“Hi, my name is Werner Brandes. My voice is my passport. Verify Me.”
If you’ve seen the movie Sneakers(1992) you know this is the phrase Martin Bishop (Robert Redford) and his team of white hat hackers need to get into PlayTronics. In a wonderful bit of social engineering, they trick a scientist who works there into saying particular words so they can piece together a recording they can use to fool a voice recognition security system.
Leaving aside the pros and cons of using biometrics for security purposes, it’s impossible to deny that current technology has a user experience problem when it comes to userid and password creation. And no, it doesn’t have anything to do with long passwords vs. strong passwords1, though there are UX implications there as well.
I’m more concerned with the promises and betrayals of account creation forms and how we can improve them to create a better user experience for potential users.
Have you ever had this experience: You want to sign up for an account on some website or app. You fill in all the fields on the sign up form and submit it only to be rejected because your password doesn’t meet some criteria that weren’t listed anywhere on the form?
Now you’ve got to think of a new password, or worse yet, you have to refill all the information on the form?
I’m pretty sure you have, and the reason is most account creation forms are hopelessly broken from a user experience stand point: they make a promise (that you can have an account) but base fulfillment of that promise on unspoken criteria (hidden userid or password creation rules).
I want to look at a few examples from an admittedly very small sample set (sites I use on a regular basis) to highlight what’s broken, what can be better, and show how it can be done well.
Doing It Not So Well
The New York Times doesn’t provide password creation rules on their relatively simple sign-up form.
While they encourage social sign-up by presenting those options prominently, there’s no guidance here for a user who doesn’t have a Facebook or Google account, or who doesn’t want to hitch those accounts to the New York Times.
They also fail at error correction. Instead of providing correction in context, the Times site takes you to an entirely different page when you try to create an account with a password choice that doesn’t meet their rules.

Why this isn’t so good: Dislocating me from the context I was in when I tried to sign-up and forcing me to process where I now am in addition to the rules you want me to follow makes me think way too much for a simple sign up process.
Doing It Slightly Better

Account creation at Slate.com seems pretty straightforward…until you realize your super simple password doesn’t meet their criteria.
How do you know?
You entered it into the box and the form fussed at you that it was too short, something they don’t tell you until you’ve clicked out of the password box into the password confirmation box.
Why this is better: They provide this information in context, which helps with the user experience.
Even better UX would have been providing the information in the open before the user started to type.
Doing It Right


Apple does conveying password rules well.
They are clear, straightforward, and in context. Apple goes one better to improve the user’s experience by adding functionality that guides the her toward a password that meets the criteria by providing contextual feedback as she types the password.
You know who else does this in a way that meets basic usability criteria, and with maybe a little less style? Microsoft. Yep, that’s right.
[Insert Windows vs. Mac dogmatic argument here…I’ll wait…No…really, go ahead.]
The principle to follow here: simple and obvious often make for a better user experience.
Does a form look prettier without that helper text below the password or near the userid creation box? Maybe, maybe not.
But is user satisfaction worth sacrificing to make a form look marginally nicer? Probably not, especially if you’re trying to convert the casual user to a paying customer at some point in your relationship with him.
Think about how that satisfaction problem cascades:
- The user has to create a second password (and maybe fill in the form again depending on implementation)…
- this means it’s probable that the user will have trouble remembering that second password because in his mind he’s already fixed an association with your site with the first password he chose…
- which means that it’s likely the user will at some point have to interact with your password reset process…
- and what’s the user experience on that like?
The takeaway: if your forms have submission criteria, whether it’s for userid creation, password creation, or anything else, provide those guidelines to users in the open, in context so they know them before they start interacting with the form.
1 From Ars Technica: Password complexity rules more annoying, less effective than lengthy ones
Featured image: Abracadabra from Taleas.com, Copyright 2016 – Seth Black.