I think the terminology you use is confusing two separate concepts out there.

First is the "password hint."  This is typically a phrase that will
jog one's memory of one's actual password, like "my first dog's name
with a hyphen in the middle."

Second is a "secret question and answer."  This is typically used to
let a user reset his password when it's forgotten, and will often be
coupled with an e-mail message sent to the address tied to the
account.  The security community has roundly rejected this practice --
all you're doing is letting your users have an insecure password.

http://www.schneier.com/blog/archives/2005/02/the_curse_of_th.html

A great deal of people could find out my mother's maiden name,
father's middle name, etc., and at least 30 classmates of mine know
who my first grade teacher was.  When it's coupled with e-mail, it's a
bit safer, since you'd also have to intercept my e-mail account to
confirm the change.

I work with personal health data, so we try to be very careful with
account security.  If you're designing a system that won't hold any
sensitive information, a weak security scheme probably won't raise any
red flags.

-Jon



On Thu, Jul 10, 2008 at 10:02 AM, Paul Trumble <[EMAIL PROTECTED]> wrote:
> Steven,
>
> We had a form like that for several years where we only asked for the
> password once.
>
> For a username we required an email address.  I had it changed to include a
> second box for confirmation, but the reason had nothing to do with typing it
> incorrectly.
>
> I observed multiple instances in usability tests where the participant
> interpreted it as asking for the password to their email account, which
> caused tremendous abandonment of the process.  We had always assumed
> abandonment at this point was due to the email requirement, but a
> substantial portion was because of the password.
>
> So we added a second password field which we think clarifies that we would
> like them to create a password in relation to our site, and the data backs
> that up.
>
> I don't know if you will find the same issue with a user-created username,
> but since most people have usernames on multiple sites that might be the
> case.
>
> I'm not a big fan of being a trailblazer, particularly when it's something
> like a registration where the user will have very little experience with
> your site.  The more you can use their experiences on other sites to give
> context to yours, the better off you are.
>
> Paul Trumble
>
>
>
> --
> The truth is more important than the facts - Frank Lloyd Wright
>
> http://www.trumbling.com/
> http://www.flickr.com/photos/paultrumble/
> ________________________________________________________________
> Welcome to the Interaction Design Association (IxDA)!
> To post to this list ....... [EMAIL PROTECTED]
> Unsubscribe ................ http://www.ixda.org/unsubscribe
> List Guidelines ............ http://www.ixda.org/guidelines
> List Help .................. http://www.ixda.org/help
>