16 Nov 2012

It’s always interesting to see that one of the commonest requests customers make of many companies is “I want to change my password”. Handling the problems associated with it often costs millions.

But even if you’ve automated the process completely, it still causes a huge amount of customer effort. Now that many people “work, rest and play” in the cloud, we’re using maybe a dozen sites every day and a myriad of others from time to time.

Just today I’ve used passwords on: 2 hotel chains, 3 airlines, 3 social sites, 1 blog, 2 websites, a finance system, a CRM system, 2 telcos… there’s a Xmas carol in there somewhere!

Some companies are brilliant at it – first direct for example. And you can hardly call it insecure.

The only small criticism of theirs is that the online and telephone passwords have to be different lengths. But it gets the rest right.

Whilst I evidently want protection, I want it such that my stuff isn’t protected from me. first direct shows it can be safe and simple at the same time. Here are a few of my favourite pet hates, collected as I waste effort trying to access my own stuff.

1) I want one password, not more. Consistency of passwords across channels – we’ve just covered that. Using LinkedIn, Facebook or Twitter to log in makes it easier to sign up – but where is my data going after that? You need to state that in big letters before I’d use them.

2) I want to pick my password. The formats shouldn’t restrict me from using symbols, numbers etc. Many sites require you to use a number, some a symbol and a number, so you end up with many variations. What would really help me remember is if the prompt about the required format were there when you log in, just as it is when you create the password.

3) Let me use passwords I can remember. I’ve just been made to create one with no dictionary words in it – that’s hard. Memory works on context, and something that doesn’t allow context isn’t going to get remembered.

4) Don’t make me change them every five minutes. fd lets passwords last; you don’t have to change them every month. Some are insisting on periodic changes, where you can’t reuse the last one. Luckily they don’t all do this or it’d be chaos in my brain.

5) If I lose my password, let me use ones I’ve used before. Some sites insist on fresh ones again and again, making it more and more likely you’ll lose your password.

6) Don’t add security that makes no sense. fd tells you what the supplementary questions are, instead of asking you to answer a question without knowing what the question is, let alone the answer. O2 and HSBC take note. HSBC commercial have to go on and tell you the question anyway, e.g. “Give me two letters from your favourite question.” “What?” “It might be your mother’s maiden name…”

7) Don’t ask questions the customer is highly unlikely to be able to answer without logging on first, e.g. the last two transactions on your bank account. Ask questions they can answer, like your favourite place.

I could go on, but I’m sure I should be wikipedia-ing these usability rules as they’ve been refined many times, I’m sure. And I could be googling vaults to put my passwords in.

The trouble with security is that you don’t increase security by increasing customer effort. The more layers you add, the more chance you give the customer to make it weaker: by writing passwords down, by keeping a file on their phone or computer with them all in, or by having to look them up on a screen where they might be overseen.

So as the peak buying season approaches, why not treat your security policies to a quick review à la first direct.