I graduated with a CS minor from the University of Virginia in 1992. The reason it's a minor and not a major is because to major in CS at UVa you had to go through the Engineering School, and I was absolutely not cut out for that kind of hardcore math and physics, to put it mildly. The beauty of a minor was that I could cherry pick all the cool CS classes and skip everything else.
One subtle tweak… the Sign In and New Account buttons should have some space between them, to reduce the chance of a misclick. And the "expected" action should be the one directly below the name/password fields.
I find it kind of weird that the "Login" button looks different in different places:
Once, it's an open lock, and once a person. Is there any particular reason for that?
All very good points, and it leads to a discussion about passwords in general. Pet hate of mine is websites that don't allow anything other than alphanumeric characters, to my mind the site itself is not secure when they won't let me use ! in the middle of my password string.
Have recently had to give up an account because the site decided that a few failed login attempts (thanks to a 2 year old) was a security risk, so they changed my password for me (gee thanks). They won't show me all of the email address although from what they did show me I could figure out which one it was - and their forgot password email never arrives (apparently a common problem with this very large site). Naturally of course there is no way to contact anyone there either.
And in a site I run I often get people trying to be reunited with accounts where they have no matching information, yet they claim that they are the owner but they used false info for privacy reasons - if all I've got to go on is an email address, first name and birthdate and you've changed those then I'm not giving you this old account! I'm setting up a page of security questions to hopefully tackle that in the future.
If you don't respect the {USERNAME}{TAB}{PASSWORD}{ENTER} sequence on your login form, me and my friend KeePass will be constantly looking for another alternative website. That and also making sure the title of your login page includes your website's name and not only a generic "Log In" title.
This is awesome. Thank you. I'll keep those in mind for the future as currently I have no websites with this problem as I just leave them behind hehe. And I have more than 400 entries in KeePass
Seems like a bad idea; a lot of people use Caps Lock as an "easier way" to type lots of characters in capitals. And they may not use it consistently. When they didn't use it when signing up or changing their password but they are using it now, you will get a mismatch and you'll be punishing them for not being consistent. That would be bad form.
A lot of users end up being behind the same proxy exit servers, and thus having the same small pool of IP addresses - back in the day, AOL was the biggest offender here. Be careful that rate-limiting bad logins by incoming IP address doesn't make life hell or at least very confusing for these users. Perhaps make it based on the combination of email address -PLUS- IP address.
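The email-plus-IP keying suggested in the comment above, as an added example that is not part of the original thread: a sliding-window failed-login limiter run once keyed by IP only and once keyed by (email, IP). The class, function names, thresholds and sample addresses are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Sliding-window count of failed logins per key (key chosen by key_fn)."""

    def __init__(self, key_fn, max_failures=5, window_seconds=300):
        self.key_fn = key_fn
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent(self, email, ip, now):
        q = self._failures[self.key_fn(email, ip)]
        while q and now - q[0] >= self.window:  # drop failures outside window
            q.popleft()
        return q

    def is_blocked(self, email, ip, now=None):
        now = time.time() if now is None else now
        return len(self._recent(email, ip, now)) >= self.max_failures

    def record_failure(self, email, ip, now=None):
        now = time.time() if now is None else now
        self._recent(email, ip, now).append(now)


def by_ip(email, ip):
    return ip


def by_email_and_ip(email, ip):
    # Normalise the address so case/whitespace variants share one counter.
    return (email.strip().lower(), ip)


def newcomer_blocked(key_fn):
    """Constructed scenario: six different users behind one proxy address each
    mistype a password once; is a seventh user on that address locked out?"""
    limiter = FailedLoginLimiter(key_fn)
    proxy_ip = "203.0.113.10"  # constructed, documentation-range address
    for i in range(6):
        limiter.record_failure(f"user{i}@example.com", proxy_ip, now=1000.0 + i)
    return limiter.is_blocked("newcomer@example.com", proxy_ip, now=1010.0)


if __name__ == "__main__":
    print("keyed by IP only:    ", newcomer_blocked(by_ip))
    print("keyed by email + IP: ", newcomer_blocked(by_email_and_ip))
```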
Another one that drives me nuts is the auto-caps of the first letter in a text input applied by Mobile Safari: giving the browser an indication that the field is an email or username is a must.
Ok, I guess I am Frank9 here. yuck… Anyways… I liked this post Jeff. I am going to refer to this when I revise my login system to my CMS tool. I am dealing with an incremental rewrite with a designer in a few weeks and it definitely short circuits what's important and what is better than acceptable (I usually don't have the luxury to think about this stuff the way you guys did). So you taught me something useful today… I can't wait to see what else is up your sleeves on future projects. I have come to the conclusion that you and Sam and the Troutfish, make the internet a better place. Optimal Tip to Tip Efficiencies here. (second to last sentence is an honest sentiment and the wording came out funny, and the last one… well you get the joke(segway);
Regarding your email is your identity… I think, your identity is your identity. Email Twitter Facebook these are best considered - not identities but means of verifying your identity. So your "identity record" in a system is related to each of those, but not one of those defines it. For a long time I thought using email address as your de-facto identifier as a login name made good sense.
I'm an older guy (w/ a teenage daughter), and it's striking to the extent email is becoming much less relevant to the younger generation. They will inevitably have all of Twitter, Tumblr, Email address, and mobile phone number, but keying in on one as the God "identifier" if you will feels a little off.
The box with login w/Twitter, Facebook, etc… seems the right solution for the present, but still feels not quite right, at least not totally elegant. A universal standard for internet identification of course would consolidate and simplify things, but not just the adoption by so many providers, but the concerns about privacy and tracking etc… would seem difficult to even get off the ground.
One thing that's always bugged me is forms, like the Discourse one, that effectively have login and register on the same form but if I put my name/pass in one form don't carry them to the other.
In other words, I see both "log in" and "create new account" at the bottom. I type my username and password and click "create new account" expecting it to create a new account with the name and password I just typed. Instead it says Haha for typing your name/pass and clicking "create new account". Instead I'm going to discard what you just typed and make you type it again because that misleading button actually leads to a different form. F.U!
WHY!!!
First you mislead me by putting 2 buttons that look like actions but one is not the action it claims it is. It's not going to "create a new account" it's going to "switch to the create new account form".
Second you waste time type and throw away my work. This is especially infuriating if I happened to enter that on mobile where typing is super tedious, especially if my password follows some crazy rules.
It seems like copying the name/pass from one form to the other (or making them the same form and hide/un-hide the extra fields for registering) would be more respectful of the user's time and slightly mitigate the fib that "create new account" doesn't actually create a new account.
Malicious humans or bots can already figure out if an email address or username exists in the system by trying to make a new account with that email address or username. I don't think there is any advantage to trying to hide that information here.