Blog & articles

The problem with displaying passwords

March 2nd, 2010

Login fields with hidden password controls

Last year Jakob Nielsen created a bit of a stir in the web community with his article Stop Password Masking. In it he quite rightly points out that displaying only a row of bullets as the user types their password creates uncertainty about whether it has been entered correctly and results in failed logins. He calls for passwords to be shown in clear text as they are entered, so users can see when they have mistyped.

This caused a lot of controversy because it places the usability of the user's interaction ahead of security considerations and challenges an established convention. However, as he points out, many people access sites in situations where they are not overlooked, and making passwords harder to enter may cause users to choose simpler, less secure ones. This is particularly true on mobile devices, where users often pick shorter passwords because typing on a numeric keypad is awkward. He also argues that masking does little to protect the password anyway, since anyone determined to learn it could watch the keyboard instead. However, a password shown on screen is certainly easier to read from a distance than keystrokes are, for example in an open-plan office.

His objection may be valid: many people enter passwords where nobody is looking over their shoulder, and penalising all of them because some are overlooked does not necessarily make sense. However, failing to mask password characters may have wider implications. If the site does not treat the password as something to hide, it may create the perception that the user need not safeguard it either, resulting in more careless behaviour.

Jakob is aware that displaying the password may not be ideal in every situation and suggests providing a control that lets users choose to hide it. This approach is currently used in Windows network settings and in some WiFi software, and Lyle Mullican explores it in more detail in a recent A List Apart article. However, it places the responsibility for deciding whether the password is displayed on the user and adds complexity. It is also a modal control (the user selects either asterisks or the actual characters), which can cause usability problems: a user may start typing before realising the password is being displayed, revealing it to those around them.

IE ISP password dialogue

IE 8 password entry dialogue allows the user to select whether the password is shown.

In his article Better Password Inputs, iPhone Style, Chris Coyier suggests copying the iPod touch/iPhone interface, where only the most recently typed character is displayed and earlier ones are masked. This is fine on a mobile device, where the user can make sure nobody is watching the screen, but may be a problem on a monitor. Users may also fail to notice a mistake if they press the next key immediately after mistyping, since the wrong character is masked as soon as the next one appears.

An alternative approach that addresses many of these issues is to hide the password by default but provide a button that reveals it only while held down. Although the user does not get immediate feedback, they can check the password before submitting, and can hold the button down while typing if they need to. This approach reinforces that the password is meant to be secret and shows it only when the user expressly indicates it is safe to do so. It also removes the chance of users revealing their password by accident. It is not necessarily ideal in every case, and there will be instances where it is best to display the password in full by default. However, assuming the user is entering a password in a private office, or passing all responsibility for safeguarding its secrecy to the user, is not ideal whatever the usability issues.
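The hold-to-reveal control described above, written out as an added example (this is not code from the original article or from any product it mentions). The security-relevant detail is that every way a press can end, not just releasing the button, puts the field back to masked: dragging the pointer off the button, a cancelled touch, releasing the keyboard key, or the window losing focus mid-press. The control is written against the DOM event API but only depends on EventTarget, so the stand-ins at the bottom let it run in Node; the element names in the browser usage comment are assumptions.

```javascript
// Added example: press-and-hold "show password" control.
// Masked by default; revealed only while the button is held; every way the
// press can end re-masks the field so it is never left visible by accident.

const MASKED = 'password';
const REVEALED = 'text';

function attachHoldToReveal(input, button, win = null) {
  input.type = MASKED; // start masked regardless of what the markup said

  const show = () => { input.type = REVEALED; button.setAttribute?.('aria-pressed', 'true'); };
  const hide = () => { input.type = MASKED;   button.setAttribute?.('aria-pressed', 'false'); };

  // Mouse / touch / pen: reveal on press; mask on release, on the pointer leaving
  // the button (dragging off must not leave the password visible), on a cancelled
  // touch, and when the button loses focus.
  button.addEventListener('pointerdown', show);
  for (const type of ['pointerup', 'pointerleave', 'pointercancel', 'blur']) {
    button.addEventListener(type, hide);
  }

  // Keyboard users: reveal only while Space or Enter is held on the focused button.
  const isActivationKey = (e) => e.key === ' ' || e.key === 'Enter';
  button.addEventListener('keydown', (e) => { if (isActivationKey(e)) { e.preventDefault?.(); show(); } });
  button.addEventListener('keyup',   (e) => { if (isActivationKey(e)) hide(); });

  // Switching window or tab while the button is held must also re-mask.
  win?.addEventListener('blur', hide);
  win?.addEventListener('visibilitychange', hide);

  return { isRevealed: () => input.type === REVEALED };
}

// Minimal stand-ins for <input>, <button> and window, constructed for this
// example so the control can be exercised without a browser.
class FakeNode extends EventTarget {
  constructor(props = {}) { super(); Object.assign(this, props); }
  setAttribute(name, value) { this[name] = value; }
}

// Drive the control through a sequence of [target, eventType, extraProps] and
// record whether the password was visible after each step.
function simulatePress(events) {
  const input = new FakeNode({ type: 'text' }); // deliberately wrong initial type
  const button = new FakeNode();
  const win = new FakeNode();
  const ctl = attachHoldToReveal(input, button, win);
  const trace = [ctl.isRevealed()];
  for (const [target, type, extra] of events) {
    ({ button, win })[target].dispatchEvent(Object.assign(new Event(type), extra));
    trace.push(ctl.isRevealed());
  }
  return trace;
}

// In a browser (element ids are assumptions for this example):
//   attachHoldToReveal(document.querySelector('#pw'), document.querySelector('#show-pw'), window);
```

The button should be a real button element so that keyboard users get the same hold-to-reveal behaviour; a click-to-toggle control would reintroduce the modal problem described above, since the field could be left in the revealed state.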

Alternatives to CAPTCHAing users

May 18th, 2009

CAPTCHA is a method designed to prevent automated programs from submitting information to a website. It can help stop these programs registering with sites, posting spam comments or getting up to other undesirable activity. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It works by requiring the user to type in a code displayed within an image. The images are usually distorted so that character recognition software cannot read the code, but this can also make it difficult for users to work out which characters are displayed. For example, the following completely illegible CAPTCHA image appeared on Flickr.

Illegible Flickr CAPTCHA image

The reason these images are becoming harder and harder to decipher is that the programs used to post spam grow more sophisticated in order to overcome the obstacles placed in their way. Gmail, Yahoo and Hotmail have all had their CAPTCHA images broken by spammers, and although it is fairly easy to render a code in a new way, staying ahead of the bots means the images have to be fairly obscure.

Gmail, Yahoo and Hotmail's CAPTCHA broken by spammers

This method is fairly widely used on the internet but puts the onus on the user to prove they are not a computer program. There are alternatives: Akismet, for instance, examines content submitted to a website and assesses it against various criteria to determine whether it is likely to be spam, and flagged content can then be reviewed by the administrator. Similarly, anti-spam software can filter out spam sent from contact forms rather than making it more difficult for customers to contact you.

Honeypots are another method that can be used on forms to help prevent submissions from malicious programs. This involves adding an extra field to the form that is hidden from your users (for example with CSS) but still present in the markup. Because these programs do not view pages the way users do, they tend to fill in every field they find, so any submission with the hidden field completed can be rejected. Ned Batchelder's article Stopping spambots with hashes and honeypots covers the use of honeypots to prevent spam in more detail. It also shows how to make things even harder for automated spam programs by randomising field names and using the submitter's IP address to block automated submissions from groups of machines.

These methods can do a lot to minimise misuse of your site by malicious programs. However, how well they hold up depends to some extent on how valuable your site is to spammers. Gmail, Yahoo and Hotmail saw their CAPTCHA images broken because it was worth the effort to register large numbers of email accounts automatically and send spam from them. Honeypots on their own will be easy to overcome if there is good reason to do so, although Ned Batchelder's full method is likely to be more difficult. You can reduce the value of overcoming your defences by, for example, adding rel="nofollow" to links in comments on your site so that they do not improve the spammer's search engine ranking.

The main thing is not to use CAPTCHA indiscriminately on forms. There may be some situations where it is useful, particularly if the returns for beating your defences are significant. However, in the majority of cases you are simply creating a barrier for the people using your site.

Speed more important to men than women?

May 8th, 2009

According to a study carried out by Southern Illinois University men consider download speed to be more important than women do. 301 undergraduate students were surveyed about the relative importance of a range of usability criteria. Both men and women considered ease of use to be the most important. However, men indicated that download speed was the next most important while women rated accessibility and navigation as more important.

The researchers have suggested that this difference may be a result of differences in the way men and women use the web, with men using it for information gathering and women using it for social relationships. However, it is unclear whether this expressed preference will actually have a bearing on behaviour. Just because women say it is less important does not mean they are necessarily more likely to remain on a site with large delays. Neither does it indicate what men and women consider a slow download speed.

Usability Study: Men Need Speed

Technical jargon confuses users

April 28th, 2009

Many technical terms may confuse users

The use of abbreviations, acronyms and technical language often confuses users because it requires specialist knowledge. In a recent study the Gadget Helpline surveyed more than 5000 people to discover the least understood technical terms. The ten most confusing include dongle, cookie and WAP. Interestingly, digital TV also appears in the list, given the amount spent promoting the digital switchover. Maybe the range of television services, such as Freesat, on-demand TV, Sky and Sky+, makes it unclear which are included in digital TV. The study also highlights how brand names for technology can confuse things further by creating multiple terms for the same technology.

Gadget jargon still confuses many

Making associations

March 18th, 2009

xkcd comic on correlation

Measuring aspects of real-world behaviour often reveals correlations between different variables. A correlation indicates the strength and direction of a relationship. For instance, there may be a correlation between page length and time spent on a site. However, it is important to remember that a correlation does not prove one variable is responsible for the other. One may cause the other, the causation may run the other way, or both may be affected by a third factor. In the case of page length and time on site, users may be spending longer because there is more to read, or because it is harder to find what they are looking for. It may also be that sites with longer pages have something else in common that leads users to spend more time, such as more related content to which they can be directed.