Forget your password?
It may be fairly basic functionality on most sites and apps that require membership, but it is one of the most important features available. We all have dozens of passwords that we need to remember daily - many are variations upon one or two. And it's hard to remember which one you used where. Most people forget their passwords at one time or another. I constantly forget. This feature is my best friend.
I flew on Spirit Airlines Sunday. And because of the nature of Spirit, I really wanted to check-in online Saturday night and avoid a number of fees. However, I forgot my account password.
I thought: Have no fear, password assistance is here!
So I clicked on the "Forget your password?" link, entered my email address, and then got a pop up window/layer thing I needed to click again -- a two-step process. Why would anyone do this? Jef Raskin would turn over in his grave to see this. So unnecessary.
Did you see the message on the screen - Wait up to 30 minutes for an email?
Up to 30 minutes to change your password?
A question to the developers: why could it take that long to generate such an email?
Anyway, I got frustrated and called support to see if I could maybe make some headway there with my password issues. I only called to get a recording and hear that it could take up to an hour for the email.
An hour? Seriously?
So I stopped trying to get a new password on Saturday night, and therefore stopped trying to check into my flight for Sunday. I figured I would try again on Sunday morning when my patience was refreshed.
Sunday morning I got a bunch of emails from Spirit to change my password. None of those passwords worked, so I tried the "Forgot your password" 2-step business and I got an email in 3 minutes this time. Awesome!
I used the password and got to a screen where I could enter a new password - awesome!
I tried entering an all-text password (there are no password rules or any indicator that the password needs to be secure), and unfortunately, I had a typo in one of my entered passwords. This is where the infinite loop started and I got massively confused. I saw this screen as my error message:
How did I get here from where I was? A mystery!
So I used the password that I knew got me to the next screen and tried again. And again. And again. I went in this infinite loop, until I tried a password that come to find out was what I used previously and then got this:
ACK!
This is no longer security - this is just pure madness! Give me instructions for what makes a good password and stop making me guess already!
I finally got out of the infinite loop and could carry on with my life. I doubt that account will be dusted off and used any time soon after this experience.
5 lessons from Spirit's site:
- A user should receive a password retrieval email in 5 minutes or less. There is no excuse for a system to take 30 minutes to auto-generate an email.
- Provide password guidance. Sites that don't do this frustrate their users and they will go away. There is no harm in including an error message or a line of instruction to let the user know what is expected. A rule is a rule - and we all want to uphold good security. But when you don't tell us, it becomes a game of trial and error - and no one has time for that.
- Put error messages on the screen where the error is. (I know, basic, but need to say it.) Error messages should be near the error, otherwise, the user will get confused and not understand what he did wrong.
- Infinite loop scenarios are discouraging and confusing. Guide the user to complete the task. The system's structure shouldn't be first priority. Users are giving you money to use a product/service - their needs should be first. Systems don't pay the bills (last I checked, they created them).
- Pressing the return/enter key should have the same function as selecting the submit button on a form. (Another basic principle.) This is pretty standard, but for those of us still on keyboards, we don't switch between taps/mouse clicks and the keyboard unless needed. An enter key should do the trick if a user is filling out a form (tab between fields and enter/return to submit the form). The desktop system isn't dead yet - and won't be for a while - so designing purely for taps and mobile isn't a wise choice.