++ The Perfect Login: gentle, polite, humble, optional

I find most login/register web pages annoying. My goal here is to build a kind of "check-list" of good practices when designing a login/register web page.

This page is a reference page, not a blog post. I keep it updated.

Table of Contents (kinda)

* Intro
* Make it optional
* Combined Sign-In & Sign-Up
* Login log
* Text input, No Flash
* Country best effort auto-detect
* Language selection
* Name & Id
* Passwords
* Mutable ID
* Empty password
* Empty ID
* ToDo: CAPTCHA, OpenID.
* Email validation
* Password recovery
* Recommended readings
* Comments

+++ Introduction

Some people say that Web design is an art. I agree, somewhat. Yet I am often amazed by the lack of, let's say, "humility" of some young designers. Is it because they are "artists"? I hope not!

One recurrent case is login and register pages. It is as if "they" knew for certain what is right and what is wrong, whereas they would probably act in a more humble way if they were better educated about some usages that are unexpected (for them).

So, here is a checklist of what a gentle login/register page could be. I may be very wrong, that's why there is a "Comments" section at the end of the page. Feel free to use it.

+++ Optional registration

Before committing to mandatory registration, please ponder the pros and cons. Registration is a burden. Sometimes it is worthwhile. Sometimes it is not. At first the user has no clue and often no time to waste; chances are some users will simply skip it.

Maybe you can provide some useful services without requiring registration? Then you create an incentive for a stronger connection with the user, who decides to take an additional step and register.

+++ Optional login

Please don't assume that a full-blown login is a must. If my computer is in a locked room, maybe cookie-based security is enough in some simple cases? Maybe you can provide (using https preferably) a secret bookmark that the user can store and then use to reconnect?
If you show me, say, the last ten connections, I will very easily determine whether the security of my account is compromised, and then I may decide to protect it more carefully.

The need to provide write protection for data is sometimes solved with a wiki-like "rollback" feature, where the user can revert unwelcome changes.

+++ Login and Register combined

I register to so many services, I lose track of them! Of course I often use the same user id and password. I almost always use the same email address. I know that this is not the best security practice, please don't lecture me.

When I log in to a service that I wrongly think I am already registered to, I would rather not have to enter my user name and password again when I then decide to register. So, when I log in, please assume that I want to register! And, when you detect that I am a new user, please pre-fill the register form with whatever info I already typed in the login form.

+++ Log logins

The ability to monitor who accessed my account is a security savior. It makes me feel good, safe, protected.

Additionally, maybe you could remind me about what I did last time I logged in? That would put me back in context.

And please, when I land following a deep link, put me back on that page after I agree to log in. I don't like it when I am required to log in only to be directed to some arbitrary page that is *not* the one I wanted in the first place.

+++ Don't Flash me bro!

I suspect that I am not alone in using Firefox extensions like InFormEnter. They make it easy to pick an entry from a predefined list of answers. I almost never type my user name or password. Unless... some annoying Flash site insists on that. That is why I prefer sites that stick to regular HTML forms as much as possible.

+++ My country counts

I know that France is 98th alphabetically. Yet, I feel like it would make sense to have it listed number 1 on French sites, and in the top 10 elsewhere. Besides, my IP tells you my country, doesn't it?
Some probability/heuristics make life easier sometimes.

+++ I speak English

It is not because I live in France that I want a French UI. I would actually rather have the original English UI than a half-baked translation. Plus, I know English-speaking people who live in France. Country does not equal language.

+++ My long name is part of me

I log in as jhr, jhrobert or, more often, JeanHuguesRobert. That latter one is apparently too long for some sites. Who are they to decide what is too long? Please don't restrict the length. And please be flexible and respectful with uppercase, the dash (-) and other special characters; they are very valid in some countries.

+++ DarkKnight33 is not my name forever

I will eventually change my user id, moving away from a childish one for example. Those services that do not allow me to change my "name" will say bye bye to my account.

+++ Email is an id too

Logging in using my email address is convenient. Unless there are multiple accounts with the same email address but different IDs, I should have the same success using one or the other. Better yet, let me specify multiple email addresses, because I may switch to a new one at some point.

+++ Don't pass on my password

Sure, 123 is not the best password ever. But I am in charge. So please accept my password, because you have no clue why I keep it "weak" as you say.

+++ My password is my choice

Please don't impose "intelligent" rules about what my password should be. If I want only digits, it is my choice.

+++ Don't ask for my password twice!

If I provided a wrong password, I will soon detect that next time I log in. And the "Lost password" link is there to help me.

+++ Empty email address is OK

Lower the barrier to entry, don't *force* me to provide you with my email. Maybe I don't trust you enough yet? Or maybe I barely want to try your service? Or maybe I cannot enter it right now? Who knows?

+++ Empty password is OK

A blank password makes sense sometimes.
I appreciate your warning, but please obey me.

+++ Empty user id is OK sometimes

When I get back to you, I like it when you detect that I am a returning user. I don't like it of course when the next user on this PC gets the same treatment. Maybe it is OK to ask for my password again, but can't you accept my empty user id? Just call me Anonymous84726, that's OK sometimes.

+++ Unobtrusive Email validation

During registration, I would normally prefer not to have to go to my mailer to check for an email validation message (that often takes quite a long time to arrive). It breaks my flow. Don't assume I will read my mail right now; leave me enough time, a week maybe.

If it is absolutely necessary to activate an account before using it, then please make sure that I don't have to log in again when I validate my email address by clicking on a link.

+++ A registration is worth a login.

Don't tell me this: "Your activation is completed. Now you may log in" -- It makes me crazy.

+++ Password recovery

Some annoying sites require both the ID and the email before sending a mail with the password (BAD) or some recovery URL (good) in it. They should instead require either the ID or the email, not both.

It is easy to forget one's ID, especially when it was created to comply with some arbitrary rules local to the site. So don't forget the ID recovery too! The only thing I remember is my email address (or one of them).

Update: maybe I don't use email addresses so much, maybe Facebook and Twitter are what I would like to use to log in.

ToDo: Password recovery is a complex issue when a high level of security is required.

+++ Email address changes

I know countless people who initially had an ISP-provided address and then later, when they moved to a new ISP, had to change to a more neutral address, such as a yahoo or gmail address. Consequently it is important to provide a UI to change the email address attached to an account.
That same page usually allows for changes to the password too, and to the ID sometimes (too rarely).

+++ Recommended readings

"About Face 2.0" by Alan Cooper.
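As an illustration of the "Password recovery" section above, here is an added example (not part of the original page) of a recovery flow that accepts either the ID or an email address, reminds the user of the ID, and mails a single-use recovery URL instead of the password. The `ACCOUNTS` store, the `site.example` URL, the one-hour lifetime, the hashed token storage and the identical reply for unknown accounts are all assumptions of this sketch.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a recovery link, in seconds

# Constructed sample store: user id -> email addresses, primary first.
ACCOUNTS = {"JeanHuguesRobert": ["jhr@example.org", "old@example.net"]}
PENDING = {}  # sha256(token) -> (user id, expiry); the raw token is not stored


def find_account(identifier):
    """Resolve EITHER a user id OR an email; return (user id, mail target)."""
    wanted = identifier.strip().lower()  # assumption: lookups ignore case
    for user_id, emails in ACCOUNTS.items():
        if wanted == user_id.lower():
            return user_id, emails[0]
        if wanted in emails:
            return user_id, wanted
    return None, None


def request_recovery(identifier, now=None):
    """Return (text shown to the requester, mail to send or None)."""
    now = time.time() if now is None else now
    shown = "If an account matches, a recovery link has been sent."
    user_id, address = find_account(identifier)
    if user_id is None:
        return shown, None  # same reply either way, so accounts cannot be probed
    token = secrets.token_urlsafe(32)
    PENDING[_digest(token)] = (user_id, now + TOKEN_TTL)
    # The mail reminds the user of the ID and carries a URL, never the password.
    url = "https://site.example/recover?token=" + token
    return shown, {"to": address,
                   "body": f"Your ID is {user_id}. Reset your password: {url}"}


def redeem(token, now=None):
    """Single use: the entry is dropped on the first attempt to redeem it."""
    now = time.time() if now is None else now
    user_id, expiry = PENDING.pop(_digest(token), (None, 0))
    return user_id if user_id is not None and now <= expiry else None


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()
```
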
