Get your error messages right, people.
Do you think I should end this year with a rant? Well, whether you think so or not, I will, because it’s something that bugs me to no end, literally.
Just how difficult is it for a web application programmer to integrate two different types of error messages into his amazing login system? And by two types I mean:
The username you provided does not exist in our database, please retry.
…and…
The password you provided is wrong, please retry.
It’s not rocket science, it’s not even a politically correct way (and by politically I mean usability-wise) to signify login errors. It’s just two sentences that can help you decide if you’ve typed your password wrong or if you’ve selected the “other” nickname you use when you have signed up.
Latest culprit: The coComment site. After some months of absence, I decided to give it a try again. And this is what it greeted me with:
What did I do wrong? Was my username OR my password erroneous?!
Now I must go back and check my Hotmail and Gmail accounts, to check if there is any confirmation e-mail with my subscription data in it.
Hhhrmpf.
Happy New Year, everyone.
P.S. An excellent book to read, just to get your error messages (and more) right: Defensive Design for the Web. One of the best books I’ve ever read on web design, period.

December 31st, 2006 at 2:09 am
That’s why you click on “Forgot my password” link, use the powerful Gmail search and let Firefox store your passwords and forms.
I do love you sugar
December 31st, 2006 at 1:39 pm
Har har har.
Why should I do that, since with just one right error message, they’d put me in the right track and make me understand what’s wrong at a glance?
I love you too!
December 31st, 2006 at 2:33 pm
It’s one of those stupid things someone forgot to do.. or maybe it’s the implementation of the query that doesn’t make life easy enough for such error messages.
You love me, I love you: let’s make love
December 31st, 2006 at 7:00 pm
Well Sugar, it has to do with safety procedures. If a login system reveals which of the username or password is wrong (which simply means that the other is right), it is very easy for a hacker to find out more information about the specific account… That’s why all the login systems never generated the two above error messages you are suggesting…
January 1st, 2007 at 11:17 pm
Aren’t there any other safety locks about this? Like, set the account pending when someone tries more than 5 times to login unsuccessfully?
And to be frank, who’s gonna hack into my coComment account, really!
I could understand (maybe) if this was coming from an e-shop, or anything that needs to be more secure than conventional sites. But in this case, it’s just a nuisance.
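The trade-off raised in the two comments above, as an added example that is not part of the original post or its comments: a login check that answers an unknown username and a wrong password with the same message and the same hashing work, plus the five-attempt lockout. The class and message names, the in-memory storage and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5  # threshold taken from the comment thread
GENERIC_ERROR = "The username or password you provided is wrong, please retry."
LOCKED_ERROR = "Too many failed attempts, this login is temporarily locked."


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self):
        self.users = {}     # username -> (salt, password hash)
        self.failures = {}  # submitted username -> consecutive failures
        # Dummy credential so an unknown username costs the same hashing work.
        self.dummy_salt = os.urandom(16)
        self.dummy_hash = hash_password(os.urandom(16).hex(), self.dummy_salt)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> tuple[bool, str]:
        # Failures are counted per submitted name, existing or not, so the
        # lockout message cannot be used to tell real accounts from invented ones.
        if self.failures.get(username, 0) >= MAX_FAILURES:
            return False, LOCKED_ERROR
        salt, stored = self.users.get(username, (self.dummy_salt, self.dummy_hash))
        candidate = hash_password(password, salt)
        # Constant-time comparison; the dummy record can never log anyone in.
        ok = hmac.compare_digest(candidate, stored) and username in self.users
        if ok:
            self.failures.pop(username, None)
            return True, "Welcome back."
        self.failures[username] = self.failures.get(username, 0) + 1
        return False, GENERIC_ERROR
```

A deployment would also expire the failure counters after a time window, since a permanent lock lets anyone block another person's login by guessing wrong five times.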
January 2nd, 2007 at 2:01 pm
@Sugar: coComment is a nuisance for you, Gmail is a nuisance for someone else, phpBB is a nuisance for me etc.
Developers are called to protect their service and what Tsevdos John says is right.
January 2nd, 2007 at 4:35 pm
Please Titanas, don’t distort my sayings.
I didn’t mention that coComment is a nuisance. I just say that, in usability terms and in my humble opinion, their login system has a flaw in error messages.
I really can’t believe that the obvious solution for web application developers is to provide an ambiguous error message to “confuse” potential hackers.
Let’s be realistic here.
January 2nd, 2007 at 6:19 pm
I misunderstood you and I apologize for that!
I don’t think they want to confuse hackers but instead make their lives less easy. The error message doesn’t tell the whole truth.
Check this error message from (mt):
It appears that either your domain, email address, or password is incorrect. Please try logging in again, or consider using the Lost Password Recovery Page. If you still have problems, please contact the customer support department at 877-578-4000.
TIP: Your domain should not include the “http://” prefix nor should it include the “www” prefix.
January 2nd, 2007 at 7:15 pm
Sigh… fine. You’ve proved me wrong and this kind of message is OK, eventually.
But it still poses some usability issues for the real users of this dang login form.
January 3rd, 2007 at 3:10 am
Happy New Year Sugar!
Maybe Cocomment isn’t the service anyone wants to hack, but I would rather agree with John by saying that it is done for safety reasons.
Also the Cocomment programmers maybe used a kind of framework to build their web app so the whole login procedure is handled from it (although I believe they have double checked all the messages).
Anyways, there are a lot of web services that return the same error messages, so what’s the big deal.
Tip: I have a hard time reading the comments due to the small font…Can it be increased? Plz?
January 3rd, 2007 at 10:20 am
@ stelabouras:
Happy new year, you!
I’ll increase the font in comments when I return home tonight.
The whole site will be redesigned in some days, anyway.