Let Me In

Posted on 3rd April 2008

The problem with those who get high and mighty about username/password site logins is that they often use examples where you really do want some degree of protection, not from yourself but from others. Of the 16 Account Design Mistakes listed in Part 1 and Part 2 by Jared M. Spool, most include good ideas for developers; however, some use examples where the sites are quite right to be obscure.

Take #13 "Not Explaining If It's The Username or Password They Got Wrong", which then holds up Staples and American Express as the worst offenders. I'm sorry, but if I have accounts with companies like that, then there is no way on earth I want them giving crackers hints as to whether they got my username or my password wrong. Those kinds of sites contain VERY sensitive personal information, not least of which is your credit card information. If Jared is that eager to share his financial information, I'm now wondering if he publishes it on his personal website. Could it be that perhaps the very security he ridicules actually protects him from identity theft?
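To show the point in code, here is an added example (not from the post, nor from either site named in it) contrasting a login handler that leaks which field was wrong with one that returns a single message and does the same amount of hashing work whether or not the username exists, so neither the text nor the timing distinguishes the two cases. The user store, usernames and password are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for a demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store: username -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Decoy record: unknown usernames are checked against this so the code path
# (and its cost) is the same as for a real account. It can never match a
# caller's password because the decoy secret is random and never revealed.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = _hash_password(secrets.token_hex(16), _DECOY_SALT)

FAILURE = "Invalid username or password"


def login_leaky(username: str, password: str) -> str:
    """The pattern the post objects to: the message says which part was wrong,
    so an outsider can confirm which usernames exist."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return "Incorrect password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """One failure message for every cause. The hash is always computed
    (against the decoy if the user is unknown) and compared in constant time."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    candidate = _hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    # The explicit membership test guarantees the decoy never authenticates.
    return "OK" if matched and username in USERS else FAILURE
```

The leaky variant is the one that lets a stranger sort a list of guesses into "real account" and "no such account" before ever touching a password; the uniform variant gives them nothing to sort on.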

Another is #16 "Requiring More Than One Element When Recovering Password", where a company requires some form of additional account information other than just your email address. Again, this is a company that holds your credit information and, by the sound of it, some very personal information (such as my phone number). Does Jared post his personal phone number on his website? I doubt it, as I assume he doesn't want all and sundry knowing it, thus exposing him to more identity theft.

Don't get me wrong, Jared does list some good thoughts about username/password site logins, but the context he uses to ridicule some sites and companies is grossly misplaced. The problem is that the author often thinks only in terms of making life easier for themselves, forgetting that you can also make it easy for those of a more malicious nature too. In all, or possibly nearly all, sites that I have a login for, the login is there to protect my account on the site from abuse. I know there are sites out there that only provide customisations with your login, but I don't use them. Even those that don't contain personal information, I would not want anyone to hack into. If you're happy to make it easy for someone to log in to your blog account and post spam, abusive or malicious content, then fine, make it easy. For the rest of us, we'd rather have some form of protection on the account that makes it a little harder for others to get through.

File Under: design / rant / security / usability / website

Shout It Out Loud

Posted on 11th July 2007

This post is mostly to trigger my shiny new Technorati Profile into recognising this "blog" as mine.

For some time now I've wondered about the use of the word 'blog'. I know it comes from weblog and is in reality an online journal or diary, but the word 'blog' doesn't conjure up anything like the kind of articles, news and thoughts I plan to post here. In fact I find it quite a dismissive word.

That's not to say the people who actually create these online diaries are not important; they are. For friends, it's a way for me to see what they're up to, what's bothering them and the like, and likewise for those whom I know through social networks. They're also valuable to those of us who are looking for solutions to a particular problem, answers to questions, or thought-provoking posts.

The medium itself is a valuable tool for allowing the average person to be heard amongst the often inflated egos of some journalists I've met (particularly in the music industry ... but that's another story). I like the fact that I can find bits of news and information from sources I would never otherwise have known existed.

What I don't like is the term 'blog'. It's a bit too late to try and change it now, and I doubt a lone voice would get much airplay, but it would have been much nicer to associate myself with a term that conveys the value of the online community of storytellers. For me, blog just doesn't cut it.

File Under: rant / usability / web

The Frayed Ends of Sanity

Posted on 1st June 2007

XWiki would seem to be in dire need of some sanity. When I upload a file, I expect to get an appropriate error message if it fails, or better still to be told beforehand if it's likely to be too big. I don't expect two huge great Java exceptions thrown back at me. Thankfully, I'm a technical user and can decipher the problem (the image was too big), but other users might not be so understanding.

This goes back to what I posted yesterday: don't send users down broken paths. If there are constraints, tell them!

However, there is also another issue with sites that accept photo uploads like this. If you have a limit on the size of the photos, resize the image. It isn't hard. This is what Labyrinth does, so although your original image might be 1280x1024 and over 1MB, it will get saved as something like 800x800, or perhaps 150x150 for thumbnails, all automatically, without the user having to worry about it. Why make the user jump through hoops when you can so easily add a feature like that yourself?

The problem here, though, looks to be that XWiki (or at least this installation of it) uses the database as a file store. The Java exceptions come from JDBC finding the data too big to store. Why is an image (or any media file) ever stored in the database? I've come across this idea a few times before and have never understood the point. Use the OS filesystem to store files and the database to store your textual content. You aren't going to search the content of the data block in the database, or if you are, then I seriously doubt you get any benefit over using tools dedicated to accessing and interrogating files at the OS level.

Maybe it just comes down to the fact that Java programmers seem to want to try and do everything themselves. I came across this several times when I was forced to use Silverstream many moons ago (also written in Java), and it seems to be a mantra of Java that it's the only tool for the job, even if it isn't.

File Under: design / usability / web

Don't Come Around Here No More

Posted on 31st May 2007

Recently I joined the Facebook community. Seeing as several coworkers were prompting me, and it looked to be a more social version of LinkedIn, I thought I'd give it a try. For the most part it is a fun site, although there are a few dodgy parts, but you kind of expect someone is going to try and push the barriers of taste on a site like this.

However, there was one aspect that really irritated me yesterday. Although I found it on Facebook, I've come across similar things on several sites over the years, and it is a failing of web designers to actually understand their audience. In web design there is a lot of emphasis on usability, for a very good reason. It is absolutely pointless having a beautifully crafted web site if your potential users can't use it. Now most designers do get the idea of keeping the navigation clear and easily available, and generally layout has gotten less busy over the years, but usability is more than just understanding where everything is.

Your site needs to be functional, even if that means you only have static pages that provide other ways for your users to interact with you, such as providing a contact address. To me, functional means doing something useful and not irritating your user base.

The part of Facebook that fails this test of functionality, and irritates the hell out of me, is taking your users on a trail that is a pointless dead-end and completely wastes the user's time in even bothering to follow it. If you have ever clicked to 'Add a friend', then you will most likely be presented with a box that requests you to enter a CAPTCHA. Just above the box is a link that implies you can forego this CAPTCHA if you verify yourself. So I thought I'd do just that. The next page then asks you for your mobile phone number. As I didn't want to give them my personal mobile number, I thought I'd use my work mobile. Unfortunately I'm very bad at remembering phone numbers, so it took me a few minutes to find it. I entered the number and clicked to get verified. I was then presented with an error message which to me, reading between the lines, said "no you dolt, an American mobile phone number, because you know, obviously ONLY the interesting people are in America". No, it doesn't actually say that, but it might as well have.

If you offer a piece of functionality that is only available to a small sliver of your potential audience, SAY SO! It isn't difficult. At the CAPTCHA they could so easily have put in brackets "(available for US residents only)". It would have been mildly disappointing that it was only available to a select group, but at least I wouldn't have wasted my time trying to use functionality that I was never going to be allowed to access, or felt insulted by the implication that I should have known this.

File Under: design / usability / web

Somebody's Watching Me

Posted on 13th May 2007

I've had tracking code in Labyrinth for some time, but it's mostly to track popular galleries and photos. It does count pages, but nothing as detailed as Google Analytics. I'd heard interesting comments about this Google service, and seeing as I can't use their AdSense service for any practical purpose, I thought I'd give it a try. So for the past few days I've been adding the appropriate code into several of my sites. I was looking at the reports this morning for some of the more popular sites and they make interesting reading.

Many of the sites are specifically aimed at the UK audience, so it's not too surprising to see the majority of visits are from UK residents. However, some, particularly my Perl sites, are of global interest, so I'm hoping to spot any interesting trends and identify the popular pages. It's early days yet, but so far my CPAN Testers Statistics site is popular in Germany and the US. It'll be interesting to see what the analytics report when the CPAN Testers Wiki finally goes live.

However, the biggest benefit to using Google Analytics is that I can show anyone I do sites for a more active response to their site. Kev is always quite keen to see what the response is like after The Scooter Do has an event. The gallery for the night always seems popular, but now we'll be able to see whether that's true and whether site visitors browse the rest of the site.

File Under: google / technology / usability / web


Some Rights Reserved. Unless otherwise expressly stated, all original material of whatever nature created by Barbie and included in the Memories Of A Roadie website and any related pages, including the website's archives, is licensed under a Creative Commons by Attribution Non-Commercial License. If you wish to use material for commercial purposes, please contact me for further assistance regarding commercial licensing.