 |
A project to make businesses more aware of their customer experience, and how to fix it. By Mark Hurst. |
| About Mark Hurst | Mark's Gel Conference | New York Times Story on This Is Broken | Newsletter: Subscribe | RSS Feed |
Search this site:
Categories:
- Advertising
- Current Affairs
- Customer Service
- Fixed
- Food and Drink
- Just for Fun
- Misc
- Not broken
- Place
- Product Design
- Signs
- Travel
- Web/Tech
Previous: Construction site sign | Main | Next: Fire extinguisher placement
June 2, 2006 12:03 AM
Broken: Lowe's password retrieval
A reader named Max points out:
Since Lowe's changed their online credit payment system to include these requirements: "must be between 8-15 characters, must contain at least 2 numbers, and the numbers cannot be at the beginning or at the end," I forgot my new impossible to remember password.
When you click on "forgot password" it takes you to the secret question page. You enter your answer and then it tells you the user name is required. What is broken you may ask?
Well I had entered my user name on the preceding page but that information isn't passed to the secret question page and nowhere on the secret question page is there a field to enter your user name.
Also I can't reset my password without knowing the old one.
Not broken -- those credit cards charge too much interest, so you are being discouraged from using them.
/me ducks
Now seriously, my hypothesis is that this is an over-reliance on cookies. I'm thinking that they wanted a cookie to carry the information forward from the previous page, and that you may have blocked some or all cookies.
Even if that is the case, it is still broken. If it wants cookies to be enabled, it should say so.
Broken
The Secret Question page must have a secret user name field, which can't be accessed without the ancient code that's hidden in the Mona Lisa's smile
And what is with all these requirements for your password... hate that
I think the most broken thing here is the excessive requirements for the password. 8-15 characters with numbers that can't be at the beginning or end is really hard to remember.
I once was using something that required punctuation in the passwords, not just numbers (like you had to add an ! or something), has anyone else come across this requirement?
I think the most broken thing here is the excessive requirements for the password. 8-15 characters with numbers that can't be at the beginning or end is really hard to remember.
I once was using something that required punctuation in the passwords, not just numbers (like you had to add an ! or something), has anyone else come across this requirement?
alcas, i once had a password that required at least one capital letter, at least one lowercase letter, at least two numbers, and at least one of the symbols on the number row. it was for my college email. because, you know, i really need to make sure no one else sees the email telling me class is cancelled.
Everything you mentioned is broken except this:
Also I can't reset my password without knowing the old one.
That's standard practice -- that's what prevents someone from happening upon an unattended computer and changing a password for their later use. Even Unix and Windows require the current password to enter the new password.
Yes, normally knowing the old one to change it is good security. The problem is when the old one is forgotten and you use an alternate system to get in. Most such systems change the password to something random and tell you what they changed it to but if the alternate simply lets you in you're forever stuck using the alternate.
Even Unix and Windows require the current password to enter the new password.
--rich
Though you need to know your password to change it in Windows (XP), you can change any other user's without knowing the old one.
The few times I have had to use the alternate access for any software, I was asked immediately for a new password before it would permit me to log on, but the software required the old password only for changing the password while already logged on.
I like the questions like "What is your favorite movie" or television show or singer or something that can change on a day to day basis. Yeah, I'll really recall what I entered for that 8 months later.
Web systems typically *don't* require an old password because you can't just call up the sysop and get it reset if you've forgotten it. The secret question is to allow self-service in retrieving/resetting your password.
RE: burden of password complexity. It does seem pretty crazy, though if they allow you to store your credit card in their system you should be happy they make it difficult.
An easy way around the numbers rule is to type your commonly used password in 1337-speak, for example if your password was 'thisisbroken' instead you would be like '7h1515br0k3n'
if they allow you to store your credit card in their system you should be happy they make it difficult.
I think the problem is that it's too difficult for anyone to remember. I've got a pretty secure password that I use, but I stumble across sites that put various, bizarre restrictions on it. (For a while my bank required that my password be 6 characters long. No more, no less. They eventually got a clue, though.)
Someone high-up in the software world ran a piece a while ago arguing that stupid rules like these really don't help, because it just causes people to use bad passwords.
"Though you need to know your password to change it in Windows (XP), you can change any other user's without knowing the old one.
... which in itself is broken."
No it isn't.
Standard users need to know their password if they want to change it (if they're even allowed to change it). *Administrators* can change another user's password without knowing what the password is, which makes perfect sense since Administrators are the ones managing the whole system. How else would a password get reset when a user inevitably forgets it? Besides, if your administrator can't be trusted with that kind of power then you've probably got bigger problems, anyways (though randomly changing users' passwords would likely create the biggest headaches for the administrator themselves).
If you're able to change another user's password then the account you've logged in with must have administrative privileges, and if you typically run your computer that way then that's what's really broken.
*I once was using something that required punctuation in the passwords, not just numbers (like you had to add an ! or something), has anyone else come across this requirement?*
Similar to the college email accout, I had an email address as a temp for a large office supply company that required numbers, letters and symbols- at least 1 of each 7+ characters, I think.
The tech guy resolving a printer problem had the gall to look at me funny when I told my password was something like k1ngm4ker&&. Actually, he had the gall to ask my passowrd and not use his login!
Comments on this entry are closed
Previous: Construction site sign | Main | Next: Fire extinguisher placement
Wow the internet just isn't what it used to be
Posted by: Manny at June 2, 2006 12:13 AM