The Interaction Designer's Coffee Break - Weekly postings and quarterly articles about interaction design

Account sign-in - 8 more design mistakes to avoid

Jared Spool shares 8 more design mistakes with account sign-in:

9. Not telling users the requirements for username and password up front

10. Requiring stricter password requirements than the NSA

11. Using challenge questions people won't remember

12. Not returning users to their desired objective after they have signed in

13. Not telling users whether it's the username or the password they got wrong

14. Not providing a register link when sign-in fails

15. Not giving the user a non-email solution to recover their password

16. Requiring more than one element when recovering passwords


Henrik Olsen - January 16, 2008

See also: Tips and guidelines (95)  Forms (30) 



Unfortunately, several of these design "mistakes" are essential security best practice.

Specifically, 10 and 13.

Secure passwords are obvious--they're just more secure. If there's any type of private information to be had with the user's credentials, it is worth it to have a strong password.

As far as 13 goes, telling the user which one was wrong is helpful, but unfortunately it's a pretty big case of information disclosure. For example, a potential attacker can choose weak passwords, trying one by one, until the system tells her that a hit on a password that's in the system was made. Then it's just a matter of finding the right username, and those are much less well guarded than passwords. Worst case, the attacker can cycle through possible usernames, secure in the knowledge that somewhere in the system there is a vulnerable user.

Michael Katsevman | January 23, 2008
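As an added illustration of the information-disclosure point raised in the comment above (example code written for this page, not part of the original post or of Spool's article): a sign-in check that reveals which field was wrong, beside one that returns a single generic message and does the same password-hashing work whether or not the username exists, so neither the message nor the response time says which half of the credential was right. The user store, passwords and the `authenticate` / `authenticate_leaky` function names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed sample user store (hypothetical): username -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash("correct horse battery", _ALICE_SALT))}

# Dummy credential used whenever the username is unknown, so an unknown user
# costs the same hashing work as a known one (no timing hint about existence).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-not-a-real-password", _DUMMY_SALT)

GENERIC_ERROR = "The username or password you entered is incorrect."


def authenticate_leaky(username: str, password: str) -> Tuple[bool, str]:
    """Mistake #13 as the comment describes it: the message reveals which field failed."""
    if username not in USERS:
        return False, "Unknown username."
    salt, expected = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return False, "Wrong password."
    return True, "Signed in."


def authenticate(username: str, password: str) -> Tuple[bool, str]:
    """Hardened check: one generic message, constant work, constant-time compare."""
    found = username in USERS
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    # Always hash and compare, even for unknown users, to keep timing uniform.
    matched = hmac.compare_digest(_hash(password, salt), expected)
    # 'found' guards against the dummy hash ever matching an attacker's guess.
    if found and matched:
        return True, "Signed in."
    return False, GENERIC_ERROR
```

The hardened variant still lets the legitimate user recover (mistakes 14 to 16 in the list above cover that path); it only stops the error text from confirming that a username exists.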


