Design & UX - By Jessica Enders

3 Rules for Painless Account UX

Old shop with 'Come in and visit' signage on front

Photo: Tom Simpson

Online accounts give users privacy, control and a personalised experience (imagine Facebook without accounts!). Account management, meaning registration and log in, is therefore a necessary evil. No user likes or even notices account management until it goes wrong; they just want to access the service.

You can make account management less evil by following three little rules:

1. Don’t make the user guess
Almost every service on the web handles account management slightly differently. As a result, you have to be explicit about the requirements for your service. Otherwise, you’re just being cruel.
2. Balance security with usability
Often, security folk will insist on an approach that compromises the user experience. This is foolish, because poor usability will lead to workarounds, and workarounds in turn lead to weakened security. Instead, aim for a design that is both secure and usable.
3. Keep it simple
Account management is one of your biggest potential barriers to usage. Make the barrier practically invisible through a simple, seamless, pain-free design.

Let’s look at how these three rules can be applied to registration and log-in. We discuss registration below; log in will be covered in a second article to follow soon.

The User Registration Process

Rule #1: Don’t make the user guess

  • Warn the user, ideally before they start, if they will have to do something to verify their details (such as clicking a link sent by email) before their account will be created.
  • Let the user know if usernames are automatically set by the service.
  • Allow — but don’t insist on — login with third party services like Facebook or Twitter.
  • Spell out any requirements for username or password before this information needs to be entered [1]. In particular, let the user know whether:
    1. there are restrictions on length, characters, words or phrases
    2. spaces — and thus passphrases — are allowed
    3. such fields are case sensitive.

Example: What not to do.

Amazon doesn’t explain its password requirements until after the form is submitted and the chosen password fails. How hard would it be to put “Case sensitive, minimum of 6 characters.” underneath the first password field?

Amazon example login

Example: A better approach.

Wufoo is up front and transparent about password requirements.

Wufoo's improved approach

Rule #2: Balance security with usability

  • Avoid setting restrictions on usernames.
  • Avoid complex password requirements; this will only lead to users writing down their password and/or using the same passwords across multiple services.
  • If you have a password strength meter, make sure it reflects up-to-date practice, otherwise don’t have one at all.

Example: What not to do.

eBay, which recently suffered a massive data breach and responded embarrassingly poorly, doesn’t allow passphrases (several words separated by spaces). Yet many consider passphrases to be the most practical, secure and usable approach to passwords (see, for example, [2] and [3]).

Ebay's login system

Example: A better approach.

Envato allows passphrases. The passphrase I had entered is “This is a phrase”.
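Rules #1 and #2 come together in code when the same policy object both renders the requirements text shown under the field and validates what the user typed, so the two can never drift apart. The following is an added example written for this article, not code from Wufoo, Envato or any other service shown here; the minimum and maximum lengths and the short deny list of common passwords are constructed for illustration, and a real deployment would check against a far larger breached-password corpus. It deliberately has no composition rules (no “one digit, one symbol”), accepts spaces so passphrases work, and never trims or lower-cases the password that will be hashed.

```javascript
// Added example, not from the article. One policy drives both the up-front
// requirements text (Rule #1) and the validation (Rule #2).

// Constructed deny list for illustration only; use a real breached-password set.
const COMMON_PASSWORDS = new Set([
  'password', '123456', 'qwerty', 'letmein', 'iloveyou', 'password1',
]);

// Assumed limits; the maximum is generous so long passphrases are not cut off.
const POLICY = { minLength: 8, maxLength: 128 };

// Text to show beside the password field before the user types anything.
function requirementsText(policy = POLICY) {
  return `Case sensitive. ${policy.minLength} to ${policy.maxLength} characters; ` +
    'spaces are allowed, so a phrase of several words works. ' +
    'Very common passwords are not accepted.';
}

// Count user-perceived characters (code points), not UTF-16 units, so that
// "passwörd" or a string containing emoji is measured as the user sees it.
function charLength(s) {
  return Array.from(s).length;
}

// Returns plain-language problems; an empty array means the password is
// acceptable. The password itself is never trimmed or case-folded, because
// the user's exact input is what will be hashed and later typed at log in.
function validatePassword(password, policy = POLICY) {
  const problems = [];
  const len = charLength(password);
  if (len < policy.minLength) {
    problems.push(`Use at least ${policy.minLength} characters (you entered ${len}).`);
  }
  if (len > policy.maxLength) {
    problems.push(`Use at most ${policy.maxLength} characters.`);
  }
  // The deny-list lookup alone ignores case and surrounding whitespace, so
  // " Password " does not slip past a list that contains "password".
  if (COMMON_PASSWORDS.has(password.trim().toLowerCase())) {
    problems.push('That password is too common; try a phrase of several words.');
  }
  return problems;
}

// What the form reports on submit. On failure it repeats the same requirements
// the field already displayed, which is why hiding them buys nothing: a
// deliberately bad entry such as "p" reveals them anyway (see note [1]).
function submitResult(password, policy = POLICY) {
  const problems = validatePassword(password, policy);
  if (problems.length === 0) {
    return { ok: true, message: '' };
  }
  return { ok: false, message: `${problems.join(' ')} ${requirementsText(policy)}` };
}
```

With this in place, the passphrase “This is a phrase” from the Envato example is accepted, a single character is rejected with the length rule spelled out, and an eight-character entry such as “Password” passes the length check but is rejected by the deny list. Wire `requirementsText()` into the help text under the field at page load and `validatePassword()` into both the client-side check and the server-side handler so the two always agree.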


Rule #3: Keep it simple

  • Avoid repeated fields (e.g. asking for password to be entered twice) and instead provide a simple (but secure) way to reset such data. (For more about repeated fields, see [4]).
  • Ask for just what you need in order to create the account; you can always ask about other things later.
  • Don’t ask for personal information (e.g. date of birth) unless you really need it.
  • Inline validation is nice, but don’t do it before the user has had a decent amount of time to enter data.

Example: What not to do.

The form below requires double entry on both email and password!

Example: A better approach.

A better approach: Trivago

Trivago keeps things very simple.

Keep an eye out for the second part of this article, on log in, to be published soon!

  1. Some security experts argue that you should not reveal password requirements to users, because it gives black-hat hackers clues. The problem with this argument, as I see it, is that requirements have to be revealed if the submitted password is invalid, so a black-hat hacker could expose the requirements simply by entering “p” or something equally unsatisfactory, submitting the form, and triggering the validation failure message.

    Aside from that, I think it’s crazy to make the experience unusable for the mass of legitimate users, just to (mildly) frustrate a handful of black-hat hackers. Better to achieve security through other means.

  2. The usability of passwords
  3. Password strength
  4. Double entry of form fields