Article Idea:
Password Problem!!! Why so much Hard Work for these Passwords.
suggested by Sohel Kapasi on 2009/03/20
This story is about the password problem for users who need to access their internet accounts every day and keep forgetting their passwords due to hard password creation policies, which is the biggest User Experience problem nowadays on most web accounts.
I tried to focus on what the problems of password generation policies are, how they affect the User Experience, and what the possible solutions for this UX issue may be.
Want to see this idea turned into a story?
21 people said yes. | 0 people said no.

Bryan McClain
30 Reputation points
Posted 2009/03/20 @ 09:39AM with
This sounds like a very interesting article! Something that I have been thinking about for quite some time.
Yogesh Patil
1 Reputation points
Posted 2009/07/28 @ 03:14AM with
Yes, I often find this happens to me. I am highly interested in reading this article, and I hope I will get a good set of guidelines from here.
d k
1 Reputation points
Posted 2009/07/28 @ 16:47PM with
Yes, yes, yes! I have been thinking a lot about this problem myself and it REALLY gets complicated – it's *not* just an interface issue, but more like an identity-proof, privacy issue. But it certainly should be addressed from the user’s perspective more thoroughly. For example:
Nielsen made an interesting claim a few Alertboxes ago, that the ***** stars in the password field are useless as nobody really watches over your shoulder most of the time. I find this not true.
There is also growing interest in OpenID services, which are a nice idea, but so far very poorly implemented.
I think that password strength meters are useless. One doesn’t need a very strong password, but needs to change it as often as possible. But we all have the same passwords through many accounts and it is impossible to have them all changed very often.
Regarding Usability, there is also a big debate (Nielsen as well) about the Login/Register form: should they be on the same page (like boxes&arrows), in different ‘tabs’, in the same form (like Amazon)... What are the GUI guidelines for tabbing (“remember me” usually takes the tab between password and “login” input fields)? What about screenreader software support for login forms?
There are loads of utils that remember your passwords (every modern browser) and there are some cross-browser synchronised (xmarks) password managers – which I don’t use but might be a solution for some of the problems…
Well… some ideas for your article, have fun!
danijel
Darren Kall
1 Reputation points
Posted 2009/07/28 @ 18:33PM with
Sohel, a very good topic to develop into an article. If you need any references or contacts please let me know: darrenkall@hotmail.com. I worked on this problem when I was at Microsoft and there are a number of good people there who have been wrestling with this very issue for years. Making secure but empathetic authentication for frequent and infrequent users is a complex optimization problem. I also just participated in a Usability, Security and Privacy brainstorming session held by the Computer Sciences and Telecommunications Board (CSTB) of the National Academy of Sciences. The CSTB gathered 40-50 subject matter experts from the security, privacy and usability fields to brainstorm future direction for research. One session I participated in was Alternatives to Passwords, led by Simson Garfinkel and Susan Landau. The final CSTB report won’t be available until about December but I’m glad to help before then with my perspective. Darren Kall
Sumi Tandon
1 Reputation points
Posted 2009/07/28 @ 22:44PM with
Well guess what, I had to first recover my password in order to login and vote ;)
sachin kumar
0 Reputation points
Posted 2009/07/30 @ 07:17AM with
Yes… I too have been facing these problems. I too am waiting for this article.
Vivek Deshmukh
22 Reputation points
Posted 2009/07/30 @ 07:18AM with
Would love to read that, Sohel. Also, if you could cover how you see future alternate password mechanisms that would be more user friendly, that would be a nice addition (e.g. voice recognition?).
Grant Novey
0 Reputation points
Posted 2009/07/30 @ 08:54AM with
This is a great topic and something that I’ve been thinking a lot about lately as well. Almost every website out there gives the visitor the capability to register as a site user. One of the more recent troubles that I’ve seen with sign-in forms is with the simple Forgot Password? link. I find myself asking the question, “Did I already register at this site?” I try my usual combination(s) of usernames and passwords but I keep getting rejected. I click on the Forgot Password? link and it asks for my email address. I enter my email address and hit submit only to be presented with a screen that states my password has been emailed to me. I wait, and wait, and wait some more but nothing comes. I check my spam and still nothing. The problem is that I didn’t even have an account there in the first place even though the system made me think I did. This is definitely a usability issue. It should be checking to see if my email even exists in the database. If not, it should tell me.
Looking forward to reading your article.
Thanks,
Grant Novey
Sameer Bhiwani
1 Reputation points
Posted 2009/07/30 @ 11:59AM with
Check out some of the extreme strategies some people are employing to make their password management easier:
http://carsonified.com/blog/work-smarter/how-to-create-a-…
The wealth is in the comments, not in the article itself.
Even if we do have to live with passwords for a few more years, I believe the next generation of authentication should definitely be in-the-cloud identity management systems which look beyond the password – they look into patterns of access and adapt the authentication accordingly based on a threat assessment. This is already making its way into banking and enterprise, but it needs to touch the consumer pretty soon.
Even forgot password systems are becoming easy to beat. One of the worst systems out there today is the “mother’s maiden name” stuff – tons of mothers are making their way to Facebook, putting their entire lives online; this system is already useless for those in their teens today.
Hopefully your system will be novel and easy to adopt, safe from shoulder surfing, keyloggers and perhaps online social engineering.
Pavan Vankamamidi
1 Reputation points
Posted 2009/08/13 @ 11:00AM with
Yes, it is a common problem for everyone who manages more than 3 accounts. The situation becomes worse if one happens to use that account after 10 to 15 days. With email accounts it rarely happens, as we use them on a daily basis, but almost everyone might have experienced this “Password Problem” when accessing their Car / Home Insurance accounts, Library accounts, Electricity accounts, Air miles accounts etc. I almost forget them sometimes and immediately look for alternatives. It is time consuming here also, as we need to recollect the security question vs. answer.
I expect this topic to be interesting and an eye opener for people who face this problem.
vicente ocana
0 Reputation points
Posted 2009/08/18 @ 16:30PM with
One solution is being addressed now by efforts like Facebook Connect, or Google Federated Login (based on the OpenID standard).
Frankly, I prefer more private solutions, and since I register on a multitude of websites (I work for the online world), I have finally decided on having 2 fixed types of usr/psw, one for personal/important issues and another for all the websites which I seldom visit.