I was just over at Thoof.com and something happened out of the ordinary. It sort of happened the other day too but this time, it was a little more intense. Here’s the scenario – I registered for a user account at Thoof.com a couple days ago, and their registration process went like this:
1. Click sign up (a couple form fields appear)
2. Enter your email address
3. Click sign up
That’s it – you’re registered, logged in AND you get this message: “You are now registered. An email will arrive soon. For now, enjoy the site!”
I think Jakob Nielsen may have just shit on or around himself.
For registration systems, it doesn’t get much easier than that. This website doesn’t even pretend it needs your contact information. At the same time, a couple of flags went off in my mind. First, I usually set aside a minute or so in my head for online registrations so when everything was done in about 3 seconds – it was very pronounced. It far exceeded my expectations. So my first flag just supports an already universal knowledge about exceeding your customer’s expectations. The second flag was just the opposite actually. In not being asked for my contact info, I became a little cautious. It sort of conveyed a lack of purpose or legitimacy. They don’t know who I am and I could just enter anything in that box and get logged in immediately. What’s the sense in remembering a password, if they just automatically log you in?
That was a couple days ago anyways, I’m calmed down now. This morning however, I go over to Thoof, click sign in, punch in my email/password, click sign in again and… nothing happens. I thought maybe I entered in the wrong password, so I tried another… and nothing, and another… and nothing. So naturally I click “forgot password?” enter my email address, click ahead and it says something to the effect of “we’ve emailed you something which will help you.” basically. I immediately get an email from them with a link to “reset password” which I click… and get redirected to the Thoof.com home page (with no indication that anything has happened.) I even checked the link – there is some crap in there, some kinds of variables and such – which I assume Thoof would use to recognize me and use to reset my password (maybe even email me the new password.) Nope. Nothing. Before we continue, here’s a couple tips (Thoof I hope you read this):
When designing a user login system:
- Show some indication that something has happened when your users interact with your site.
For example: when someone enters their email and password and clicks submit – one of two things happens: they have either entered the correct username/password OR they have not. It’s absolutely necessary to tell them which has happened.
For example: when someone clicks a link which you tell them will reset their password: at least tell them that you have reset their password and what you have reset it to… better yet LET THEM CHOOSE THE NEW PASSWORD.
- Make the person at least enter their username AND password to login.
The purpose of a login system is control and accountability, over who gets access to what features on your site. If you don’t require your users to be accountable, then you have no control. If you don’t care about all that, then you probably don’t need a login system.
These are pretty fundamental sorts of things, but apparently they still get overlooked. Maybe there is something different about Thoof that I’m just not getting. Like a secret handshake or something, or like you’re not logged into the REAL site unless you log in on a certain page which you would have only found out about if you sit at the cool table.
My serious point is that when you’re designing a website from scratch, it’s easy to get caught up in your world, especially if it’s a personal project and not for a client. You try to be cutting edge and push the boundaries but keep in mind, there are standards ingrained into people’s minds. Things that are just supposed to happen, like, turning a handle opens a door, etc. You can’t just design a building where when you turn the door handles, a boot comes out of nowhere and just plows you in the ass.
- Stick to the standards.
People expect certain behavior – give it to them. It makes them feel comfortable and encourages them to continue exploring your site. If you’re going to be creative and do something different, make an existing standard better, not different.
- Make your design transparent.
This means that if someone is trying to do something, show them that you already expected it and provide them an option. Standards include having a “forgot password?” link near the login area along with a “log out” link/button. Google does this well with their applications. The key is making your design intuitive and proving to the user that you care by showing them that you’ve already thought of and planned a solution for every problem or question they might have.
These are my only opinions about login system design at this point (thanks to Thoof.com for the inspiration to write this.) I’m at the end of designing one from scratch right now for a personal project. As an accompaniment to this article, I’ll surely write about that process once I finally finish. In the meantime, I hope some of these thoughts help you out in your work, and if you have anything you think should be added to this list, please comment. I’ll be happy to add to this list and link back to your site. Again, thanks for reading.
Hi, thanks for the feedback, and for pointing out these issues. Can you let us know what operating system and web browser you are using? Feel free to email me directly, ian at thoof dot com.
plz send me the easy script
I’m Sithila, web designer. You can get info
sithila123@gmail.com
sithilas@yahoo.co.uk
When I was working at my last company we had to design a login system and I started to notice a few things about other login systems.
Sometimes when you press the “I forgot my password” button they send you an email WITH YOUR ACTUAL PASSWORD!
#1 I don’t want anybody to store my actual password. What if hackers hack into their system and now there’s some personal information about me tied to a password I use, possibly in many other places on the web.
The right thing to do is to convert the password, in javascript, to a message digest of the password both at sign-up and when logging in.
#2 Not only are they storing my plain text password on their system but they sent it to me IN AN EMAIL!
Please don’t do that. Emails pass through many different points and sit around for some period of time, who knows how long. Those systems could be hacked into as well. The only place a plaintext password should reside is in the head of the user and the mind of god if you believe in that sort of thing. Agree, disagree?
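As an added example of the storage and reset points raised in the post and in the comment above (not code from Thoof or from any commenter), this Python code keeps only a salted scrypt hash computed on the server, emails a random single-use token instead of a password, and lets the user choose the new password. The in-memory dictionaries, function names and 15-minute token lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}           # email -> (salt, scrypt hash); the plaintext is never stored
RESET_TOKENS = {}    # sha256(token) -> (email, expiry); raw token lives only in the email
RESET_TTL = 15 * 60  # assumed token lifetime, in seconds

def _hash(password, salt):
    # Slow, salted hash: a stolen table cannot be reversed or matched across sites.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def set_password(email, password):
    salt = secrets.token_bytes(16)
    USERS[email] = (salt, _hash(password, salt))

def login(email, password):
    """Return True or False so the page can always say which one happened."""
    salt, stored = USERS.get(email, (b"\0" * 16, b""))
    candidate = _hash(password, salt)  # same work is done for unknown emails
    return hmac.compare_digest(candidate, stored)

def request_reset(email, now=None):
    """Return the raw token for the emailed link, or None if the email is unknown."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, now + RESET_TTL)
    return token

def complete_reset(token, new_password, now=None):
    """Consume the token and return a status the reset page must display."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # single use: removed on first attempt
    if entry is None:
        return "invalid"
    email, expiry = entry
    if now > expiry:
        return "expired"
    set_password(email, new_password)  # the user chose it; nothing is emailed back
    return "ok"
```

The calling page shows the same "check your email" message whether or not `request_reset` returned a token, and renders every `complete_reset` status rather than redirecting silently.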
Dear dennisplucinik:
I’m going to design a login system, and now I’m collecting info about login systems. I have read your article completely. Thanks a lot for providing so much good advice. I want to ask whether you have any other material about login systems; if yes, please send me a copy. Thanks again.