When designing sites with passwords, please don't mangle your users' passwords without notification.
Where does this plea come from? Well, I now set accounts up with lengthy passwords when I can. A lot of web sites have length restrictions on password fields. This is all very well - and is often a legitimate defence against buffer overflows. The problem arises when I don't know about it. Then, when I want to log back in later, I get told that my password is wrong! Well, no, it's not wrong - except that your website has mangled what I gave it. Or perhaps ignored what I gave it as illegal input.
If you must limit password length, tell the user! Messages like,
"This password is too long. Please select a password no longer than 16 characters."
Or even,
"This password is too long and has been truncated to 16 characters."
would go a long way towards avoiding user confusion.
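The lockout described above, as an added example that is not part of the original post: a sign-up handler that silently truncates stores a hash the user's real password can never match, while the same limit enforced with an explicit message leaves nothing mangled. The class names, the PBKDF2 hash and the sample password are assumptions for illustration; the 16-character limit is the one in the sample messages.

```python
import hashlib
import hmac
import os

MAX_LEN = 16  # limit taken from the post's sample messages


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumption here; any salted password hash shows the same effect.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class SilentTruncationSite:
    """Hypothetical site: the sign-up form cuts the password, the login form does not."""

    def __init__(self):
        self.users = {}  # name -> (salt, hash)

    def _store(self, name: str, password: str) -> str:
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(password, salt))
        return "Account created."

    def register(self, name: str, password: str) -> str:
        # The mangling: everything past MAX_LEN is dropped without telling the user.
        return self._store(name, password[:MAX_LEN])

    def login(self, name: str, password: str) -> bool:
        salt, stored = self.users[name]
        return hmac.compare_digest(stored, _hash(password, salt))


class ExplicitLimitSite(SilentTruncationSite):
    """Same limit, but over-length input is rejected with the post's first message."""

    def register(self, name: str, password: str) -> str:
        if len(password) > MAX_LEN:
            return (f"This password is too long. Please select a password "
                    f"no longer than {MAX_LEN} characters.")
        return self._store(name, password)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample, 28 characters
    bad = SilentTruncationSite()
    print(bad.register("alice", pw), "| login with what she typed:", bad.login("alice", pw))
    print(ExplicitLimitSite().register("alice", pw))
```

On the silent-truncation site the only string that logs in is the first 16 characters of what the user typed, which the user has no reason to try.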
Also, if you're going to bother presenting the user with a "reset your password" link, it must work! Please don't promise to send emails with the requisite links and then fail to send them.
That is all.