Tuesday, July 31, 2007

What did you say my password is?

When is your password not your password?

When the company decides to change their password handling and implements it poorly.

Case in point: I used to have a "strong" password (i.e., one that's harder to guess because I have used special characters and relatively random selection of characters) at DirecTV -- "gt*9facts" (not my real password, of course). I've used my strong password for well over a year now with absolutely no problems. BTW, if you want a few pointers on creating a strong password that's easier to remember, visit http://www.4mypasswords.com/welcome/tutorial. Or see the Wikipedia entry on strong passwords.

Just the other day, I needed to log in to my DirecTV site and entered that password: it failed. I tried several times (I can make typing mistakes :-) but to no avail. I finally clicked the "Forgot your password?" link, thinking that maybe I had changed the password and forgotten about it.

Imagine my surprise when the email from DirecTV told me that my password was, in fact, "gt*9facts"! Even cutting/pasting from the email into the website yielded a password failure.

Searching through the site, I finally found that they now had a policy that you could only use alphanumeric characters in your password -- that is, the "*" in my password was invalid.

So what went wrong here?
  1. First, DirecTV implemented their change poorly. It's one thing to require new visitors to use the new requirements -- that's a simple change to the input validation scheme. It's totally another thing (and poor user interface design) to also change the processing of an existing password to exclude already-accepted characters. At the very least, what they should have done is allow existing passwords to continue to work; much less hassle for their users.
  2. Second, DirecTV sent out a bad "Here's your password" email. If they implemented the change they did, then they should have put smarts into the rest of their password system. What they could have done is parse the password, note newly invalidated characters and either: (i) pointed out the problem and provided a link to automatically generate a new password; or (ii) modified the password, replacing those invalid characters with a standard replacement.
  3. Finally, DirecTV reduced the ability of their users to generate strong passwords. Granted, many users do not generate strong passwords. However, please don't take away that capability for those of us who do want flexibility in generating good passwords. Better security is better.
As it was, I had to try my old password several times, get a little worried about my account having been cracked, get my wrong password email, and finally contact tech support, wait on line, and get them to assign a new one to me.

Not the right way to treat a customer!

Thursday, April 26, 2007

Outrageous forms

Ever go to one of those sites for a "free" article and then get hit with an unbelievably long form where all of the fields are required? Obviously some marketing hack who figures this is a great time to fill their database with all kinds of wonderful information that they can then mine for gold.

Well, the same thing can also happen with companies that you already have a relationship with or with signups for fee events. And this can be exacerbated by poor website design and sluggish response.

I recently had one of those situations when attempting to send a question to Cingular about my online account. I wanted to know why my online bill had not yet been posted for the current month. So I figured I'd send them a message. They very conveniently had a link on their site to "Email us your billing questions". I thought this would be the quickest and easiest way to communicate with them... boy was I wrong!

It's a 3-step process (they say). Step 1 is a confirmation of your basic account information: no problem there. My difficulties started in Step 2, where they want to know what my problem is about.


Well... this looks like a 3-step process in and of itself, and it's only Step 2. Worse than that, there is obviously a round-trip to the server to display this information and it took 15-30 seconds to update the page after each selection. And the final item ("Sub-topic 2") simply returned a "There are no options for this Sub-topic" -- at least they told me before I had to wait for that item. But still, totally unacceptable!

Once you get past this page (if you get past it... I was beyond the point of trying to communicate with Cingular: now I wanted to see how bad this could be), I expected it to get worse, and I was right! Here's Step 3 of the dialogue. Notice that there are two images here: the list of questions (all required) that they ask you for can't be displayed on a single page!

The list of questions is unbelievably long and they are all required! I even have to enter (HAVE TO!) my current snail mail address before I can submit a help request... how bad can you get?

I guess they don't really want to get questions -- they just make it too hard to submit them!

Suggestions to Cingular: (1) Get some faster servers; (2) Read "Don't Make Me Think" (Krug); (3) Have real people check out your designs before inflicting them on your poor users.


Thursday, April 12, 2007

Passwords & misinformation...

I continue to be amazed at the number of ways that people can botch signups for online services, and Dr. Dobb's Life 2.0 conference just reminded me of that.

You go to their site to register for this free conference, and you have to give them a password. The first question is "Why?" There's certainly nothing private about registering for a conference that I can see, but what the heck, I'll give them my password.

The instructions clearly say:

LIFE 2.0 PASSWORD (SIX CHARS MINIMUM)

so I carefully type in my usual "non-secure" password which has a special character included (old habit of putting in something a little less guessable, and the one I commonly use for these kinds of "Who cares?" registrations) and attempt to move on.

Up comes a dialogue box that says "Blah!"



yep, you read that right: "Blah!"

Hardly what I'd call a user-friendly response to a perfectly reasonable password that has been accepted by maybe 95% of the websites that I visit. After I click "OK" on this message (not what I would really like to tell them, but that's my only choice), they finally display "Password invalid! Please re-enter".

Notice that they don't tell me what's wrong with my perfectly valid password... just that it's wrong and I should try again.

(Un)Fortunately, I've learned that some sites -- like Dr. Dobb's site -- just don't get it when it comes to passwords. They:
  1. Don't give you good instructions on how to enter your password.
  2. Make poor decisions about what is an "acceptable" character in a password.
  3. Don't give you good instructions when things don't work as expected.
What's ironic and a little sad is that their "minimum 6 characters" is almost certainly based on the idea that longer passwords are harder to guess. That may or may not be the case, but not allowing special characters makes them easier to guess.

And just why is a special character (a few sites have only a few special characters that they don't allow... go figure!) not allowed anyway? It's not like a password is going to be 'executed' and thus open the door for some kind of hack... that is true isn't it Dr. Dobb's?

Too bad... it shouldn't be this difficult!
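Both of the password posts above (the July 31 "what went wrong" list and the question here about why a special character should ever be rejected) describe the same handling: check a password policy only when a password is being set, keep existing passwords working after the policy changes, and give a specific error instead of "Blah!". The sketch below is an added example, not code from DirecTV, Dr. Dobb's, or the author of this blog. The PBKDF2 work factor, the minimum lengths, the record format, and the in-memory account store are assumptions for illustration. Because the password is hashed and never interpreted, "*" and any other printable character are accepted. One consequence worth noting: a site that can email you your password is storing it in a recoverable form; with a hashed store, the "Forgot your password?" flow has to issue a one-time reset token instead, which is what the example does.

```python
"""Password policy applied at set-time only; hashed storage; token-based reset.

Added example (not DirecTV's, Dr. Dobb's, or the blog author's code).
ITERATIONS, MIN_LENGTH, the record layout and AccountStore are assumed
values and names chosen for illustration.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 200_000   # assumed PBKDF2-HMAC-SHA256 work factor
MIN_LENGTH = 8         # assumed default minimum for NEW passwords only


def check_new_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return a list of specific problems; an empty list means acceptable.

    Any printable character, including '*', is fine: the password is only
    ever fed to a hash function, never executed or interpolated anywhere.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"must be at least {min_length} characters")
    if any(not c.isprintable() for c in password):
        problems.append("must contain only printable characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 record: algo$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    """Hypothetical in-memory account store; `policy` is checked only in set_password."""

    def __init__(self, policy=check_new_password):
        self.policy = policy
        self._records = {}
        self._reset_tokens = {}

    def set_password(self, user: str, password: str) -> None:
        problems = self.policy(password)
        if problems:
            # Tell the user exactly what is wrong, not just "invalid".
            raise ValueError("password rejected: " + "; ".join(problems))
        self._records[user] = hash_password(password)

    def authenticate(self, user: str, password: str) -> bool:
        """Deliberately does NOT re-run the policy: legacy passwords keep working."""
        record = self._records.get(user)
        if record is None:
            hash_password(password)  # burn the same work so unknown users are not faster
            return False
        return verify_password(password, record)

    def start_reset(self, user: str) -> str:
        """'Forgot your password?' cannot return the password; it issues a one-time token."""
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = user
        return token

    def finish_reset(self, token: str, new_password: str) -> None:
        user = self._reset_tokens.pop(token, None)
        if user is None:
            raise ValueError("invalid or already-used reset token")
        self.set_password(user, new_password)


def demo():
    """Tighten the policy after an account exists; the old password still authenticates."""
    store = AccountStore(policy=lambda pw: check_new_password(pw, min_length=6))
    store.set_password("alice", "gt*9facts")      # the post's sample password (not a real one)
    store.policy = lambda pw: check_new_password(pw, min_length=12)  # policy change later
    still_works = store.authenticate("alice", "gt*9facts")
    try:
        store.set_password("alice", "short*1")
        rejected = None
    except ValueError as err:
        rejected = str(err)
    token = store.start_reset("alice")
    store.finish_reset(token, "correct horse*battery")
    return (still_works, rejected,
            store.authenticate("alice", "correct horse*battery"),
            store.authenticate("alice", "gt*9facts"))


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the split between `set_password` and `authenticate`: the stricter policy is enforced the next time alice chooses a password, but her existing one keeps working until then, and the rejection message names the actual rule that failed.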

Monday, March 19, 2007

Start with a good story

Today was a good technology day... nice way to start this blog. I've got an HP LaserJet 3055 All-In-One printer and have been fairly happy with it. Besides printing/copying, I use it pretty heavily for scanning articles, images, drawings, so that I can save them and/or email them to business associates.

Well, today, it stopped scanning for no apparent reason. Now this is actually not a good thing -- why does working technology just stop working? Not very reliable... but that's another story.

I did my own troubleshooting but got nowhere. So I went to the HP website, found the InstantSupport links, and eventually found the "Live Chat" option. [Note to HP: The pages were so busy that I really had to search for what I wanted... much more challenging than it should be. Krug's book "Don't Make Me Think" would be a good resource.]

Having finally found the Live Chat option, I expected the frequent drill on these sites of answering tons of questions -- the interview checklist, if you will -- before I could get into the meat of solving the problem. Pleasantly enough, there were only a very few questions and a couple of quick tests and I was directed to a download to "Fix scanning" -- and it did, first time.

The most difficult part of the exercise was moving the printer to get the Part Number. The configuration printout from the device amazingly doesn't show this! [Another Note to HP: Put this information on the printouts, please.]

Total time to solution: less than 15 minutes. Congratulations, HP!