Design & UX
By Jessica Enders

3 Rules for Painless Account UX

By Jessica Enders
Old shop with 'Come in and visit' signage on front

Photo: Tom Simpson

Online accounts give users privacy, control and a personalised experience (imagine Facebook without accounts!). Account management — registration and log in — is, therefore, a necessary evil. Except when it goes wrong, no user likes or cares about account management, they just want to access the service.

You can make account management less evil by following three little rules:

1. Don’t make the user guess
Almost every service on the web handles account management slightly differently. As a result, you have to be explicit about the requirements for your service. Otherwise, you’re just being cruel.
2. Balance security with usability
Often, security folk will insist on an approach that compromises the user experience. This is foolish, because poor usability will lead to workarounds, and workarounds in turn lead to weakened security. Instead, aim for a design that is both secure and usable.
3. Keep it simple
Account management is one of your biggest potential barriers to usage. Make the barrier practically invisible through a simple, seamless, pain-free design.

Let’s look at how these three rules can be applied to registration and log-in. We discuss registration below; log in will be covered in a second article to follow soon.

The User Registration Process

Rule #1: Don’t make the user guess

  • Warn the user — ideally before they start — if they are going to have to do something to verify, before their account will be created.
  • Let the user know if usernames are automatically set by the service.
  • Allow — but don’t insist on — login with third party services like Facebook or Twitter.
  • Spell out any requirements for username or password before this information needs to be entered [1]. In particular, let the user know whether:
    1. there are restrictions on length, characters, words or phrases
    2. spaces — and thus passphrases — are allowed
    3. such fields are case sensitive.

Example: What not to do.

Amazon doesn’t explain its password requirements until after form is submitted and the chosen password fails. How hard would it be to put “Case sensitive, minimum of 6 characters.” underneath the first password field?

Amazon example login

Example: A better approach.

Wufoo is up front and transparent about password requirements.

Wufoo's improved approach

Rule #2: Balance security with usability

  • Avoid setting restrictions on usernames.
  • Avoid complex password requirements; this will only lead to users writing down their password and/or using the same passwords across multiple services.
  • If you have a password strength meter, make sure it reflects up-to-date practice, otherwise don’t have one at all.

Example: What not to do.

Ebay — who recently suffered a massive data breach and responded embarrassingly poorly — don’t allow passphrases (several words separated by spaces). Yet many consider passphrases to be the most practical, secure and usable approach to passwords (see, for example, [2] and [3]).

Ebay's login system

Example: A better approach.

Envato allow passphrases. The passphrase I had entered is “This is a phrase”.


Rule #3: Keep it simple

  • Avoid repeated fields (e.g. asking for password to be entered twice) and instead provide a simple (but secure) way to reset such data. (For more about repeated fields, see [4]).
  • Ask for just what you need in order to create the account; you can always ask about other things later.
  • Don’t ask for personal information (e.g. date of birth) unless you really need it.
  • Inline validation is nice, but don’t do it before the user has had a decent amount of time to enter data.

Example: What not to do. requires double entry on both email and password!

What not to do:

Example: A better approach.

A better approach: Trivago

Trivago keep things very simple.

Keep an eye out for the second part of this article, on log in, to be published soon!

  1. Some security experts argue that you should not reveal password requirements to users, because it gives black-hat hackers clues. The problem with this argument, as I see it, is that requirements have to be revealed if the submitted password is invalid, so a black-hat hacker could expose the requirements simply by entering “p” or something equally unsatisfactory, submitting the form, and triggering the validation failure message.

    Aside from that, I think it’s crazy to make the experience unusable for the mass of legitimate users, just to (mildly) frustrate a handful of black-hat hackers. Better to achieve security through other means.

  2. The usability of passwords
  3. Password strength
  4. Double entry of form fields
  • Wez Pyke

    I find it rather annoying that a lot of websites require First name and Last name. If they need to know my name then surely just a Name field is enough.

    • Paulo

      they just want to make sure you enter both

    • lc

      It’s generally a good idea to store first names and last names in separate fields in the database though, in case you want to use them separately (e.g. ‘Welcome, John’ instead of ‘Welcome, John Smith’). If you don’t ask for them separately, then your program will have to guess which is which based on spaces. Fine if your name is John Smith, not so fine it it is Mary Ellen Smith.

  • Lucy Buykx

    The Appleid creation flow has a very nice password rule flow. There are 8 rules (yes I know, 8!) that pop up in grey when the field is in focus. When your password passes a rule it gets a green dot. When your password fails a rule the rule jumps out in red. Colour blindness & the number of rules aside, it makes it clear what you have to do.

  • M S


    Its especially annoying and idiotic, when there are multiple secret rules that you accidentally broke when filling out a form, and they tell you about only one for each attempt to submit a form.

    There is a problem with the username?
    OK, fixed it =)
    …oh now the password is wrong too?
    OK, fixed it :/
    …oh now the phone-number is is wrong too?
    OK… FIXED it!
    …oh now the emall is is wrong too?
    OK… F fixed it! (surely you could have removed the accidental trailing space yourself…)
    …oh now the adress-format is is wrong too?
    F you and your whole family, I’m going to find out where you sleep!

  • Wez Pyke

    Explode on spaces and use the last word as the surname. 99% of the time you’ll get it right.

    • Formulate

      Unfortunately, names are more complicated than that. See

    • Alex Walker

      That 1% of people who don’t fit the rule can get very irritable about things.

      The recently abdicated Spanish king, ‘Juan Carlos Alfonso Víctor María de Borbón y Borbón-Dos Sicilias’ doesn’t want you to refer to him as ‘Juan Carlos Alfonso Víctor María de Borbón y Borbón-Dos’

      But he doesn’t like ‘Juan’ either — he likes ‘Juan Carlos’.

      Extreme example, I know, but shows how difficult it is to write a set of rules around it.

  • Mohd. Mahabubul ALam

    Online accounts give users privacy, control and a personalized experience (imagine Facebook without accounts!). Account
    management — registration and log in — is, therefore, a necessary evil.
    Except when it goes wrong, no user likes

Get the latest in Design, once a week, for free.