Originally published: Jan 14, 2008
(Editor's note: In Part I of this article, Jared talked about the first eight of the design mistakes with account sign-in. In this article, he shares eight more mistakes.
Designing an account registration and sign-in process that doesn't frustrate users turns out to be very difficult to achieve. It looks easy at the outset, but a pile of subtleties can sneak up on your experience, making something that should be simple become stressful for the users.
In my recent article, I discussed eight common design mistakes with account sign-in. In this article, I outline eight additional mistakes we've seen as we watch users try to create accounts and sign into the site.
On the Cisco site, when selecting a User ID, users are told that it "must contain at least one letter and no spaces. May contain numbers." It's only after the user enters a six-letter user id that an error message appears amending the rules that the id must be "a length between 9 and 50 characters."
It's not clear why Cisco felt the need to surprise short-labeled users with this additional requirement. None of the users we tested were pleased to learn this additional information.
When creating a new Google Mail account, Google provides a "Check Availability" button, which will inform users about the minimum length requirement (6 characters). This is better than Cisco, in that the user isn't forced to fill out the entire page before discerning whether their desired account name is legal and open.
Blinksale does one better, giving feedback on every character typed. As the user enters an id, the design tells them it is too short or contains illegal characters.
We couldn't stop picking on Cisco without giving you one final peek into their registration process: the page explaining how to choose a password is two-and-a-half screens long. They don't want anyone buying golf balls under false pretenses.
Many people choose passwords based on the underlying importance of the information. They ask themselves, "How much trouble will I get into if this information gets out?" Several folks we talked to use a small number of passwords, each chosen for the underlying security.
The tougher the security policy, the more likely their regular passwords won't work. That will mean they need to create and remember a new password -- something that involves a lot of cognitive work (and probably not work they thought they'd have to sign up for). It's important that sites not go overboard with security requirements unless there's a lot of risk involved with a breach.
One user was recently locked out of their own bank account because they couldn't remember the answers to the challenge questions. It had been almost two years since they first entered the information. One of the questions, "What street did you grow up on?" confused them, since they had moved frequently. They couldn't remember if they'd said the name ("Forest") or the entire street ("Forest Drive").
(To add insult to injury, the telephone support person who unlocked the account told the user, "Remember, the answers are case sensitive." Not only do you have to remember the answer years later, you have to remember exactly how you capitalized it.)
Challenge questions, a new technique to help with password recovery, are still much unproven. It's hard to create questions that will stand the test of time.
Virgin America has a crazy set of questions they ask, including (we're not kidding), "Who is my favorite actor/actress?" "What would be my 'Desert Island Disc'?" and "How much wood would a woodchuck chuck if a woodchuck could chuck wood?" We're hoping they don't really try these for long-term password recovery.
On AllRecipes, the site has a great feature where you can save a discovered recipe to make it easy to retrieve later. Of course, you need an account first. The site asks four screens worth of questions, few related to saving recipes. When done, the user is dumped on the home page and forced to find the recipe they originally wished to save.
Coding the return point from the registration process is technically very difficult. However, don't underestimate how difficult it is for the user to get back to their initial goal. Or, how frustrated they'll become if they are dumped someplace random.
Returning to an electronics site they hadn't used since last holiday season, the user entered what they thought was their email address and password, but it didn't work. The error message was a simple, "Invalid Login. Please Try Again." Was the password wrong or did they register with a different email address? (After all, they have had several over the years.)
The user tried several different combinations of email addresses and passwords, but none worked. Eventually, they left the shopping cart with a $500 purchase. They went from a very excited customer to a very frustrated one in a matter of moments.
At Staples, a wrong username generates the message, "We're sorry, but we cannot find an account for this username and/or password." Whereas, a wrong password generates, "The username and password combination does not match our records." A clue, just this subtle, can help a user sign in a little faster.
At American Express, the site tells you the password is invalid, even when the User ID is incorrect. To add insult to injury, they have two separate recovery procedures: one for the wrong User ID and one for the wrong password. The best sites have a single, simple recovery process regardless of the user's error.
Many users have registered on so many sites, they sometimes can't remember which sites already have their account information. As a strategy, many users will try the most likely username and password combination first, just in case they've already created an account. If this strategy fails, they hope to create a new account right after.
On the CollegeBoard site, a failed password will result in an error message suggesting the user click on the "Forgot your user name link?" User can then enter an email address on record, to send the recovery information too.
However, if there is no email address on record, the user now needs to go to Plan B: creating a new account. Unfortunately, on this page, there is no way to do that. The user has to go back multiple pages in the history to create a new account.
Telling the user you'll send their password in email works great, assuming they know the email address you're using. Unfortunately, many users change their emails over time. (It's said that one-third of all email addresses go dormant each year.) Or, they may be someplace where it's inconvenient to check their email, such as home when they've used their work email.
Midwest Airlines lets users enter their frequent flyer number, email address, or user defined name. Other sites will look up phone numbers and address components.
If users forget their username or password at JC Penney, they'll need both their email address *and* their billing phone number. Requiring one or the other would be great, but requiring both makes it exponentially more difficult to recover the password and likely they'll lose the sale.
Creating a perfect registration and sign-in process takes tremendous work. The best way to identify the problems is to conduct periodic usability tests, with regular registered users, infrequent users, and first time users. If your tests are like the ones we've conducted, you'll see these mistakes (and probably others) emerge almost instantly.
Read related articles: