My Photo

Pages

Recent Posts

Categories

« AppNite Geek Discount for Graphing Social Patterns East (DC, 6/9-11) | Main | World of Wifecraft »

Tuesday, June 03, 2008

StarF*#ked. (or, how not to handle forgotten password recovery flow during a massive promotion)


StarFUCKs.
Originally uploaded by davemc500hats

to whomever can promise i never have to enter forgotten password flow ever again:

PLEASE ENSLAVE ME NOW

(screen capture while trying to register my acct/card to get free wifi @ Starbucks)

thank fuck you very much, Starbucks.

ps - i used to work at PayPal for three years, and we dealt with this same painful bullshit every single goddamn day.  and it was TOTALLY our fault, not the users.  yes they're dumb as doorknobs, but so were we: our acct creation flow & password recovery flow sucked ass. 

so does Starbucks.  so does everyone's.

i will say it again: mainstream america's #1 problem is NOT

"data portability" or some mistaken notion of privacy management or keeping my personal info out of the clutches of Microsoft, Facebook, Google, or anyone else.

rather, it's:

"fuck, i forgot my password". 

very subtle difference, but understanding that subtlety and all that lies therein is the first step towards designing the appropriate solution.

Posted by on Tuesday, June 03, 2008 at 08:41 AM in Dave, Friends, Family, Fun, Funny, Silly, Geeks, Tech, Startups, Marvelous Marketing, Social Networking & Social Media |

Tags: data portability, forgotten, password, paypal, starbucks

|

Comments

Greg

I might be wrong at why you're pissed off, but it seems like the error messages might be intentionally vague so as to reduce the ability for attackers to guess usernames.

Posted by: Greg | Monday, May 04, 2009 at 09:29 PM

Social Marketing Journal

Very expressive post eh? Either way, you have a point. We feel your pain!

Posted by: Social Marketing Journal | Tuesday, June 03, 2008 at 06:22 PM

dorf

What's my login to this damn blog again??

Posted by: dorf | Tuesday, June 03, 2008 at 05:31 PM

Cyndy Aleo-Carreira

And this is exactly why I've been using Passpack for a year. If they had a mobile version, I'd totally marry them.

Posted by: Cyndy Aleo-Carreira | Tuesday, June 03, 2008 at 04:33 PM

pwb

Ditto sprfrkr, who does it well?

What are some answers? Here's a start:
+ NOT OpenID
+ no non-standard usernames
+ tell user if the username is an email or not
+ no non-standard password rules (i would be satisfied with 6+ alpha-numerics for just about everything)(6+ alphas ok for weak?)(8+alpha-numerics ok for strong?)(no capitals, no special chars)

Posted by: pwb | Tuesday, June 03, 2008 at 03:36 PM

John Cowan

I use the same password for all sites that don't involve being able to get to my money. Why not?

Posted by: John Cowan | Tuesday, June 03, 2008 at 02:29 PM

Nick Gonzalez

So many developers forget to design applications for when things go wrong.

Posted by: Nick Gonzalez | Tuesday, June 03, 2008 at 12:29 PM

TeddGCM

You probably already know this...BUT...AT&T has taken over Starbucks WiFi, which means if you were able to access with, say, T-Mobile, that account will no longer be available.
If you have AT&T (or Bellsouth.net) email or a $59.99 wireless data plan or higher, use your login for that and you should be good to go.

Posted by: TeddGCM | Tuesday, June 03, 2008 at 12:19 PM

sprfrkr

So which website does it right? Send an example and I'll do it on our site at least...

Posted by: sprfrkr | Tuesday, June 03, 2008 at 11:22 AM

atom

too bad they don't support OpenID sign ins, then you could have signed in using an existing account that you already have, without having to remember yet another username and password.

Posted by: atom | Tuesday, June 03, 2008 at 11:01 AM

Brad Feld

As someone who has changed password algorithms so many times, I just stand up and cheer for you. Go Dave.

Posted by: Brad Feld | Tuesday, June 03, 2008 at 10:49 AM

Stacy O'Connell

hilarious. and well put.

Posted by: Stacy O'Connell | Tuesday, June 03, 2008 at 09:51 AM

Dan Thornton

Totally agree. Especially after spending hours trying to get back into Yahoo for the first time in about 2 years, simply because they merged the login with mybloglog.

Posted by: Dan Thornton | Tuesday, June 03, 2008 at 09:44 AM

Chris Messina

Eloquently put.

I essentially agree with you, which is why we need to work on solutions that obsolete password entry altogether. They're a holdover from days past. And when we talk about OpenID, nowhere does OpenID specify how you do authentication, it only specifies the protocol for making a claim.

Therefore, it may be part of the solution, it may not be. At least companies (like my new employer) are experimenting with different, possibly more benign, means of authenticating.

I agree through, the Starbucks experience is retarded.

Posted by: Chris Messina | Tuesday, June 03, 2008 at 09:25 AM

Jen Carole

Man, I can only give you my condolences. I talk to teens almost every day about tech and they would agree (and have even fewer brain cells to dedicate to the process).

They don't get why they have to enter the same info across all devices. They just want to sign in once regardless of what device they are using.

Yet, if we allowed it, I am sure they would sum up the problem as you did. Quite eloquent. Sometimes that word does just say it all.

Posted by: Jen Carole | Tuesday, June 03, 2008 at 09:25 AM

The comments to this entry are closed.