Helping users who are struggling to log in; and avoiding it in the first place.

We have all struggled to log into websites and unfortunately, the struggle is a sliding scale.


1. The easy end of the scale: quick reset or recovery

At one end, websites that let us choose our preferred password and offer simple tools for resetting or recovering our passwords offer the least friction and are the easiest for users to navigate.


2. Moving up the scale: requiring unique passwords for a website

Then you jump up to those websites that mandate a minimum password requirement, including a capitalised letter and possibly even a symbol.

For those of us not in IT security and who do not have military-grade passwords, we’re probably stuck with a default password being the name of our first dog, or something equally weak.

When presented with the requirement to sign up with a password containing symbols, numbers and capitalisation, most of us have to think carefully and then add what are – at the time – hopefully logical capitals and numbers and a ‘!’ or ‘@’ or ‘#’ or ‘$’ symbol to our normal password:

‘Scraps’ (being the name of your first puppy dog) becomes ‘Scraps2067$’, a password that of course, you will never be able to recall on subsequent visits to the website; you rarely or never do.

Whilst security freaks will argue that this makes their websites and the data of their users safer (and this is true, though only up to a point), such an approach to passwords automatically adds a layer of resistance for each user:

  1. If we are accessing the website frequently, we still need to stop each time we log in: “Ah, this is that website with the unique password, where I need to pause, think about it and then very slowly and deliberately enter it…”.
  2. More likely however, it is not a website being frequently accessed and so to gain access, you have to go through the reset or recovery process.

    A lot of friction, backwards and forwards and accessing your Gmail, just to access a website and friction that can and should be avoided.

3. The hot end of the scale: unique passwords that cannot be used twice

Realistically, we have all probably roughly worked out some sort of complex password to placate websites requiring it, though many of us have permutations of these passwords; in adding a number, it could be ‘1’, or our favourite digit, or our year of birth or our credit card PIN.

Invariably, we arrive at the website requiring a complex password and attempt to recover and reset our complex password, a process we don’t look forward to, though one at least we understand.

Mother’s maiden name entered, email opened, link clicked: we feel good that we’re finally at the ‘Enter New Password’ page and only a button away from entering the website.

But then the website tells us we can’t use a password we have previously used.

What? Are you mad?

This particularly - though unnecessarily - secure approach (designed not for simple users of websites but for situations where information security is paramount and excessive security steps are taken) condemns all of us to a revolving life of the password renewal process described above.

Worse, with each renewal, we hit a growing batch of passwords we’ve previously used and can no longer use, further slowing us down.

"Sorry: 'Scraps1979&' has previously been used as a password and you need a new one...".

Amazing. Ingly. Poor. Outcome for the user.

It would be easier and faster just to mash the keyboard each time; the password you generate is just as disposable as the increasingly crafty and thoughtful passwords you have to come up with every time you want in.

We all know the pain of number 3 well and it is a bad pain, especially when the password recovery email shows up ten minutes after we asked for it.


4. The end of the scale: social sign-in goes wrong

The concept of signing into a website using your Facebook or Twitter or Google+ account has merit.

As long as it is properly executed and the workflows considered.

Putting aside perceived issues users might have about privacy and information sharing, social sign-in ideally allows a user to sign up and return by giving one of their social networks permission to share their ID and credentials with a website, removing the need for manual registration and a password outside of the social network.

A password that is generally pretty well known; that is, the password used to login to Facebook.

The challenge is where registration and login become confused.

If a user has initially signed in with an email address and then signs in with a social login, things can go awry.

Because even with social sign-in, most websites still create an account using the email address associated with the social account of the user. And even if they don’t, things can still go wrong:

  1. The user is already registered and when they go to log in with, say, Facebook, they are told they are already registered with that email address, leading to confusion or frustration.
  2. The user opens two accounts: one with their email address (the old-school style of registration) and one with their Facebook ID. They then have two accounts, which can be difficult to rectify.
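The two failure modes above both come from treating a social sign-in as a fresh registration. As an added example (not code from the post or from any site it mentions), the resolver below looks the provider ID up first, then links the social identity to an existing email-registered account instead of rejecting it or creating a duplicate; the store, the provider names and the `email_verified` flag are assumptions standing in for a real user database and a real OAuth response.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Account:
    account_id: int
    email: str
    password_hash: Optional[str] = None  # None for social-only accounts
    linked_providers: Dict[str, str] = field(default_factory=dict)  # provider -> provider user id

class AccountStore:
    """Constructed in-memory store; a real site would query its user database."""
    def __init__(self) -> None:
        self._by_email: Dict[str, Account] = {}
        self._by_provider: Dict[Tuple[str, str], Account] = {}
        self._next_id = 1

    def find_by_email(self, email: str) -> Optional[Account]:
        return self._by_email.get(email.lower())

    def find_by_provider(self, provider: str, uid: str) -> Optional[Account]:
        return self._by_provider.get((provider, uid))

    def create(self, email: str, password_hash: Optional[str] = None) -> Account:
        acct = Account(self._next_id, email.lower(), password_hash)
        self._next_id += 1
        self._by_email[acct.email] = acct
        return acct

    def link(self, acct: Account, provider: str, uid: str) -> None:
        acct.linked_providers[provider] = uid
        self._by_provider[(provider, uid)] = acct

def social_login(store: AccountStore, provider: str, uid: str,
                 email: str, email_verified: bool) -> Tuple[Optional[Account], str]:
    """Resolve a social sign-in to exactly one account.
    Outcome is 'existing', 'linked', 'created' or 'needs_verification'."""
    acct = store.find_by_provider(provider, uid)
    if acct:
        return acct, "existing"          # returning social user: no registration prompt
    acct = store.find_by_email(email)
    if acct:
        # Link by email only when the provider vouches for the address; an unverified
        # address could belong to someone else, so linking it would hand over their account.
        if not email_verified:
            return None, "needs_verification"
        store.link(acct, provider, uid)
        return acct, "linked"            # one account, now reachable both ways
    acct = store.create(email)
    store.link(acct, provider, uid)
    return acct, "created"
```

A site that instead returns "account already exists" at the `find_by_email` branch produces the first failure mode; one that skips that lookup produces the second.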

It has gotten better in recent years with websites realising this challenge, though it is not ideal and I encountered a website today that told me I was registered when I tried to access it with Facebook. It said my account already existed.

For the average user – especially users of deals websites and eCommerce websites, where we are forced to open accounts to gain access and do so quickly – this is frustrating and possibly quite illogical.

Without the patience to troubleshoot the issue, I walked away.

A login fail.


Which is why you need to consider two things

This blog hopefully rings true to you and the frustrations you have had logging into websites.

And so the first thing you should obviously consider is the difficulty and complexity you put your users through in accessing your website.

Stronger, unique passwords are ideal though they are not strictly necessary.

There are ways to stop people brute-forcing your user accounts with potential passwords. This comes down to reasonable password rules (that we all by now accept, without adding symbols and who knows what to our passwords) and ways of blocking such brute-force attacks at the login endpoint.
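One way to have both halves of that sentence, as an added example rather than anything from the post: a sliding-window throttle on failed logins keyed by account and by client IP, beside a length-only password rule backed by a small denylist of known-weak passwords. The thresholds, the window and the denylist are constructed assumptions, not figures the post gives.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, FrozenSet

class LoginGuard:
    """Counts failed logins per account and per IP inside a sliding window."""
    def __init__(self, per_account: int = 5, per_ip: int = 50,
                 window_seconds: float = 900, clock: Callable[[], float] = time.monotonic) -> None:
        self.per_account = per_account   # assumed limit: protects one account
        self.per_ip = per_ip             # assumed limit: catches spraying across accounts
        self.window = window_seconds
        self.clock = clock               # injectable so the window can be tested
        self._fails: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent(self, key: str) -> int:
        q = self._fails[key]
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:       # drop failures that have aged out of the window
            q.popleft()
        return len(q)

    def allowed(self, username: str, ip: str) -> bool:
        """Call before checking the password; a False here is a throttle, not a verdict."""
        return (self._recent("acct:" + username.lower()) < self.per_account
                and self._recent("ip:" + ip) < self.per_ip)

    def record_failure(self, username: str, ip: str) -> None:
        now = self.clock()
        self._fails["acct:" + username.lower()].append(now)
        self._fails["ip:" + ip].append(now)

    def record_success(self, username: str) -> None:
        # A successful login clears the account counter; the IP counter keeps its history.
        self._fails.pop("acct:" + username.lower(), None)

WEAK_PASSWORDS: FrozenSet[str] = frozenset({"password", "12345678", "qwertyui"})  # constructed

def password_acceptable(password: str, min_length: int = 8,
                        denylist: FrozenSet[str] = WEAK_PASSWORDS) -> bool:
    """Length plus a denylist; no forced capitals, digits or symbols."""
    return len(password) >= min_length and password.lower() not in denylist
```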

The user comes first and getting them into your website quickly could mean significant revenue.

The second thing you should do is quickly recognise that your users are having an issue accessing your website and proactively act on it.

Pinterest is a great example of this, where after I tried to login and failed, it automatically sent me this email - which, in this instance, recovered me as a user:

Well done Pinterest...

Where it sees a user’s email address or account having issues, it proactively reaches out; especially when social sign-in is involved.

The gesture not only helps the user, it shows the user you recognise their pain and care.

This goes a long way.

Streamlining sign-up and login is a no brainer.

Friction in a website should be mitigated as far as possible and, with apologies to my IT security friends, if my bank – ANZ – lets me sign in with my preferred password, you should too.

Over and above this, tag up the website with analytics so you can see what is happening at sign-up and login, and jump on it.

You may well recover a user, as Pinterest did with me.