How much of this can a well-read usability professional take before she goes on a rampage, tearing down buildings?

There is an email from my HR system. Someone uploaded a document into my file. I get an email. The document is identified by a code name that means nothing.

I have to log in to see it.

Except the system doesn't use my user name, my badge number, or my social. It uses a special unique login.
To get that user id, I have to put my name and social into another page (which they give the URL for, but do not actually link to).

So I go get that.
And am, of course, asked for a password. A password I haven't seen or used in 11 months. A password for which the page gives no rules about what it might be.

So I ask for a new one.

Here's the email I get back:

-----Original Message-----
From: satan@wehateyou.com

Sent: Tuesday, October 09, 2007 11:20 AM
To: Me
Subject: New Password Request Notification
Your new Password is as follows:

Please log in using this new password. Once logged in, you will be prompted to change this password to a password of your choosing.
The new password must be at least 8 characters in length, contain an upper case letter, lower case letter, a number, and a special character.
If you have questions or problems please email them to satan@wehateyou.com.

Yes, that's right. In order to use this system once a year, I am expected to memorize a code number for my login that is 8 digits long, as well as a unique password that is 8 characters long, has a capital, a little letter, a number AND a special character.

And the security industry wonders why people write this crap down on post-it notes????

Anonymous said...

That's not a security problem, that's an identity management problem. If they had the system set up to share identities with an authoritative LDAP source, you wouldn't have to remember a million passwords.

In the meantime, may I recommend to you the free tool that everyone should have on their computer?


Yet Another Girl said...

a) Our enterprise security rules forbid the use of password collection tools. And really, they should, IMHO.

b) This is a case where time and time again you see designers not standing up and saying, "This system will be impossible for our users. We MUST find a way to make a secure system that also takes the users into mind."

The particular systems I've posted about, to a one, feel, as a user, like there is no concept of user needs at all (they didn't even use an href on the link to get the user name!).

As designers and managers we fail when we allow security to run roughshod over the process without asking intelligent questions (like: isn't 3 of the 4 character types enough?) back.