like with anything — developers just use what has always been considered ‘best practice’ even when better solutions have been found. And sometimes it has to do with what users expect and believe to be indications of a secure environment.

    Not giving an indication of user/password could be based on a policy of not storing either userid or password but storing a hash of the two. Or it could be that that’s the way we’ve always done it, in which case a better solution would be to require a few seconds between credential submissions. For a user actually typing the information, it wouldn’t be too frustrating because he or she would probably be spending some time trying to remember or find their password. But it would be enough to hinder an evil doer. And then allowing

    The idea that American Express has a wrong-headed is probably a wrong-headed idea. Just as you could implement slow-down on failure procedures, you can also implement a three-strikes you’re out procedure whereby you are told to call the Amex hotline. Amex has great customer relations infrastructure, and while I will do almost anything to avoid calling some companies, I would quickly call Amex to get my actual login information. In this case, mandating a memorable password might be a much more secure policy than requiring an impossible to remember one and then not providing quick out-of-channel customer support.

  12. Jason Zipperer Says:

    @ leovernazza -
    A trick to solve the “remember password” issue is to have a single password that uses mixed-case alpha-numeric values as well as punctuation. Then modify it with some site-specific value that could be remembered or figured out for each site it is used with. Using modifiers like this can also give you multi-tiered security without the additional memory drain of completely different passwords.

    This raises another issue with security. Is there a solution to be found with a little education? Instead of just requiring certain character limitations, perhaps we have some text describing the benefits of using numbers and punctuation in usernames and passwords. Allow users to become smarter about their online security instead of just putting a control in without the associated knowledge to go along with it.

  13. Paul Says:

    I agree with Abu.

    Although I would like to agree with Jared, that sites “where I can talk about my interest in magic tricks doesn’t need the same rigorous security restrictions as my mortgage account at my bank”: I think we have a problem in treating these sites as isolated entities. Whilst the forum site may be a completely separate entity from the banking site, they *are* connected: by you, as a user of both.

    To illustrate: several years ago, before online security and identity theft became major concerns, I worked for a magazine publisher, developing an authentication system for the myriad of sites they had mirroring their print publications. It was one of those projects where the requirements evolved and mutated over time.

    One of the requirements was that a username should be the user’s email address, as this should always be unique. Another requirement was that passwords had to be stored as plain text, so that admins of the system could simply look in the database to retrieve a lost password and log in to sites using *exactly* the same details as users to check that authentication details worked. At one point unsuccessful login attempts where required to specify exactly what was wrong (unknown username, or correct username, wrong password, account expired, etc.): we developers complained bitterly about these last two requirements, but, although we did manage to get the unsuccessful login messages changed to a generic unsuccessful message, the plain text passwords remained.

    So what did we have? A database that had in excess of half a million email addresses, many of them hotmail, yahoo, etc. addresses and passwords. What were the chances that the passwords were those that were used to access the email accounts? As a test a project manager on one of the magazine sites took 2 hotmail addresses at random and managed to access the email accounts using the passwords in the db: suddenly security became a bit more of a major issue!

    As IT professionals, we know that we *should* choose different username / password combinations for anything we access online, but how many of us actually do? And if we as professionals don’t do what we know we should, what are those who don’t know doing?

    Jason asks “Is there a solution to be found with a little education?”: unfortunately, we still have a duty to protect those who are un-educated or refuse to become educated.

  14. leovernazza Says:

    Paul, I agree with you. What you call “not isolated entities” is what I wanted to express with the term “aggregated or global user experience”.

    Who should care about it? Because intended or not, every site is part of it…
    Is it valid to just focus on your site against the global experience of your user?

    Jared, can we think in such an concept as something real? What do you think?

  15. Luis Rei Says:

    Do All Sites Need Similar Security? Probably not.

    Just a few thoughts:

    - The “magic tricks” forum may share the same underlying software as other more security sensitive sites.

    - Who should decide what should be more secure? Users might not be aware of the security risks involved. A lot of the times not even developers are. Sometimes, security experts themselves aren’t aware until later (when it’s already too late for some).

    - I think OpenID will solve this (not remembering logins/passwords) problem in the near future (couple of years).

    - In engineering, security and safety often involve trade-offs with usability and performance. It’s very hard to decide how much “trading” one should do.

  16. Martin Gjesdal Says:

    #6, Sean: I totally agree with this and I am willing to overlook the usability concern just to stop users from being able to test out different e-mail addresses (aka usernames) and find out whether this person uses the service.

    The only exception might be the ones with lame username rules that prevents one from using e-mail addresses.

Add a Comment