

Great password reset UIs?
January 11, 2012 6:39 AM

Please share some great user interface examples involving password setup and password reset.

We're going to be overhauling our webapp, and one of the huge UI nightmares is our password setup and password reset process. It's fairly standard, but I know I've seen better out there in the wild.

Please share any links you have to either UI guides themselves that talk about password setup and reset, or live examples of sites with great UI surrounding this process.

I'm looking for things that give users live feedback about password selection with AJAX, make it really simple to reset a password if they've forgotten it or their account is locked, potentially with e-mail verification, provide clear messages and wording, visually appealing and functional design, etc. If you've seen anything that hits on any aspect of this, please share.

If you have some startlingly bad examples, those might also be helpful in a "do not do this" kind of way.
posted by odinsdream to Computers & Internet (6 answers total) 5 users marked this as a favorite
 
Some examples from UI Patterns:

Account Registration
Screenshots of registration flow
Forgot password example

The examples are cross-linked and you can search from the home page.

Quora, "What are some great examples of a 'forgot password' UX pattern?" The Login Sequence diagram linked from the comments.

Quora, "What is the best user experience for resetting a forgotten username and/or password?"

Understanding Usability, "The password reset experience"
posted by kirkaracha at 6:57 AM on January 11, 2012 [1 favorite]


I'm a big fan of how LastPass deals with passwords, both for the site itself and the way it stores passwords for other sites.

I think the canonical example of what not to do is PayPal.
posted by dfriedman at 7:13 AM on January 11, 2012


Regarding LastPass: I appreciate their service and we use it extensively, but we're looking for UI options for a self-contained system, so no OpenID, or "Login with Facebook" or Google Apps, etc., as nice as those are.
posted by odinsdream at 7:15 AM on January 11, 2012


I found the user registration process at Rdio to be slicker than usual. In particular, it only asks you for your email address at first, and then combines the email confirmation step with the remainder of the registration.
posted by maxim0512 at 9:47 AM on January 11, 2012


Funny, just last week I noticed how slick Facebook's password reset is if you use Gmail.
posted by rhizome at 12:14 PM on January 11, 2012


For me, the canonical "doing it wrong" account management belongs to Centrelink.

At present, I can't even exercise the "register an account" function from that page because all paths through the maze end up at a "successfully logged out" page. That may change tomorrow.

Resetting your password can only be done if you have previously created at least three "security questions" (of which you can create up to twenty IIRC). Why you need three is mysterious to me; you only have to get two of them right.

Passwords must be exactly eight characters, and are checked to make sure they contain at least one lowercase character, at least one uppercase character, and at least one digit. And if you try to use something like KeePass to create these and then paste them in, you get a pop-up window about functions being disabled and your clipboard gets cleared; persist, and you eventually get the option not to be told about that again, at which point pasting starts to work. But if your new password fails validation, the anti-paste pop-up thing starts again.

And if you have created any security questions, you need to answer one of them correctly on every logon attempt. And there's a minimum-length limit on security question answers too, so it's just too bad if your first pet's name was "Rex".

Other terrible practices I've seen from other sites:

- sending emails including your password in plain text (variations: do this for initial passwords only, not for password changes; do this for "temporary" passwords after password resets; do this for password recovery, indicating that the server is holding your actual password rather than a salted hash of it).

- no way to change password after logging in - closest is a "forgot password" facility available only before logging in (Simply Energy's old web site did this).

Best account-creation facility I've ever used is Google's. About the only thing wrong with it is that the password strength meter is far, far too lenient about what it considers "strong"; there's clearly no attempt at all to derate passwords containing dictionary words.
posted by flabdablet at 5:56 PM on January 11, 2012 [1 favorite]

