Registering on a website presents a different challenge at every single domain. Even within Microsoft’s sites, I’ll bet we have 12 different ways to register for a site. Here’s a list of my recommendations for website developers on what you should have in mind for your users during registration.
[I understand that each site has a different security need. These are general recommendations that should apply to everyone. Add spice as needed.]
1) Make your username and password requirements reasonable.
Most people like to use the same username everywhere. Why would you ever set a length limit on usernames and passwords? I encountered a site the other day that only allowed me to have a password that was 6 characters long. No more, no less. Oh, and special characters were NOT allowed.
I would encourage everyone to require a letter, a number, and a special character. If I want my password to be 40 characters, why shouldn’t I be allowed to? (And for those of you who want to start down the SQL injection path, YOUR CODE should be handling SQL injection, not the length of your textbox.)
2) CAPTCHAs are a good idea.
There are many malicious people out there writing malicious programs. Make sure that your user is human. Plain and simple.
3) Do you need a security question?
Picking questions for your users to answer can be tricky. As a user, I don’t want to give you any personally identifiable information. That includes where I was born, my mother’s maiden name, my elementary school, or anything else. Let me write both the question AND the answer. It just makes more sense. Then I can use:
Are security questions secure?
In addition, do not require your user to remember which question they chose to answer. How arrogant of you to think that they’ve retained that kind of information for recall. If they can’t remember their username and password, what makes you think that they are going to remember which security questions they answered, let alone what the answer to that is? Make it easy for them.
4) Provide the user with feedback, not a postback.
How many times have you filled out the entire registration form, only to find out that the username you wanted is already taken? And now you have to fill half of the form out again. Annoying. How about, AS I type in my username, you confirm for me that the username is available? Seems like a little bit of code and some AJAX transport should do the trick. Speaking of feedback, the only thing more annoying than my previous example is when you don’t tell me your password requirements until after I submit the form. If I knew them BEFORE I started typing, I wouldn’t be presented with another step when I get it wrong. Just like an auto-confirm on username, give your user feedback about whether their password conforms to your security requirements. Even if your requirements are ridiculous (see #1).
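Here is an added example (my code, not part of the original post) of the client-side feedback tip #4 asks for, checking the letter/number/special-character rule from tip #1 as the user types and confirming username availability without a postback. The field ids, the `/api/username-available` endpoint and the 8-character floor are assumptions.

```javascript
// Added example: live password-requirement feedback (tip #1) and a debounced
// username-availability check (tip #4). Field ids, endpoint path and the
// minimum length are assumptions, not values from the post.

const MIN_PASSWORD_LENGTH = 8; // assumed floor; the post asks for no ceiling

// Tip #1: a letter, a number and a special character, any length above the floor.
const PASSWORD_RULES = [
  { id: 'length',  label: `at least ${MIN_PASSWORD_LENGTH} characters`, test: (p) => p.length >= MIN_PASSWORD_LENGTH },
  { id: 'letter',  label: 'a letter',            test: (p) => /\p{L}/u.test(p) },
  { id: 'number',  label: 'a number',            test: (p) => /\p{N}/u.test(p) },
  { id: 'special', label: 'a special character', test: (p) => /[^\p{L}\p{N}]/u.test(p) },
];

// Returns the ids of the rules the password does not yet meet, so the form can
// tell the user what is missing while they type rather than after a postback.
function unmetPasswordRules(password) {
  return PASSWORD_RULES.filter((rule) => !rule.test(password)).map((rule) => rule.id);
}

// Tip #4: ask the server whether a username is free once the user pauses typing.
// `lookup(username)` must return a Promise<boolean>; it is injected so the
// logic can run without a browser or a network.
function createUsernameChecker(lookup, delayMs = 300) {
  let timer = null;
  let latest = 0;
  return function check(username, onResult) {
    clearTimeout(timer);
    const requestId = ++latest;
    timer = setTimeout(async () => {
      const available = await lookup(username);
      // A slow reply for an earlier keystroke must not overwrite the newest one.
      if (requestId === latest) onResult(username, available);
    }, delayMs);
  };
}

// Browser wiring; skipped when the file is loaded outside a page.
if (typeof document !== 'undefined') {
  const pwField = document.getElementById('password');      // assumed id
  const pwHint = document.getElementById('password-hint');  // assumed id
  pwField.addEventListener('input', () => {
    const missing = unmetPasswordRules(pwField.value);
    pwHint.textContent = missing.length === 0 ? 'Password meets requirements'
      : 'Still needed: ' + PASSWORD_RULES.filter((r) => missing.includes(r.id)).map((r) => r.label).join(', ');
  });
  const lookup = (name) => fetch('/api/username-available?u=' + encodeURIComponent(name)) // assumed endpoint
    .then((r) => r.json()).then((body) => body.available === true);
  const userField = document.getElementById('username');      // assumed id
  const userHint = document.getElementById('username-hint');  // assumed id
  const checkUsername = createUsernameChecker(lookup);
  userField.addEventListener('input', () => checkUsername(userField.value, (name, ok) => {
    userHint.textContent = ok ? `"${name}" is available` : `"${name}" is already taken`;
  }));
}
```

Because the availability endpoint necessarily reveals which usernames exist, rate-limit it server-side like any other login-adjacent endpoint, and never treat the client-side rule check as the real one: the server must validate the password again on submit.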
5) Don’t collect everything up front.
When someone is registering for your site, what do you actually NEED from them? Username, password, email. That should really be it. If you’re doing finances or something super-important like that, perhaps SSN or account number would be appropriate. You don’t need the 100 other things you want to ask. Like address. Or favorite movies. Or anything else. Make registration for registration…not populating your entire database. Once you’ve gotten them registered, however, the sky’s the limit. Give them the ability to fill out a full profile, with picture, personal likes and dislikes, contact information, etc. You can even remind them to fill it out. Just don’t require or even try to collect it during registration unless you absolutely NEED it.
6) Track the traffic through your registration funnel.
If you’ve got a forgot password page that gets a ton of traffic (like greater than 20% of your entries), figure out why, and fix it. (Giving users better instructions around your technical problems IS NOT FIXING IT. Users don’t read.) If the “edge case” pages of your registration system are getting a bunch of traffic, you’ve done something wrong. Not everyone is going to make the perfect path through your registration and login pages. But not everyone should have trouble making the perfect path either. Follow the 80/20 rule. If more than 20% of your users can’t conform to your password requirements, maybe they don’t understand that regular expression you gave them in the instructions. 🙂
This was a quick list of tips for making registration easier for your users, not for the developer creating the pages. Applications should ALWAYS keep the user in mind, and if that makes it more difficult for the developer, so be it. You have to build it once, so that thousands (or hopefully millions) of users can register on your site efficiently and effectively.