If you want repeat visitors to a web site that requires a login, make sure your username and password requirements are not too stringent. It sounds simple, but with so many security breaches over the past few years, web sites increasingly demand what they call strong passwords. While I understand the need for this at banking sites, if your site is simply serving subscription-only content, I would argue that a super strong "unique" password policy is probably overkill. It's one thing for someone to get access to a user's account to read the latest refrigerator reviews; it's an entirely different story when someone can transfer your entire paycheck once they have account access.
The whole problem with strong passwords is not the password itself; it is that a typical household today has 15 or more sites that require some type of login, and even when a user wants to reuse the same password, they often cannot. Users should use different passwords for different sites so that a compromise of one site does not leave them fully exposed to an attacker gaining access to all of their accounts. This best practice works for 3-4 sites; above that, most users are forced to start reusing usernames and/or passwords. That leads to our second problem. Some sites allow you to pick your own username, some assign one based on a combination of characters in your name, and others simply use your email address. Passwords can be just as problematic, with some sites requiring a letter, a number, or one uppercase character, or disallowing passwords that start with a number. The list of requirements and restrictions can be endless. As a hardcore user of the Web, I have resorted to keeping a file just to maintain all of my usernames and passwords (I am easily over 30 sites).
Now, if you are going to have some 'funky' requirements for your usernames and passwords, you absolutely must be clear with your users about what those requirements are. On a recent visit to Consumer Reports online, I came across the following registration screen. As usual, their password requirements did not allow me to use a common format I like, but what I really couldn't understand was the message about passwords being "case sensitive". If your values have to be all lowercase, then you should not even be able to submit a password with uppercase letters. If their system can distinguish case, then why not let me type a password with lowercase and uppercase letters like every other site? I get what they're trying to say, but the message certainly made me pause on entry. Furthermore, because I use some uppercase letters on every other site I log in to, every time I visit this site I usually type my password wrong the first time. I end up mumbling, "Oh, I'm on THAT site again that doesn't allow uppercase letters." Having users remember strange passwords is just one more stumbling block to getting them to return to your site. Just look at how much fun captchas are now. Keep that in mind when building out your requirements.
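As an added example (not code from the original post, and not how Consumer Reports or any other site actually implements this), here is a small JavaScript password-policy checker that does what the paragraph above asks for: every rule carries its own user-facing message, so the form can list the requirements before the user types anything, and a rejected password comes back with the exact rule it broke. The policy object, its field names and the sample passwords are all constructed for this illustration. A site that cannot distinguish case is modeled as `allowedCase: 'lower'`, which rejects uppercase input at entry instead of silently folding it and leaving the user guessing.

```javascript
// Added example: explicit, self-describing password rules.
// The policy shape below is this example's own invention (constructed).
const CONSTRUCTED_POLICY = {
  minLength: 8,
  maxLength: 64,
  requireLetter: true,
  requireDigit: true,
  requireUppercase: false,
  forbidLeadingDigit: true,
  // 'any'   = the system compares passwords case-sensitively
  // 'lower' = the system only keeps lowercase, so uppercase input is
  //           rejected up front rather than accepted and then folded
  allowedCase: 'any',
};

// Each rule pairs its test with the message shown when it fails. Keeping the
// two together means the requirements you publish are exactly the ones you
// enforce; they cannot drift apart.
function buildRules(policy) {
  const rules = [
    { test: p => p.length >= policy.minLength,
      message: `at least ${policy.minLength} characters` },
    { test: p => p.length <= policy.maxLength,
      message: `no more than ${policy.maxLength} characters` },
  ];
  if (policy.requireLetter) {
    rules.push({ test: p => /[A-Za-z]/.test(p), message: 'at least one letter' });
  }
  if (policy.requireDigit) {
    rules.push({ test: p => /[0-9]/.test(p), message: 'at least one number' });
  }
  if (policy.requireUppercase) {
    rules.push({ test: p => /[A-Z]/.test(p), message: 'at least one uppercase letter' });
  }
  if (policy.forbidLeadingDigit) {
    rules.push({ test: p => !/^[0-9]/.test(p), message: 'must not start with a number' });
  }
  if (policy.allowedCase === 'lower') {
    rules.push({ test: p => !/[A-Z]/.test(p),
                 message: 'lowercase letters only (this site does not distinguish case)' });
  }
  return rules;
}

// The list to print next to the password field before the user types.
function describePolicy(policy) {
  return buildRules(policy).map(r => r.message);
}

// Returns the messages for every rule the candidate violates; an empty
// array means the password is acceptable under this policy.
function validatePassword(password, policy) {
  return buildRules(policy).filter(r => !r.test(password)).map(r => r.message);
}

// Stand-alone demonstration with constructed sample passwords.
function demo() {
  const lowerOnlySite = { ...CONSTRUCTED_POLICY, allowedCase: 'lower' };
  return {
    requirements: describePolicy(CONSTRUCTED_POLICY),
    accepted: validatePassword('fridge2024review', CONSTRUCTED_POLICY),
    tooShort: validatePassword('ab1', CONSTRUCTED_POLICY),
    leadingDigit: validatePassword('2024fridge', CONSTRUCTED_POLICY),
    mixedCaseOnLowerSite: validatePassword('FridgeReview7', lowerOnlySite),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design point is the single source of truth: because `describePolicy` and `validatePassword` both read the same rule list, the text on the registration screen can never say something different from what the check enforces, which is precisely the mismatch that made the "case sensitive" message above so confusing.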
So, Consumer Reports, I love your reviews and they have saved me a lot of money over the years, but please standardize your username/password policy to be more in line with everyone else.