Silicon Glen, Scotland > Web usability

How to design a website without the need for usernames that people forget

Usernames. Why do we need them to log into websites?

OK. Your pet dog is called Fido and you fancy it as a username for logging into a website. Maybe your surname is Smith or Jones or MacDonald and you fancy that instead? What about the name of the town you live in? Maybe your favourite username is your surname with your first initial? How much do you want to bet that with 50 million people on the internet that you'll get any of the above and be able to remember which one? No doubt you'll end up with Smith653 or maybe Fido94 or something memorable like JSmith123FidoNewYork. Ha! Bet noone's got that before. Bet you can't remember it though :-(

Worse, many sites restrict the username to a certain minimum length, a certain maximum length (CraigCockburn is too long for some) and force you to have a letter and a number and your name can't occur within the username and if you have a surname like mine you can't use it at all. Yes indeed, Cockburn is not allowed as a name in HotMail because of the first four characters in the surname, I have to use C0ckburn instead, as if that is going to make any difference to the pedants.

Look, lets get back to basics here. Usernames were great back in the 1970s when you connected up to a mainframe, there was no web or cookies and you used the machine to identify youself to that specific machine. These days, the equivalent use would be logging into your Internet Service Provider. However, once you're on the internet, you already have a unique ID, namely your email address. So what not use that? After all, I use my email address all the time, across multiple websites and it's unique. Why force me to have another "unique" login on a website which conforms to different rules, the memorable ones have all gone and it's something else I'm going to have to remember (or forget).

Bizarrely, nearly all of these sites have a facility to be sent your login details by email, presumably because of the problems above and so many people forgetting the strange combinations they were originally given as a username. So, you can request your password by email and even your username if you forget that, allowing you full access to the site. What's bizarre about that you ask, it sounds really useful? Well, there's a lot of sites out there who are paranoid about email and how insecure it is and why they would never send anything by email, yet there are others out there who are quite happy to send all your login details by mail and don't seem to have a problem with it. Furthermore, if you can use these details to log in, why did they bother to create a username in the first place if they have an alternate sequence for logging in by retrieving your email address and password in an e-mail? Sounds like they've just invented an addition layer of login nonsense which people had to code for the website, users are likely to forget whilst all along you still have the email address to fall back on anyway.

Now it's OK if you need a username to be able to set one up once you've logged in, eg for a chatroom, but that's a different matter - the login sequence is still memorable and the username becomes something available to you once you are logged in rather than something necessary to gain access in the first place.

OK, so you have an email address as a login. Now what? Well email addresses sometimes change and if you've studied databases past Basic Database Design for Complete and Absolute Beginners you'll know it's probably not a good idea to make something that could change into a fixed single column Primary Key. Primary keys are something which databases need to find rows in a table efficiently and are usually hard to change if you have foreign keys and aren't using cascade updates or deletes. But there's no need to burden the users of your website with that though, they just want to log in easily. So allow users to change their email addresses if they use it to access your site. Amazon does.

Logins to websites can be as simple as Yahoo, Hotmail and Amazon or as complex as many banks seem to think is necessary. Strange that the bank logins are many orders of magnitude more complex than accessing the same information to the same bank over the phone. Bit like having 100 locks on your front door but only 2 on the back door - your back door is the weakest link, OOPS. Anyway, back to those logins you were reading about. Accesing a site is only about two things - one is you claiming to be someone and the other is verifying that you are who you claim you are. It's important to realise this - the first claim is the one which will set off any lockouts if the second claim repeatedly fails. So if your bank uses usernames, and someone else tries to use yours unintentionally then you'll get locked out of your account because of their attempts. Whereas if the bank used email addresses as the first stage in conjunction with an internal username then the combination of email and username is guaranteed to be unique, you can get a username you want and it's much less likely someone will accidentally try to login as you.

So maybe the next time you have a login sequence, make it start with an email address (which can be changed), add a password and then think about additional security as appropriate. That way we're all much less likely to forget the myriad of usernames we have across different websites. And give people clues: e.g. This field has to contain a letter and a number, or Your password is at least 5 characters etc. That way the user's memory is jogged and they don't get frustrated at not being able to log in. Egg have quite a good login sequence as a rough model to follow, however their login mandates using a mouse to work the drop lists, something which may cause a problem for disability access requirements.

Craig Cockburn created this page on 25-Nov-2003 at 21:53:30