Login friction

Signing into a site that you have already registered with should be a smooth experience, but I've recently been frustrated by my own lack of foresight. I have three different email addresses that I use to sign up for various services on the web. I have a Yahoo address that I've had forever, a Gmail address, and my Six Apart address. Unfortunately, I haven't been as careful as I should have been about which address I use to register, and I sometimes find myself having to try each of those addresses (and a couple of different passwords) in a frustrating attempt to log in to sites that I visit relatively often.

This is a case where the assumption has been made that people know their email address (which is usually a pretty solid assumption), but in my case I've created friction for myself by not using the same email address every time.

It's my own fault, I know, but there is a way that sites can help me with this problem: tell me whether the email address is wrong or just the password is wrong. If the email address that I've entered exists on the system, don't just give me the generic "Login is incorrect" message. The error messaging should state either "This email address does not exist on our system" OR "The password you have entered for this email address is incorrect." I know that would make my life a little easier.

5 Comments

"The password you have entered for this email address is incorrect." would be the best move because it's informative but doesn't tell you anything about the data. In other words, with the message "This email address does not exist in our system" you're giving an attacker too much information. So while I agree that messages should be more informative, any clue as to which piece of login data is wrong is just a sign on your door that says, "ooh, you can make progress easily if you attack it."

I still think you are giving people too much information by even confirming the email address is a valid one. People can then easily use your system a) in a dictionary attack against your account, or b) as a way for spammers to validate email addresses.

This is a tricky problem though and one that is not easily solved by language and copy alone...

I don't have anything substantive to add, but really just wanted to try out commenting.

You guys are right, of course. Security does need to trump usability sometimes.

Thanks for your honesty Anil :)
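The trade-off argued in the post and the comments above, shown as an added example that is not part of the original post or its comments: `login_verbose` returns the two messages the post proposes, while `login_uniform` returns one message for every failure and does the same hashing work whether or not the address is registered, so neither the wording nor the response time confirms an account. The account store, the sample password, the generic and success messages, and the PBKDF2 work factor are assumptions made for the sketch.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) as it would be stored for one account."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store: email -> (salt, password hash).
USERS = {"alice@example.com": make_record("correct horse")}

# Record checked when the email is unknown, so both failure paths hash once.
_DUMMY = make_record(os.urandom(16).hex())

GENERIC = "The email address or password is incorrect."  # assumed wording

def login_verbose(email: str, password: str) -> tuple[bool, str]:
    """The post's proposal: the message says which field was wrong."""
    record = USERS.get(email.lower())
    if record is None:
        # Returns without hashing: wording and timing both reveal "not registered".
        return False, "This email address does not exist on our system"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        # Confirms that the address is registered.
        return False, "The password you have entered for this email address is incorrect."
    return True, "Welcome back."

def login_uniform(email: str, password: str) -> tuple[bool, str]:
    """The commenters' position: one message and one code path for any failure."""
    record = USERS.get(email.lower())
    salt, stored = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if record is not None and matches:
        return True, "Welcome back."
    return False, GENERIC
```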
