Here’s a thing: all software vendors and all websites assume they’re at the centre of your universe. Most of them are wrong. Why do I say this? Because they make it so astonishingly difficult to use their products and services infrequently.
Observation 1: software updates
If you use a given computer, or other device, every day then keeping it up-to-date is a manageable, if irritating, chore. If, on the other hand, you use it once a month, or once a quarter, it’s more of an issue. The problem isn’t only the appalling bloat in software that means – for example – that the last time I picked up a spare laptop it had 3.2Gb of updates pending for Microsoft products alone; it’s the insistence that you update before you can use the product. It was working before; why can’t I choose whether to update it? If you have to, make me agree that it’s my risk. Tell me I can’t call for support if I don’t update. Fine. But don’t make me late for a meeting, or a train, because I assume I can just pick up a tool and use it. And for Pete’s sake – if you do insist I update, work this out before you let me do anything. Don’t let me get all the way there, then tell me I need to update.
Observation 2: password policies
I’ve blogged about this before. But it’s getting ridiculous.
Firstly, if you run a web shop, don’t make me set up an account before I buy something. Maybe I’ll never need to buy anything from you again. Maybe I just won’t want to. I don’t have to have a loyalty card to shop at the grocery store. Why is this a problem? Because the next time I use your store – six months later – I have to remember whatever password it was I came up with last time. And I can’t. I can’t set up another account, because like good little acolytes of Codd you’re using my email address as a unique identifier. So I ask for a password reminder. Which eventually sends me a link to reset my password. So I do. Which also resets my basket; or it expires because it took you so long to send me the password reset email in the first place. So now I’m back to square one.
Secondly, if for some reason you choose to ignore this advice, don’t use password complexity rules designed to protect the crown jewels. Why do people do this? “Your password must be at least eight characters long and must include at least one upper-case letter, one number and one special symbol”. To protect what? The fact that I once bought £3.50 worth of lightbulbs and had them shipped to my house? Why? My address is a matter of public record. My taste in lightbulbs is uncontroversial. The world is full of people tweeting every intimate detail of their lives – why are you working so hard to protect my shopping habits? It just guarantees that I will either write the password down somewhere – rule #1 of password no-nos – or use the same password everywhere – that’s rule #2 – or forget it. Unless you’re storing my credit card details – in which case, why not offer me the option not to have those details stored? – or there’s really good reason to assume that hacking my account would be a worthwhile activity, why not just allow simple passwords? Or use passphrases, like sensible people do. Or just don’t require me to have an account at all.
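To put numbers on the argument above, here is an added example (not the post's own code): the quoted complexity rule and a plain passphrase rule written as checkers, plus the entropy each policy buys when the secret is actually chosen at random. The 94-character printable-ASCII alphabet and a 7776-word list are assumptions.

```python
import math
import string

# The rule quoted in the post: at least eight characters, one upper-case letter,
# one number and one special symbol.
def meets_complexity_rule(password: str) -> bool:
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )

# The passphrase alternative: a minimum word count, nothing else demanded.
def meets_passphrase_rule(passphrase: str, min_words: int = 4) -> bool:
    return len(passphrase.split()) >= min_words

def password_entropy_bits(length: int, alphabet_size: int = 94) -> float:
    """Entropy of a password of `length` characters drawn uniformly from
    the printable ASCII set (assumed 94 symbols). This is an upper bound;
    a pattern like 'Password1!' passes the rule but is far from uniform."""
    return length * math.log2(alphabet_size)

def passphrase_entropy_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly from a 7776-word list
    (the size of a diceware-style list; an assumption)."""
    return words * math.log2(wordlist_size)

def compare_policies() -> dict:
    """Minimum-compliant secret under each rule and the entropy it gives."""
    return {
        "complex_8_chars_bits": round(password_entropy_bits(8), 1),
        "passphrase_4_words_bits": round(passphrase_entropy_bits(4), 1),
    }

if __name__ == "__main__":
    # Constructed samples: the first satisfies the complexity rule despite
    # being a predictable pattern; the second fails it but is a sound passphrase.
    print(meets_complexity_rule("Password1!"), meets_passphrase_rule("Password1!"))
    print(meets_complexity_rule("correct horse battery staple"),
          meets_passphrase_rule("correct horse battery staple"))
    print(compare_policies())
```

A four-word passphrase from a 7776-word list lands within a bit of a fully random eight-character complex password, which is the point the post makes about passphrases being the sensible option.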
Security is expensive. It takes time and effort on the part of the provider, and demands time and effort from the user. Don’t waste your time, and mine, on providing the appearance of security in defence of largely worthless data. I’ll be much more reassured if you use simple passwords, but have proper SSL certificates, a fully patched web server and encrypted databases. Hello, eBay – encryption of user data – that’s a thing now, right? Don’t try to push the responsibility for security onto the user.