Thursday, May 05, 2005

Usernames are not Passwords

Why do places insist on applying complexity rules to usernames, in lieu of applying them to passwords? That is just stupid.

I'll let you in on a little secret: making me have an 8 character username with an upper-case and lower-case letter, a number, and a special character does no good if my password is "steve".

All you've accomplished is making sure that the user has to write down their username, instead of their password, in order to sign into your site. And no one is trained to protect their usernames, only passwords. And most people aren't even good at that.

So, assuming I don't write the username down, and don't let the browser remember it for me, that just means I have to click the 'I forgot my username' link once a year when I want to use your site, because I forgot that on your site only my username is $tupidS1te, instead of a normal username that is good enough for banks, health information, paying my bills, and everything else on the Internet.

Except when I follow that link and answer the 'validation question', you're experiencing technical difficulties and can't send me the username. Congratulations, your site is so secure even the legitimate user can't use it.

If Password Corral didn't exist I would never be able to login anywhere.
