follow me on Twitter
StarF*#ked. (or, how not to handle forgotten password recovery flow during a massive promotion)
to whomever can promise i never have to enter forgotten password flow ever again:
(screen capture while trying to register my acct/card to get free wifi @ Starbucks)
thank fuck you very much, Starbucks.
ps - i used to work at PayPal for three years, and we dealt with this same painful bullshit every single goddamn day. and it was TOTALLY our fault, not the users. yes they're dumb as doorknobs, but so were we: our acct creation flow & password recovery flow sucked ass.
so does Starbucks. so does everyone's.
i will say it again: mainstream america's #1 problem is NOT
very subtle difference, but understanding that subtlety and all that lies therein is the first step towards designing the appropriate solution.
Man, I can only give you my condolences. I talk to teens almost every day about tech and they would agree (and have even fewer brain cells to dedicate to the process).
They don't get why they have to enter the same info across all devices. They just want to sign in once regardless of what device they are using.
Yet, if we allowed it, I am sure they would sum up the problem as you did. Quite eloquent. Sometimes that word does just say it all.
Posted by: Jen Carole | Tuesday, June 03, 2008 at 09:25 AM
Eloquently put.
I essentially agree with you, which is why we need to work on solutions that obsolete password entry altogether. They're a holdover from days past. And when we talk about OpenID, nowhere does OpenID specify how you do authentication, it only specifies the protocol for making a claim.
Therefore, it may be part of the solution, it may not be. At least companies (like my new employer) are experimenting with different, possibly more benign, means of authenticating.
I agree through, the Starbucks experience is retarded.
Posted by: Chris Messina | Tuesday, June 03, 2008 at 09:25 AM
Totally agree. Especially after spending hours trying to get back into Yahoo for the first time in about 2 years, simply because they merged the login with mybloglog.
Posted by: Dan Thornton | Tuesday, June 03, 2008 at 09:44 AM
hilarious. and well put.
Posted by: Stacy O'Connell | Tuesday, June 03, 2008 at 09:51 AM
As someone who has changed password algorithms so many times, I just stand up and cheer for you. Go Dave.
Posted by: Brad Feld | Tuesday, June 03, 2008 at 10:49 AM
too bad they don't support OpenID sign ins, then you could have signed in using an existing account that you already have, without having to remember yet another username and password.
Posted by: atom | Tuesday, June 03, 2008 at 11:01 AM
So which website does it right? Send an example and I'll do it on our site at least...
Posted by: sprfrkr | Tuesday, June 03, 2008 at 11:22 AM
You probably already know this...BUT...AT&T has taken over Starbucks WiFi, which means if you were able to access with, say, T-Mobile, that account will no longer be available.
If you have AT&T (or Bellsouth.net) email or a $59.99 wireless data plan or higher, use your login for that and you should be good to go.
Posted by: TeddGCM | Tuesday, June 03, 2008 at 12:19 PM
So many developers forget to design applications for when things go wrong.
Posted by: Nick Gonzalez | Tuesday, June 03, 2008 at 12:29 PM
I use the same password for all sites that don't involve being able to get to my money. Why not?
Posted by: John Cowan | Tuesday, June 03, 2008 at 02:29 PM
Ditto sprfrkr, who does it well?
What are some answers? Here's a start:
+ NOT OpenID
+ no non-standard usernames
+ tell user if the username is an email or not
+ no non-standard password rules (i would be satisfied with 6+ alpha-numerics for just about everything)(6+ alphas ok for weak?)(8+alpha-numerics ok for strong?)(no capitals, no special chars)
Posted by: pwb | Tuesday, June 03, 2008 at 03:36 PM
what about sxipper http://www.sxipper.com/welcome
Posted by: tom | Tuesday, June 03, 2008 at 04:00 PM
And this is exactly why I've been using Passpack for a year. If they had a mobile version, I'd totally marry them.
Posted by: Cyndy Aleo-Carreira | Tuesday, June 03, 2008 at 04:33 PM
What's my login to this damn blog again??
Posted by: dorf | Tuesday, June 03, 2008 at 05:31 PM
Very expressive post eh? Either way, you have a point. We feel your pain!
Posted by: Social Marketing Journal | Tuesday, June 03, 2008 at 06:22 PM
I might be wrong at why you're pissed off, but it seems like the error messages might be intentionally vague so as to reduce the ability for attackers to guess usernames.
Posted by: Greg | Monday, May 04, 2009 at 09:29 PM