"Wrong password"

26 May 2006 - 1:27pm
Billie Mandel
2005

Hi fab folks -

Straw poll of the day:
What are your favorite (and least favorite) error messages/error
handling scenarios for our oh-so-beloved use case, "user enters
incorrect password"?

Yours curiously,
- Billie

Comments

26 May 2006 - 1:44pm
livlab
2003

> What are your favorite (and least favorite) error messages/error
> handling scenarios for our oh-so-beloved use case, "user enters
> incorrect password"?

I was actually revising the text for this message as your email came in.
I'm assuming you are thinking of this use case for the sign in scenario,
not the creating a new password or editing an existing password scenario.

In the context of my app, I can only validate the form after submission,
so I'm returning a validation error message above the authentication
widget (in this app there isn't much else on the screen).

These are my specs for this scenario:

MSG04. invalid_login
TYPE: validation
CASE: If authentication combination is not valid
(wrong password or user name does not exist)
TEXT: Your User Name and Password don’t match. Please check your
spelling and try again.

For context, here are the other related validation messages as well:

MSG01. login_name_blank
TYPE: validation
CASE: If user name is not entered
TEXT: Please enter your User Name.

MSG02. login_pass_blank
TYPE: validation
CASE: If password is not entered
TEXT: Please enter your Password.

MSG03. login_both_blank
TYPE: validation
CASE: If user name and password are not entered
TEXT: Please enter your User Name and Password to sign in.

26 May 2006 - 1:52pm
George Schneiderman
2004

A lot depends on how secure the site needs to be. At a bank, for instance, you will almost certainly want to follow security "best practices", which typically means error messages that provide very little specific information, such as the ability to distinguish between a non-existent username versus the wrong password for a valid username.

My feeling is that if the site doesn't need particularly high-level security, it is best to provide various error messages that do distinguish between those situations, and also to tell the user if the account in question has been locked due to an excessive number of failed login attempts, and also to warn the user how many more tries he has before he gets locked out. If the security profile of the site allows it, I also recommend using an error message that identifies the rules governing valid passwords, e.g., letters and digits only, case-sensitive, must be between 8 and 15 characters with at least one digit (a separate error message to handle a login attempt with a non-compliant password is probably overkill).

--George

-----Original Message-----
>From: Billie Mandel <billieslists at gmail.com>
>Sent: May 26, 2006 2:27 PM
>To: discuss at ixda.org
>Subject: [IxDA Discuss] "Wrong password"
>________________________________________________________________
>Welcome to the Interaction Design Association (IxDA)!
>To post to this list ....... discuss at ixda.org
>List Guidelines ............ http://listguide.ixda.org/
>List Help .................. http://listhelp.ixda.org/
>(Un)Subscription Options ... http://subscription-options.ixda.org/
>Announcements List ......... http://subscribe-announce.ixda.org/
>Questions .................. lists at ixda.org
>Home ....................... http://ixda.org/
>Resource Library ........... http://resources.ixda.org
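
The strict variant discussed in the two replies above (one message for both a wrong password and a non-existent user name), as an added example that is not part of any post in this thread. It uses the MSG01-MSG04 texts from the spec; the function name `sign_in`, the sample account, the lockout threshold and the PBKDF2 settings are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Message texts copied from the MSG01-MSG04 spec posted in this thread.
MESSAGES = {
    "login_name_blank": "Please enter your User Name.",
    "login_pass_blank": "Please enter your Password.",
    "login_both_blank": "Please enter your User Name and Password to sign in.",
    "invalid_login": "Your User Name and Password don’t match. "
                     "Please check your spelling and try again.",
}
MAX_FAILURES = 5      # assumed lockout threshold, not from the thread
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

USERS = {"jsmith243": _record("correct horse 42")}  # constructed sample account
_DUMMY = _record(os.urandom(16).hex())  # hashed when the username is unknown
_failures = {}  # username -> consecutive failed attempts

def sign_in(username, password):
    """Return (ok, message_id); message_id is a key of MESSAGES or None."""
    if not username and not password:
        return False, "login_both_blank"
    if not username:
        return False, "login_name_blank"
    if not password:
        return False, "login_pass_blank"
    # Unknown usernames go through the same hashing work as real ones, so
    # response time does not reveal which usernames exist.
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    locked = _failures.get(username, 0) >= MAX_FAILURES
    if username in USERS and matches and not locked:
        _failures.pop(username, None)
        return True, None
    # Wrong password, unknown username and locked account all count as a
    # failure and all return the same MSG04 text.
    _failures[username] = _failures.get(username, 0) + 1
    return False, "invalid_login"
```

The lower-security variant described above would instead return distinct message IDs for an unknown username, a wrong password and a locked account.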

26 May 2006 - 1:53pm
Bill DeRouchey
2010

>> What are your favorite (and least favorite) error messages/error
>> handling scenarios for our oh-so-beloved use case, "user enters
>> incorrect password"?

My favorite is in Mac OS X, the log in box shakes if you log in
incorrectly. It's shaking its head and saying, "uh uh, try again."

Bill

26 May 2006 - 1:57pm
George Schneiderman
2004

I recommend standardizing everywhere on "username" rather than "user name", thus eliminating any potential for confusion between the user's actual name (e.g. Jane Smith) versus her username (jsmith243). The potential for confusion may not exist in every context, but it is best to be consistent in your usage.

--George

-----Original Message-----
>From: Livia Labate <liv at livlab.com>
>Sent: May 26, 2006 2:44 PM
>To:
>Cc: discuss at ixda.org
>Subject: Re: [IxDA Discuss] "Wrong password"

26 May 2006 - 3:03pm
Josh Galban
2005

I think that's great advice. Depending on the context, I may take it a step
further and switch to a label other than Username or User Name. Such labels
might be: Login ID, Nickname, Screen Name, Member ID, etc.

I've occasionally observed users in usability tests that enter their first
names or full names in fields labeled "Username". The times I've seen this,
the testing involved a consumer website, a relatively inexperienced Internet
user and a formal usability lab. To avoid the confusion, I specify a different
label for this field unless it's already in use by a website/web application.

There are also scenarios, such as performing telephone customer support, where
a user may be asked audibly to provide a Username as an identifying
credential. The question, "What's your Username?" delivered over a phone is
subject to misinterpretation, especially by an end-user that's distracted.
That's not such a big deal for the end-user, but the call center operator that
clarifies the question 100 times a day (a) finds it a bit annoying and/or (b)
uses it as evidence that "users are stupid." :)

--Josh

------ Original Message ------
From: George Schneiderman <schneidg at earthlink.net>

I recommend standardizing everywhere on "username" rather than "user name",
thus eliminating any potential for confusion between the user's actual name
(e.g. Jane Smith) versus her username (jsmith243). The potential for
confusion may not exist in every context, but it is best to be consistent in
your usage.

--George

27 May 2006 - 3:32pm
Robert Hoekman, Jr.
2005

> The question, "What's your Username?" delivered over a phone is
> subject to misinterpretation, especially by an end-user that's distracted.
> That's not such a big deal for the end-user, but the call center operator that
> clarifies the question 100 times a day (a) finds it a bit annoying and/or (b)
> uses it as evidence that "users are stupid." :)

Perhaps the call center staff should be asking for "login id" instead
of a "username".

-r-
