Website passwords are becoming more of a problem, as more of us use a wider number of sites to conduct our daily business transactions. The issue is that the security filters to recover lost passwords are seriously broken, and are biased towards people that frequently return to sites. But think about it. The more often you visit a site, the more likely you are using (hence remembering) the password. The very users that password recovery systems are supposed to help are left in the cold. People's electronic lives aren't static, and the password recovery programs can't keep up as we move about the physical world, change e-mail addresses, and forget which piece of critical data will be used to authenticate our electronic personas.
Consider this situation from one of my correspondents, an experienced computer scientist. She was recently asked to login with her username and password and couldn't remember either when she went to buy something at eBay.
She rooted around the site, and found a place where the site can e-mail her the username. Great, we are cooking now. But wait: the site still requires a password, and she still didn't remember it. Now she hits a roadblock. Instead of e-mailing it to her, or resetting it to a one-time use, the site has security procedures to ensure that she really is who she said she is.
My friend had to answer three questions correctly. Here is her internal dialogue when presented with these questions:
1) Mother's maiden name. "Gee, did I really give her last name? Or did I use her first? Or middle? Or maybe initials?"
2) ZIP code. "It's been a long time since I ordered from here. I've moved twice recently. Which ZIP code did I use to set up the account?"
3) Primary telephone number. "Is that my home phone from two houses ago, one house ago, the current one, work, or cell?"
Of course, she never gets the correct answers to these questions. (She also complains about the choice of questions: "Where did they get those secret questions? I don't have a pet, I don't remember what street I was born on.")
So she tries to set up a new account, but, WHAM, the site won't let her, claiming she is already a registered user at that e-mail address. Why doesn't she just use a different e-mail address? Apparently, she thought of that in the past, because, try as she might, all of her choices of alternative e-mail addresses are already taken.
So now my friend tries to contact a human. No telephone numbers are listed on the site. But there was a button called "contact customer service." When she clicks on that, the site requires her login. Clearly, that's not going to work. There is a bunch of online help, but it all requires one to "type your username and password." This is online help that’s not very helpful.
Eventually, she gets an e-mail from someone in support. But they tell her that they can disable an account but then that e-mail address can never ever be used to do business with them again, even if that domain name goes to someone else and the e-mail address gets given to a new human. That unfortunate human will mysteriously never be allowed to do business with them ever again. Maybe that is a good thing, given the state of this registration system.
I don't mean to pick on eBay (well, just a little); the problem is definitely widespread. I forget my own passwords and usernames on a couple of sites that I don't use all that frequently. And I even forgot a username on a server that I was setting up in the lab last week! And I even forgot my own eBay credentials this past week, coincidentally. My usual way to remember them is to consult a crib sheet that I keep in a semi-safe place that lists all the combinations that I currently use. That is pretty pathetic.
How many things are wrong with this picture?
First off, merchants should not force us to allow them to store personal information about us. We should have the choice of what information we want them to store, and if we want to type in our credit card numbers for each purchase, that is our right. While it is nice that they are so considerate of our time and offer to save us the tedium of typing in this stuff every time we buy something, some of us wish to do this for privacy and safety reasons. How many databases of various ecommerce sites have been compromised? Merchants ought to be willing to not keep a database on us, if we ask. That also goes for asking for additional information, such as a home phone number. Why should anyone have to provide information that isn't relevant to the buying process?
Second, if they maintain a database of our personal information, merchants shouldn't require us to remember yet another name and password in order to access the site. Many sites provide an option not to login in order to buy something. The merchant can always match up our last order by comparing against our e-mail address.
Finally, if a merchant insists on us having an account, it should make things painless if we forget our names and passwords. We ought to be able to start fresh whenever we want. Or perhaps they should send us e-mail that allows us to wipe out the account, or reset it so that we have to re-enter a valid credit card number. It is no risk to the vendors. Storage is cheap.
Ebay's system is not only anti-consumer, it's also against its own interests. It should not make it difficult for a willing customer to buy something. As I have said before, make it hard for your customers to buy things over the Web, and they will go away. We need better registration and authentication systems, and to make things simpler for forgetful users to finish their transactions and get their goods.
Because of overzealous filters, some of you might have missed last week's essay about middle school entrepreneurs. You can read it here:
All of my Web Informant essays are archived on my site, by the way, for your reading and re-reading pleasure.
Entire contents copyright 2004 by David Strom, Inc.
David Strom, firstname.lastname@example.org, +1 (516) 562-7151
Port Washington NY 11050
Web Informant is (r) registered trademark with the
U.S. Patent and Trademark Office.
ISSN #1524-6353 registered with U.S. Library of Congress
If you'd like to subscribe (issues are sent via email),
please send an email to: