Account Sign-Ins: Broken in So Many Ways

Usability expert Jared Spool has written a couple of articles on how companies can avoid design mistakes on their web sign-in pages.  Here is his list of common sign-in problems:

  1. Having a Sign-in In The First Place
  2. Requiring Sign-in Too Soon
  3. Not Stating the Benefits to Registering
  4. Hiding the Sign-In Button
  5. Not Making "Create New Account" or "Forgot Your Password" a Button or Link
  6. Not Providing Sign-in Opportunities at Key Locations
  7. Asking for Too Much Information When Registering
  8. Not Telling Users How You’ll Use Their Information
  9. Not Telling Users the Requirements for Username and Password Up Front
  10. Requiring Stricter Password Requirements Than The NSA
  11. Using Challenge Questions They Won’t Remember In A Year
  12. Not Returning Users to Their Desired Objective
  13. Not Explaining If It’s The Username or Password They Got Wrong
  14. Not Putting A Register Link When The Sign-In Is An Error
  15. Not Giving the User A Non-email Solution To Recover Their Password
  16. Requiring More Than One Element When Recovering Password

Links: Account Sign-in: 8 Mistakes to Avoid,
8 More Design Mistakes with Account Sign-in

A few more suggestions (these might be rare but are really annoying!):

  • Don’t limit the number of tries people get.  Okay, maybe there’s some rationale for limiting it to, say, 100 to stop automated password sniffers, but limiting it to three is just silly.
  • Don’t use an account number as a user ID.  That makes it easy for the site to keep unique user IDs, but it forces the user to search through their e-mail every time they want to log in.  Ironically, this mistake is committed on the member site of the Usability Professionals Association.
  • Don’t change your system every two months.  It seems like every time I log in to some places they’ve got a new set of challenge questions, pictures, or some crap that just makes the whole thing slower and more frustrating.
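As an added illustration of the first point above (not code from the original post), here is a small login throttle that takes the author's suggestion literally: a generous hard cap of 100 failures per hour to blunt automated guessing, but no three-strikes lockout. Instead, after a handful of failures it makes each further attempt wait a little longer, so a person who mistypes a few times is barely inconvenienced while a script making thousands of guesses is slowed to a crawl. The thresholds, the in-memory store and the injectable clock are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Policy constants (assumed values for this example):
MAX_ATTEMPTS = 100      # hard cap per window, the post's "say, 100"
SOFT_THRESHOLD = 5      # failures before any slow-down begins
BASE_DELAY = 1.0        # seconds of delay at the soft threshold
MAX_DELAY = 60.0        # delay never grows beyond this
WINDOW = 3600.0         # seconds before the failure count resets


@dataclass
class AttemptState:
    failures: int = 0
    window_start: float = 0.0
    next_allowed: float = 0.0   # earliest time another attempt is accepted


class LoginThrottle:
    """Per-account failure tracking with progressive delay.

    A real deployment would keep this state in a shared store
    (the in-memory dict here is an assumption for the example).
    """

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._state: Dict[str, AttemptState] = {}

    def _get(self, user: str, now: float) -> AttemptState:
        st = self._state.setdefault(user, AttemptState(window_start=now))
        if now - st.window_start >= WINDOW:
            # The window has expired: forget the old failures.
            st.failures, st.window_start, st.next_allowed = 0, now, 0.0
        return st

    def check(self, user: str) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait) for a new attempt by `user`."""
        now = self._now()
        st = self._get(user, now)
        if st.failures >= MAX_ATTEMPTS:
            # Hard cap reached: refuse until the window rolls over.
            return False, WINDOW - (now - st.window_start)
        if now < st.next_allowed:
            return False, st.next_allowed - now
        return True, 0.0

    def record_failure(self, user: str) -> int:
        """Count a failed attempt; returns the failure total in this window."""
        now = self._now()
        st = self._get(user, now)
        st.failures += 1
        if st.failures >= SOFT_THRESHOLD:
            # Exponential backoff from the soft threshold, capped at MAX_DELAY.
            delay = min(BASE_DELAY * 2 ** (st.failures - SOFT_THRESHOLD), MAX_DELAY)
            st.next_allowed = now + delay
        return st.failures

    def record_success(self, user: str) -> None:
        """A correct password clears the account's failure history."""
        self._state.pop(user, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(1, 8):
        allowed, wait = throttle.check("demo-user")
        if not allowed:
            print(f"attempt {attempt}: wait {wait:.0f}s before trying again")
            time.sleep(wait)
        throttle.record_failure("demo-user")
        print(f"attempt {attempt}: wrong password recorded")
```

With these numbers a user who fails four times in a row sees no delay at all, the fifth failure costs one second, and the delay doubles from there up to a minute; only a hundred failures in an hour shut the account for the rest of that window. Because the tracking is per account, a deployment would normally pair it with a per-source rate limit so that one account's failures cannot be used to lock its owner out deliberately.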

I have had the worst web page sign-in experiences with medical sites.  I love that I can now access my records and communicate with my doctor online, but it’s so difficult to remember how to log in, and I do it so infrequently, that it’s a struggle every time.  Part of the reason may be the US HIPAA privacy regulations (which are certainly important, don’t get me wrong).  My doctor’s site has extremely strict requirements for passwords and user IDs, and the only way you can get a reminder is by snail mail (and actually they assign you a new password, so you can’t sign in if you happen to remember it before the mail arrives).  So what happens to me is I’ll get a phone message or email that just says "you have a message — please log in."  I try to log in and fail, so I request a reminder.  Two weeks later I receive a new password in the mail, but by that point I’ve already called them, so I don’t need to log in.  The letter with the new password gets buried (or I choose a new password and forget it) and then months later I go through the whole thing again.  Granted, I’m not the most organized person in the world, but this still seems tougher than it should be.

See also this article by Anna Pickard in the Guardian today: Are you suffering from password pressure?