Your website should stop doing this right now (pt. 1)

The horrors you are putting your users through

Goran Peuc


Design is already playing a great role in creating digital products, and by design I do not mean hey, this button looks cool and shiny, I mean how stuff works. Of course, pretty websites and apps are better for the end user (thus for the owner), but from what is obvious if you spend some time on the magical internet there are horrible practices still being implemented all over the place.

Someone didn’t get the memo that design is not only about shiny pixels.

The biggest offenders are:

1. Asking people to correctly enter credit card number.

This one makes me insane as soon as I see it. Various web shops, payment gateways, and basically anyone dealing with credit card information will routinely ask the user to enter credit card information in a way that suits the logic of the web site. Yes, you got that right, developers of the site force the user to understand how the backend logic of the website works.

My favorite is PayPal’s message:

Remember to enter your card number without any additional spaces, dashes or other symbols.

Or what, mister clever programer who implemented this? You will not validate credit card if I space the numbers with some character? Because it is so hard to perform a simple check of the whole string that I entered, remove all the unwanted characters and just use numbers? That is the level of programming knowledge you learn in Kindergarten these days.

Stop asking people to correctly enter credit card number. Take whatever they wrote, remove all unwanted characters, and use the number you are left with.

While we are at credit cards, stop asking people to first select card type. I know it looks like I am picking at PayPal, but here is the screenshot of their Add Credit Card process start:

How about no?

Yeah, how about I do not do that first? Credit card type can easily be figured out as soon as you start typing the credit card number. Visa cards start with 4, MasterCard starts with 51 through 55, etc.

Stop forcing the user to do your work.

2. Asking people to create complex passwords.

I can see half of you (especially the programmers) rolling your eyes now.

Pffff, but complicated passwords are safe, are you stupid? You must be a designer or some other lower form of life…

No they are not, shut up. It is the length of the password that makes safe password, not complexity.

Complex password is the one where silly developers ask the user to enter something like one upper case letter, one number, and sometimes even one special character. In their minds, this for example is a secure password:


It has a number, two special characters (minus and exclamation mark), and one upper case letter. Let’s do basic math now.

In each slot we can put 52 letters (upper + lower case), 10 numbers, and about 12 commonly used special characters. That is 74 different options for each slot. Hell, let’s round that up to 80.

By forcing the user to enter a minimum of 7 characters, this gives us a minimum of (80ˆ7):

20 . 971 . 520 . 000 . 000

password variants.

Now, let’s see what “insecure” password would give us. Say we allow only upper and lower case letters but we increase minimum by one, to eight characters. In each slot we can put 52 characters, this would give us (52ˆ8):

53 . 459 . 728 . 531 . 456

See? 53 trillion versus 21 trillion. A password which is easy to remember because user does not have to fiddle with pesky characters is actually safer and harder to brute-force hack.

This by comparison is safer & harder to penetrate:


Furthermore, enforcing complex passwords will make them extra unsafe because users tend to write such passwords down. Let’s be honest, every ordinary user has a set of passwords (Ha! I said set! More like one…) that they use constantly. Yes, that is not safe. Yes, that is even a bit stupid. But yes, that is how people use the internet. As long as we have password as a locking mechanism, that is how it is going to be. When you force the user to enter a password which is completely out of their comfort zone — it will be written down. So by making your website “safe” (and math shows us even that is not true), you make it double unsafe. Stop that.

Oh, you have a clever idea to force users entering long and complex password? Good luck with that.

Besides, the main way some malicious person will get to the passwords will not be by brute forcing or doing some hacker-movie-style-Matrix-code thing. It will be either through Social Engineering (where dumb users basically just give away their password) or by acquiring entire website’s database, including passwords and email addresses. Do the back-end implementation of security good, and do not pester the users with complex passwords.


After a storm of comments regarding how wrong I am about “yourmomah” and how this is all nonsense, allow me to retort.

First, it seems that only a few got the joke about yourmomah being hard to penetrate. I guess my jokes are too subtle, I should use something more obvious next time.

But secondly, more importantly, here is a comment from one of the enthusiastic security people. Not that there is anything wrong with being enthusiastic about security.

From the notes.

And exactly there lies the problem. Developers taking security too far stating that password should be something you cannot remember. Do you understand how messed up is that? Making a website that follows that rule would make it impossible for the 99,99% of the internet population to even register, let alone come back to that website.

There is about 200 people on the whole internet who can never forget X0!pS92MFs;… type of password and generate dozen of those. That is not how people use the internet!

Folks, regular people, like your parents, and complete computer illiterates use the internet daily. They actualy make the bulk of it. Let’s make their everyday use of the internet simpler and frictionless, and at the same time deal with security on our side — the developer side. Like preventing entire databases to be stolen.

Furthermore, this does not say that we should stop enthusiastic people from using insane complicated passwords. By all means, type a 40 character random string if you are so paranoid, it is up to you! But let the old grandpa purchasing Christmas present for the first time on some online shop use “ilovemygrandson” as a password. Why make it complicated for him and deny him with errors Wrong password, you need one capital letter, and then Wrong password, you need one number, and then Wrong password, you need one special character,…

The frustration of using the internet comes from small pieces, it is a death by a thousand cuts. Account generation and with it password generation is the first of those cuts. Stop pestering the user!

Request: could someone actually run a Dictionary attack on “yourmomah” and post results? How long does it take?

3. Asking people for “Username”.

The registration form on majority of the websites still asks for the dreaded Username, and then asks you that Username (plus password) when you log in. At the same time, those same websites ask for email as well, because they will use email most likely to activate the account.

The process is usually like this:

  1. Create account by entering Username, Email, Password, Repeat Password for safety.
  2. Email is sent to the entered email address.
  3. User clicks a link that was sent to that email address’ inbox, and that activates the account.
  4. User logs in into the website.

But hold on mister, why not just use email address as identifier? Why use Username? Exactly! Email address is the only identifier any website needs to distinguish individual users and to serve as a log in mechanism pair. Username creates an additional complication during account creation process as users have to figure out yet another thing, and of course most usernames are already taken. You thought Neo, or Z3roCool are available? Guess again.

By using email address as an identifier the process of registration shortens dramatically because users know their primary address by heart, and the uniqueness of the identifier is offloaded to the email providers (Gmail, Yahoo, private domains…). They are the ones making sure there are no two same email addresses on their domain.

But my website needs Username as we display it next to comments or similar user-generated content!

Then ask the user to enter nickname at the moment that user engages into active contribution. The classic breakdown of user interaction is 1-9-90, meaning 1% of users frequently generates content and interacts with site, 9% occasionally do so, and 90% just lurk and never contribute. Twitter, the most popular fire’n’forget user generated website has 40% of users which just read Tweets and never write.

Stop asking people for Username at the point of registration.

4. Redirect people to the mobile version of home page of your website when they click deep link.


This is the most common I-have-a-mobile-website mistake. People share a link to an interesting article on Facebook or Twitter, you see it on your phone and tap the link, and you end up on the home page of the mobile version of that site. For a second you go “Wait, what, where is the article I clicked on?” then you go back to Facebook/Twitter, and tap the link again. Again you land on the home page of the mobile version, again.

And then you give up.

What usually happens is that a friend of yours shares a link using desktop version of the website, something like and then you see that post using mobile app. Tapping on the link, you are taken to the website, website figures out you are on mobile phone, and then for some absolutely stupid reason throws you to the removing the deep link which would take you to that article.

The stupid reason can be:

  1. Mobile version does not follow the same URL structure as “regular” version, so does not actually give you anything meaningful.
  2. In the process of detection and redirection server forgets the rest of the URL. Because programmatically remembering things on the internet is apparently tough.
  3. Someone made a retarded decision and just said “Hey, let’s throw the user to the mobile home page, they will like that”. No they won’t.

No. Stop that. A user clicking a link to a deep content of your web site should always, imagine this … get to see that content! How to do that is irrelevant — creating responsive website, making mobile and standard versions have same URL structure, using magic and fairy dust — as long as the result is people actually seeing the article they clicked on.

Let’s make the internet less frustrating. Please.
Unicorns & rainbows.




Goran Peuc

Director of UX design at SAP Dublin, Ireland. @gpeuc