January 30th, 2008
In my article, 8 More Design Mistakes with Account Sign-in, Mistake #13 said:
Mistake #13: Not Explaining If It’s The Username or Password They Got Wrong
Returning to an electronics site they hadn’t used since last holiday season, the user entered what they thought was their email address and password, but it didn’t work. The error message was a simple, “Invalid Login. Please Try Again.” Was the password wrong or did they register with a different email address? (After all, they have had several over the years.)
The user tried several different combinations of email addresses and passwords, but none worked. Eventually, they left the shopping cart with a $500 purchase. They went from a very excited customer to a very frustrated one in a matter of moments.
Several folks wrote to tell me I’d gotten this wrong — that, in fact, this is intentional to throw off hackers.
It’s true that if you give an error message helping users know which they’ve gotten wrong, you are also giving prospective hackers information that makes it easier to violate the security of the site.
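To make the trade-off concrete, here is an added example (written for this edit, not code from the original article or its author): a login check that names the field that was wrong beside one that returns a single message for every failure, plus a small check a site owner can run to see which behaviour they have. The user store, email addresses, password, and message wording are all constructed sample data.

```python
import hashlib
import hmac

# Constructed sample user store: email -> salted PBKDF2 hash. Not real accounts.
_SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    # Iteration count kept low for the demo; production would use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)

USERS = {"alice@example.com": _hash("correct horse battery")}
# Hash of an unguessable dummy value so unknown emails still cost one PBKDF2 run.
_DUMMY = _hash("dummy-never-a-real-password")

def login_verbose(email: str, password: str) -> str:
    """The behaviour the post argues for: tell the user which field was wrong.
    The cost: the same answer tells anyone whether an email is registered."""
    stored = USERS.get(email)
    if stored is None:
        return "Unknown email address."
    if not hmac.compare_digest(stored, _hash(password)):
        return "Incorrect password."
    return "OK"

FAIL_MSG = ("Invalid email address or password. "
            "Registered with a different email? Use 'Forgot which email I used'.")

def login_uniform(email: str, password: str) -> str:
    """One message for every failure. The hash is computed even for unknown
    emails so response time does not separate the two cases either, and the
    message still tells a confused user what to do next."""
    stored = USERS.get(email, _DUMMY)
    candidate = _hash(password)
    if email in USERS and hmac.compare_digest(stored, candidate):
        return "OK"
    return FAIL_MSG

def leaks_account_existence(login) -> bool:
    """Site owner's check: does this login function answer differently for an
    unregistered email than for a registered email with a wrong password?"""
    unknown = login("nobody@example.com", "wrong")
    known = login("alice@example.com", "wrong")
    return unknown != known

if __name__ == "__main__":
    print("verbose leaks account existence:", leaks_account_existence(login_verbose))  # True
    print("uniform leaks account existence:", leaks_account_existence(login_uniform))  # False
```

The uniform version is the "rigorous" choice the post's correspondents defend; the second sentence of its message is one way to keep the user from abandoning the cart without revealing which field failed.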
However, I’m wondering if all sites need the same security rigor. A site where a hacker could get at personal information and steal your identity requires great security.
But, does every site have the same restrictions? For example, an online forum where I can talk about my interest in magic tricks doesn’t need the same rigorous security restrictions as my mortgage account at my bank.
There are those in the security world who suggest that any breach in security is a bad thing and therefore every possible breach should be rigorously protected. Yet, maybe there’s another approach where we can decide, based on the information and functions we’re protecting, to err on the side of an easier experience some of the time.