Everyone has their pet peeves. I am not a usability expert and for a software engineer I am not particularly adept at creating dazzling user interfaces (UI). But I do appreciate well designed UIs. I wanted to call out some of the poor login experiences I know of. I understand that login screens are probably one of the first screens designed on a site. And it could be forgotten amongst the other parts of a site. But it will be one of your most trafficked pages. I don’t think I have ever stopped using a site because it had a poor login experience. But a part of me dies inside each time I logon to those sites.
Why can’t I just login with my email address?!? It guarantees uniqueness and you ask for it anyway, so you can email me. Now I have to make up some funky unique name like MarkStevens1234, which god forbid if I ever have to remember it. Well Mark Stevens might have to. But you get the point.
I am okay if the login accepts both email and username. But please state that.
Many banking sites do this and I guess they use this as an extra layer of security. I am not 100% if I buy that argument. A username could probably be guessed pretty easily by knowing the email address of a person and/or other usernames they use.
Don’t believe me? Try taking firstname.lastname@example.org. Probably won’t be available. Neither will mark5 nor mark100.
Examples: www.401k.com, www.wellsfargo.com
2. Arbitrary Numbers as a Login ID
Even better! Now I have to remember a number that I couldn’t guess if I my life depended on it. I just hate this. It’s like 2 passwords. How about a longer password?
Examples: www.arbonne.com, www.capitalone.com
3. Short Password Lengths Limits
It is absolutely baffling that some sites limit passwords to 8-12 characters. Longer passwords are more secure. So why would they limit them? This is the opposite direction we are supposed to moving. The only excuse I can see there being is that it is a legacy system. I can’t think of any other reason out of pure laziness. It is not hard to widen a database column from 12 characters to 24/32/64 characters.
TD Canada Trust finally fixed this on their site. Here is an image of their site a little while ago.
(EDIT: July 28, 2013)
Pink Dot @ 247waiter.com. A piece of me died inside.
4. Improper redirecting post login
If you are clicking on a link from an email and you need to sign in. You expect that you will be taken to the page you wanted. I hate sites that always take you to a standard page. Now you need to hit back a few times or re-click the link. Premier League website does this.
5. Plaintext passwords
After signing up for a site, some sites send you an email with your password in plaintext. Nice.
Many people believe email is a lot more secure than it is. And it isn’t insecure because people break into accounts. Anyone reading traffic from the millions of internet nodes could be reading emails that are being sent through them. I have signed up for a few sites that send passwords in plain text. plaintextoffenders.com has a great list though!
6. Login with Facebook
I hate the way they do this. This will not be widely accepted until you can use the mechanism without giving the app/site permissions to your Facebook account. I almost never use it unless I want the app interacting with my account. They should allow you to choose what permissions you allow. Many times these apps ask for a lot of permissions. If they do these things, they will be used much more.
Login experiences are getting better. Most follow a pretty standard template. But there is still this big problem of remembering passwords and following the rules of secure passwords. It takes too much time and effort. I like ideas like OpenID. Password saving plugins are good too, like LastPass.