Archive for the ‘Interaction design’ Category

The problem with displaying passwords

Tuesday, March 2nd, 2010

Last year Jakob Nielsen created a bit of a stir in the web community with his article Stop Password Masking. In the article he quite rightly points out that displaying only a row of bullets as the user types their password creates uncertainty about whether the password has been entered correctly and results in failed logins. He calls for the use of clear text when entering passwords so users can see if they have mistyped a password.

This caused a lot of controversy as it places the usability of the user's interaction before security considerations and challenges an established convention. However, as he points out, many people are accessing sites in situations where they are not overlooked, and making it more difficult to enter passwords may cause users to choose simpler, less secure passwords. This is particularly true with mobile devices, where users often enter shorter passwords to make it easier as they have a numeric keypad. He also argues that obscuring the password does little to protect it anyway, since if someone wants to work out your password they could always look at the keyboard. However, if the password is on screen it is certainly easier to see from a distance if, for example, you are working in an open-plan office.

His objection may be correct: many people will be entering a password in a situation where they are not overlooked, and making it difficult for these users just because some people are overlooked does not necessarily make sense. However, failing to mask password characters may have wider implications. If the site does not mask the password, it may create the perception that the user does not need to safeguard this information, resulting in more careless behaviour.

Jakob is aware that displaying the password may not be ideal in all situations and suggests that a control could be provided allowing users to choose to hide their password. This approach is currently used within Windows network settings and some WiFi software. In a recent article on A List Apart, Lyle Mullican explores this approach in more detail. However, the approach places the responsibility for managing whether the password is displayed with the user and adds complexity. It is also a modal control (the user selects either to display asterisks or actual characters), which can cause usability issues. For instance, the user may start typing the password without realizing it is being displayed, revealing it to those around them.

IE 8 password entry dialogue allows the user to select whether the password is shown.

Chris Coyier, in his article Better Password Inputs, iPhone Style, suggests doing something similar to the iPod touch/iPhone interface, where only the last letter is displayed on screen. This is fine for a mobile device, where the user can take steps to ensure no one is looking at the screen while they input the details, but may be an issue when displayed on a monitor. Users may also fail to notice mistakes when they press another key immediately after they mistyped.

An alternative approach which addresses many of the issues is to hide the password by default but provide a button that, when held down, reveals the password. Although the user doesn’t receive immediate feedback, they have the option to check their password before submitting, and the user could hold the button down while typing if required. This approach highlights the importance of keeping the password secret and only shows it when the user expressly indicates it is safe to do so. It also removes the chance of users accidentally revealing their password. This is not necessarily an ideal solution in every case and there will be instances where it is best to display the password in full by default. However, assuming the user is entering a password in a private office, or passing all responsibility for safeguarding secrecy to the user, is not ideal whatever the usability issues.
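
A sketch of the hold-to-reveal control described above, as an added example that is not part of the original post; the function name and the assumed markup (an `<input type="password">` and a `<button type="button">`) are illustrative. The field is re-masked on release, when the pointer leaves the button, when the button loses focus and on submit, so it is never left in clear text.

```javascript
// Added example: wire a "hold to show" button to a password field.
// `input` is an <input type="password">, `button` a <button type="button">
// (assumed markup). The field stays masked unless the button is actively held.
function attachHoldToReveal(input, button) {
  const show = () => { input.type = 'text'; };
  const hide = () => { input.type = 'password'; };

  // Pointer (mouse, touch, pen): reveal only while pressed on the button.
  button.addEventListener('pointerdown', show);
  for (const ev of ['pointerup', 'pointerleave', 'pointercancel', 'blur']) {
    button.addEventListener(ev, hide);
  }

  // Keyboard users: holding Space on the focused button reveals the password.
  button.addEventListener('keydown', (e) => { if (e.key === ' ') show(); });
  button.addEventListener('keyup', hide);

  // Re-mask before the form is submitted.
  if (input.form) input.form.addEventListener('submit', hide);

  hide();          // masked by default
  return hide;     // lets the page re-mask on its own triggers, e.g. tab hidden
}
```

In a page this would be called as `attachHoldToReveal(document.getElementById('password'), document.getElementById('show-password'))`, where both element ids are placeholders.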

Alternatives to CAPTCHAing users

Monday, May 18th, 2009

CAPTCHA is a method designed to prevent automated programs from submitting information to a website. It can help prevent these malicious programs registering with sites, posting spam comments or getting up to other undesirable activity. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It works by requiring the user to enter a code displayed within an image. Images are usually distorted to prevent programs from using image recognition software to recognise the codes. This can also make it difficult for users to accurately work out what characters are displayed. For example, the following completely illegible CAPTCHA image appeared on Flickr.

[Image: Flickr CAPTCHA]

The reason these images are becoming more and more difficult to decipher is that the programs used to place spam become more sophisticated in order to overcome the obstacles placed in their way. Gmail, Yahoo and Hotmail have all had their CAPTCHA images broken by spammers, and although it is fairly easy to present an image in a different way, it does mean they have to be fairly obscure.

Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers

This method is fairly widely used on the internet but places the emphasis on the user to prove they are not a computer program. There are alternatives to this approach. For instance, Akismet looks at content submitted to a web site and assesses it against various criteria to determine whether it is likely to be spam. Flagged content can then be reviewed by the administrator. Similarly, anti-spam programs can be used to filter out spam sent from contact forms rather than making it more difficult for customers to contact you.

Honey pots are another method that can be used on forms to help prevent submissions from malicious programs. This involves placing extra fields within a form that will be invisible to your users. As the programs do not view pages in the same way as users, they tend to complete these fields, meaning you can reject these submissions. Ned Batchelder’s article Stopping spambots with hashes and honeypots covers the use of honey pots to prevent spam in more detail. It also indicates how to make things even more difficult for automated spam programs by randomising field names and using the submitter's IP address to prevent automatic submissions from groups of machines.
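
One way to combine a honeypot field with randomised field names tied to the submitter's IP address, as the paragraph above describes. This is an added example, not code from the original post or from Ned Batchelder's article; the secret, the field names, the 30-minute window and the function names are all assumptions.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret';   // assumption: per-site server secret
const MAX_AGE_MS = 30 * 60 * 1000;          // assumption: form valid for 30 minutes
const REAL_FIELDS = ['name', 'comment'];    // fields the visitor should fill in
const HONEYPOT = 'email2';                  // hidden with CSS; humans leave it blank

const hmac = (key, msg) =>
  crypto.createHmac('sha256', key).update(msg).digest('hex').slice(0, 16);

// Per-form token bound to the issue time and the requester's IP address.
const spinnerFor = (ts, ip) => hmac(SECRET, `${ts}|${ip}`);

// Rendering the form: returns the hidden values and the obscured field names.
function issueForm(ip, now = Date.now()) {
  const spinner = spinnerFor(now, ip);
  const names = {};
  for (const f of [...REAL_FIELDS, HONEYPOT]) names[f] = 'f' + hmac(spinner, f);
  return { ts: String(now), spinner, names };
}

// Handling the POST: returns { ok: false, reason } or { ok: true, fields }.
function checkSubmission(body, ip, now = Date.now()) {
  const ts = Number(body.ts);
  if (!Number.isFinite(ts) || ts > now || now - ts > MAX_AGE_MS)
    return { ok: false, reason: 'stale-or-bad-timestamp' };
  const expected = Buffer.from(spinnerFor(ts, ip));
  const given = Buffer.from(String(body.spinner || ''));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'spinner-mismatch' };  // forged, or issued to another IP
  const name = (f) => 'f' + hmac(expected.toString(), f);
  if ((body[name(HONEYPOT)] || '') !== '')
    return { ok: false, reason: 'honeypot-filled' };   // only a program sees this field
  const fields = {};
  for (const f of REAL_FIELDS) fields[f] = body[name(f)] || '';
  return { ok: true, fields };
}
```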

These methods can do a lot to help minimise misuse of your site by malicious programs. However, to some extent it will depend on the value of your site to spammers. Gmail, Yahoo and Hotmail have seen their CAPTCHA images broken as it is worth the effort in order to get large numbers of programs automatically registering email accounts and sending spam. Honey pots on their own will be easier to overcome if there is good reason to do so, although Ned Batchelder’s full method is likely to be more difficult. You can reduce the value of overcoming your defences by doing things such as using nofollow links in comments on your site so they will not improve search engine rating.

The main thing is not to use CAPTCHA indiscriminately on forms. There may be some situations where it is useful, particularly if the returns for beating your defences are significant. However, in the majority of cases you are creating a barrier for the people using your site.

Most product returns aren’t due to problems

Saturday, June 28th, 2008

According to a study by Accenture in the US, reported by the PC World site, only 5% of electronic products returned to retailers were returned due to malfunctioning. The study suggested that 27 percent of returns were due to buyer's remorse; however, a massive 68 percent were due to the products failing to meet their owners' expectations. This was either due to the customer thinking the product was defective when it wasn’t, or the product not behaving as expected. With return rates at between 11 and 20 percent, this represents a massive number of items returned because they do not provide a satisfactory user experience. This may also be partly due to the way electronic products are bought. Often the customer purchases online or in store without first interacting with the product. This may result in users being less forgiving if they experience difficulty, as they have already paid for the product.

Most Returned Products Work Fine, Study Says

Dilbert 2.0

Friday, April 25th, 2008

Recently dilbert.com has updated their site, introducing a new design, structure and functionality. The site makes use of some very innovative user generated content, such as mash ups, an area where users can suggest new punchlines and vote for the best ones.

User generated content can have several advantages: it involves users in the site, means content is frequently changing and can encourage users to promote the site to others. However, it also has a downside in that it can provide the opportunity for those dissatisfied with your brand, site or actions to speak out.

Chevy discovered the negatives of user generated content when they tried to get people to create their own adverts for the Tahoe using video clips and music they had created. People used the clips to bash Chevy and the fuel economy of their vehicles. Although not as extreme, users could be seen using the mash up functionality to criticize the site this week.

Feedback on the dilbert site

A user has used the cartoon above to post the message “Who cares about mash ups? All we want is a simple fast web site to read Dilbert! This new site sucks. Bring back the old web site!!”.

It isn’t uncommon for site redesigns to have some negative responses even if the changes are for the better. Regular users get used to where content is and to the design, and are put off by change. This is one of the reasons why it is important to manage change, informing users what’s happening, introducing ways to give feedback and, when possible, making incremental changes.

This comment also highlights an important point: just because there are extra web 2.0 features does not mean users are willing to put up with poor performance on key functionality. Why it was decided to display the cartoons on the home page within a Flash area is incomprehensible when an image would do much the same job more efficiently. The use of the ‘beta’ label will also do little to appease users when they had a perfectly good site before.

Tag cloud search

Thursday, February 28th, 2008

Web search engine Quintura has introduced a tag cloud to its search results, allowing users to see associated terms. Interestingly, this allows the user to easily exclude terms that are not relevant to their search, quickly reducing the number of results and increasing the relevance.

Quintura site search

The search seems to be a bit hit and miss currently. Sometimes when I excluded words I thought had nothing to do with my search, sites I thought highly relevant disappeared. However, the functionality is interesting and allows the user to easily search by excluding irrelevant content, filtering results.