The top 4 things you should never do to your users
“Good manners are made up of petty sacrifices.”
-Ralph Waldo Emerson
Emerson was on to something. To be polite is to make life easier for those around you. To be rude is simply the opposite. In the world of software, the rudest thing you can do is make your users work harder than they absolutely have to.
Consider this as you read the list below. I think you’ll find it’s the common thread in this tapestry of annoyance.
1. Make them log in by account number.
Using a number to identify users makes life easy as a developer. “Well, we’ve already got a uid column in the user table, let’s just have everyone use that for their login.” Great! Done. On to the next feature.
Awful.
Remembering a long string of digits is hard. Too hard. Because of this, you have effectively tasked me with keeping track of this number forever. And I pretty much hate you for it.
If you must start your users off with account numbers, always give them an option to associate some an alpha-numeric user name with it. People like mnemonics. It’s more work, but only for you.
This, by the way, is one reason we’re all not using ICQ today.
2. Enforce complex password requirements
This is closely related to the first item. If you are not holding highly-sensitive data for your users then drop your password complexity requirements, and I mean completely. If I want to use “Ben” as my password everywhere just let me. If you enforce arbitrary complexity there’s a chance I won’t be able to use one of my favorite passwords, and you’ve again tasked me with recording this information somewhere.
Complex user passwords provide a false sense of security anyhow. An individual compromised user account is actually no big deal. What you should really be spending your energies on is making sure no one can steal your entire database of clear-text passwords, or training your employees not to carry sensitive data, unencrypted, on their sure-to-be-stolen-someday laptops.
3. Make them confirm their email address to register.
I posted last week that you must relentlessly streamline the process by which users register for your site. The back and forth to confirm an email is a serious hurdle to throw in front of users who are considering registering. I often won’t sign up for sites just because I assume I’m going to have to go through this dance with them.
Check out this google search for “disposable email.” This is an entire class of web applications spawned simply because people hate confirming their real email address (I recommend Mailinator by the way.) When users will invest real effort simply to work around something you’ve done, you know you have a horrible idea on your hands.
Note: if you simply must confirm email addresses, at least let your users login immediately and go back to what they were doing. Send the confirmation email immediately, but give them ample time to actually click your message and confirm.
4. Make them opt out of being spammed
I find this one particularly offensive.
I just created a brand new account at Yahoo. During the process, I was not asked to opt in to any sort of marketing whatsoever. But check out what I see if I go to my “Marketing preferences” tab.
Wow, thanks guys. You guessed correctly that I wanted to be signed up for 13 varieties of spam. By default. Without notice.
It’s crap like this that makes me glad Google is going to slowly crush you out of existence.
Any time you find yourself making a decision that makes you money but will annoy your users you have just screwed up.
Let’s all just agree to be a little more polite to each other.
(Angry face by Jan Tik)
(Damn It by base2wave)
Social Bookmark : Technorati, de.licio.us.
Leave a Comment
If you would like to make a comment, please fill out the form below.
I like how SpamGourmet asks you to confirm when signing up.
I just use http://mytrashmail.com/ - it does everything you talk about right, and then some. You don’t create an account - you just log into an inbox. No registration required, no passwords to keep track of. Of course it doesn’t forward e-mail to your actual e-mail account, but you’re already on the site, anyway, and you won’t ever have to cancel the account when the spam continues coming in.
Whoa, there is a clear reason to make people confirm their email addresses: not to make sure they have a legitimate email account, but rather to make sure that someone does not take another person’s email address.
If I know my friend’s email address is jim@bob.com, I can pre-hijack his account…
I agree with everything you’ve said here, except for the bit about password strength. Identity theft is easy because people use “Ben” for their password on some friend’s blog and also on their Wachovia online banking account. Users don’t think about how stupid this is, and if we make them think about it, it will become habit. I, for one, am not willing to take responsibility for someone’s checking account being cleared out.
> Any time you find yourself making a decision that makes you
> money but will annoy your users you have just screwed up.
Well, that depends: Do you want to be in business just for the next two or three years, and then fail because nobody will use your service any more? If that’s your goal, then you haven’t screwed up at all!
If you planned to keep this business going for more than, say, five years, then I agree completely.
@Lucas: Online Banking isn’t the same as a chatbox, forum or wikiwikiweb. If someone steals my wikipedia account, i’ll create another. BFD.
Right on, Aaron. Double-opt in prevents someone from, say, taking the email address of an enemy and signing it up for 100 newsletters.
It would take 10 or 20 minutes to create hours and hours of pain for someone. Until they unsubscribe from all that garbage, you’ve fucked their email account.
I like 2prong.com for short-term emails. It’s no-click, if you visit the site it copies the email into your clipboard and starts checking for responses.
The other big thing is that it rotates domains semi-monthly, to skip by the ‘no free email’ blacklists.
Sure, it’s good to verify a user’s entered in a valid email address for all the reasons Aaron and D said. But why even require an email address if your service (for instance, a chatbox or forum or wiki) has absolutely no need to send you email? If a user wants email notification later on for whatever reason (like getting notified of pms and whatnot), then let them fill in and verify that bit later.
@Foobar: My point is that, unless you enforce some password requirement, a user could get away with using “Ben” for every account they have on the web, because it’s so convenient. Then all someone has to do is crack their wikipedia account, and suddenly they have access to their email account, Wachovia account, etc. We’re the experts. It’s our responsibility to inform internet users and, when necessary, force them to do what’s safe and beneficial for them. Would you like it if your stock broker knew everything in your portfolio was about to tank but didn’t advise you to sell? What’s he there for if he doesn’t protect your money?
I disagree about making them confirm their email to register. There is a teenage idiot with the same name as me going around registering for sights, and he thinks my email address is his. Bearshare let him register and now their messages comes to my inbox.
Ideally, to combine adressing my concerns with yours, they should require you to confirm your email before you can get emails from them for some function. So sign up yes, but you must confirm before you can turn on email notifications.
#5 should be:
“Don’t REQUIRE users to change passwords, and especially don’t require them to change passwords in intervals that are shorter or around how often they visit the site.”
I have a student loan through a company that requires a password change every 30 days, and seeing as I log in to the site only once a month to pay my loan, I have to change my password to something entirely different every month, and it can’t be something I’ve used the last 5 times. I can’t do ANYTHING on the site until I’ve completed this completely unnecessary act, either, so paying my bill, which should be a 1 minute process, is now a 5 minute process because I have to reset my password every month as it makes no sense to remember a password I’ll only need for 30 days. ARRGHH. Which means it’s far faster and more simple for me to just write a check and send it in their “pre-paid” envelope and require a human to open it and process it rather than having the whole thing automated and as such, the whole thing makes no sense from both a user and system standpoint.
I should clarify to not require a password change unless certain conditions are met, such as attempted access by multiple IPs or frequent lock-outs… the obvious methods of breaking into accounts.
One of the things that really gets my goat is when I use “+websitename” in my email address, and they call it invalid.
If I can use that convention, I’ll use my normal email address—at least then I’ll be able to see who is giving out my information, and I can just filter all of it out. If they call it invalid, then I’ll get a throw-away address.
I agree with all except 3 - what is worse?
Asking a user to click a link in an email they will get, or asking all your users to deal with spam because the spammers sign up with crap email addresses and start posting their garbage on the forums?
I think having to click a link (you dont even have to type anything) is a small price to pay to reduce the volume of spam that person would have to deal with.
Also, yahoo is evil. They do absolutely nothing to stop spammers. I once had a yahoo store spam my bulletin board. I reported this to yahoo and i KNOW it was the store itself spamming because they used the same email address to verify their account as was posted on the store website. After reporting this to yahoo and CC’ing the report to the store itself, the store tried to mailbomb my inbox. I reported this to yahoo…yahoo did nothing. Yahoo doesn’t care what it’s users… at least the paying users, do.
I’d like to add another: asking users to enter their email twice, “for confirmation”.
I can understand entering your password twice, since password fields are masked, but emails? That’s just asking for copy and paste.
As far as #3 goes - the goal isn’t always to confirm that this is your One True Email Address (so we may spam you), but often simply to confirm that this isn’t someone *else’s* address you’re using. Fraud is a pretty big problem, and letting people register for a service with any address they want is… problematic. At best, it provides some fun opportunities for pranking.
Personally, I’m rather glad that if someone tries to sign me up for most services, at least I’ll get the confirmation email, at which point I can simply not confirm it. Beats the other way ’round, I say.
If you have to choose between e-mail confirmation and pre-moderation of all content (due to possible vandalization) - I vote for e-mail confirmation.
Login by account number? I thought noone uses it besides GoDaddy =)
I think your points does make sense. But this set of points should not be used to judge the all the sites on the web. Its not fair. Every site has their own unique set of requirements. Take for example the point on validating emails. Forums will need to make sure that it is legitimate users who are posting comments. As for complex passwords, I suggest making strong passwords optional but put the password strength indicator there, just to warn them.
all true… I have all that…
http://www.spymac.com/details/?2331359
Good points.
Thanks. I had to hunt around for the marketing preferences tab in yahoo, but I was glad to find it so I could opt out.
I disagree with not confirming email address. If you don’t make users confirm their email address, you will end up with a lot of returned messages to incorrectly typed email addresses and fake email addresses. Only a few people will use disposable email address, but they should not be your concern.
In addition, it also depends how selective you are in signing up users. If you just want quantity on the expense of quality you can forgo email verification but for the most part you probably don’t want users who are either too lazy to make a couple of extra clicks or too dumb to type their email address correctly.
Everything but 4 has to do with computer security.
Many times in the past I had someone register for a web account using my email address and I was never asked to click for registration. Some idiot, maybe an ex-coworker or someone I debated with on some political forum, used my email address on dating web sites, and other sites and I keep getting responses to their postings, despite I don’t have access to those accounts. In some cases I was able to get their password changed and cancel their web accounts because I got the password emailed to my email address. But none of those web sites asked for confirmation email to verify that it was really me who registered the account there.
I’ve also had web sites where someone did a brute force attack on my password and signed in as me, because the web site wouldn’t allow me to use more that 8 digits for a password.
Not only that, but anyone can easily guess my name if I use an alpha numeric login name, instead of a series of digits.
What you posted is beyond stupidity, and only really really stupid people don’t want email confirmation, don’t want complex passwords, don’t want digits instead of a user name. The type of people who have no business on the Internet in the first place.
Number 4, about not having an opt-out feature is the only thing that makes sense and isn’t stupid beyond belief. Everything else sets a new record for stupidity on the Internet.
If you want 1 to 3 to go away, you are so stupid because any script-kiddie can crack your account and pretend to be you. I suppose you are some sort of left-wing retard that values freedom over security, in that case you deserve some script-kiddie stealing your accounts and identity. As for me, I’ll take security over freedom, because I am smarter and know better than you. I am not some retard like you who cannot remember digits and complex passwords or doesn’t know how to click on links in email to verify accounts.
Before the masses arrive to boo #2…
Yes, really, 90% of the websites out there need to drop all password complexity requirements entirely. I could give a thin damn if someone hacks my Digg account - you’ll get nothing but my bogus, made-up misinformation anyway. I never tell the truth online unless there’s a legal transaction involved, or it suits my interest. I’m especially sick of having to become a member of every site with a new username and password every two clicks.
While we’re at it, webmaster, why does every blog out there have an email field on the comment form? You know we just type baloney in there, right?
You should really put some left padding on your blog. It would make it much more readable.
Re: #2, you’re database probably should not have any clear-text passwords in it to begin with - salt and stir sir!
hmmm….
I am not sure that you know what you are talking about. I am being polite of course.
I somewhat agree with points #1 and #4. Heck, I agree completely on #4. But with #1 I take a different point of view: logging in by account number is practical albeit somewhat cumbersome to the average user. However from a company point of view what is the most relevant piece of information that ties a login with a person? Their account number of course. Having a customer log in with an account number makes sense. From a cost perspective why would a company use anything else? Using the account number allows for a rapid rate of adoption based on a tangible and absolute piece of data. If you forget your account number it is printed on all of your bills. The account number binds the customer to their login. It just “makes sense” ™.
I strongly feel you are “off-base” with the password requirements (#2) and “not thinking it through” on the email verification (#3). There I go being polite again!
Weak passwords are a no-no. They are entry vectors into an application and are jubilantly welcomed by hackers. I am sure you have seen the explosion of “catchpas”; do you ever wonder why they have become the standard? If you have not answered yet let me boldly underline the ingenuity of hackers to expose and manipulate the weaknesses of computerized systems. And yet you propose to make it even easier for people to hack your application? I politely and strongly disagree.
Your opinions on #4 caused me to laugh out loud. In a good way of course. Having a user validate themselves not only safe-guards your service/application from abuse but also increases the value of your offering. Anyone who sees enough value in your offering will take the steps to validate themselves.
So in summary:
#1) makes sense to log in by account number; possible workarounds? perhaps.
#2) soooo many bots out there… Enforce password complexity - not too complex but certainly better than “Ben”. Stop being lazy - develop some good habits. God (or insert here) knows you do not want your friends/enemies/co-workers/life parter/government being able to “easily” access all of your logins…
#3) Verify the user and increase the value proposition. Make the hoops easy to jump through but make them prove they want what you have to offer.
#4) I totally agree. You hit the nail on the head.
Cheers!
[…] The top 4 things you should never do to your users : Codeulate. […]