GEEKERY  
ADVENTURE  
CONTEMPLATION  

20090908

accounts - what's the point?

I was traveling by plane this weekend, spending 13+ hours in those delightful vehicles. We (boy and self) had picked AirTran and the ghastly SF to Atlanta to Boston route in order to save on money. Such is life.

The planes, we discovered, had Gogo inflight wireless, which despite having a terribly nondescriptive name, was interesting. For an entire flight, the cost was just under $6, which would be great for really long flights, but since we were taking smaller hops, it didn't make sense. And I never like paying for wireless anyway, so I didn't want to buy it on principle.

Curious, I tried to access the internet, and was met with a Gogo screen, with login, prices, etc. Pretty standard. Bored, and with a lot of free time on my hands, I attempted to log in as someone else. Login name: jsmith. Password: password. (When I worked IT, I'd say 1/3 the people used "password" as their password...sad and scary, but that was also 4 years ago). Expectedly, the login failed. So I clicked the "Forgot your password?" link. Given the situation, they couldn't email the new password, so I was hopeful.

I was met with a question, "What was the name of your first pet?" Fluffy, Spot, Fido, Rover, Jimmy, Sally, Bob. No dice. I started again with Login name "jdoe," and I was met with an even harder question, "What was the name of your first school?" Way too many permutations on that one. Then Naychay had the bright idea to check to see if the system gives you questions even for bogus logins. He tried "etuiyiqwt5xxx," or something to that effect, and it didn't register, which is good news for us.

This time I tried ksmith. The question: "What city were you born in?" Luck at last. People tend to say large cities instead of suburbs, so I began to guess. Atlanta, Boston, San Francisco, Los Angeles, New York, Chicago. The last one gives us a reset password menu. And we're in business. Setting the password to password (whaddyaknow?), I explored around. By the way, I'm sorry ksmith, but you'll see below why you shouldn't be too worried or offended.

I had no intention of using the account if there were, say, credit card numbers linked to it; I just wanted to crack the system to see if I could. But there were no real account settings at all. Other than the user name and password, it appeared that Gogo didn't stash anything else. You had to re-enter credit card info every time you used the system, and there was no place to edit or view settings. My conclusion: there was no motivation for users to create an account. Perhaps Gogo used the info to track use, but it would just be an annoyance to users to need to log in. And if anyone tries to make an argument that it makes Gogo more secure, I can't wait to hear your opinions on using a sheet of paper as a shield against a bullet.

I've seen so many websites or systems that require users to set up a login, and then don't offer any additional convenience to users when logging into the system...at least other than not needing to create an account each time, which many of them probably end up doing anyway. I think Amazon and many others got it right when they allow you to check out as a guest, and offer the convenience upon logging in of remembering credit card and shipping info.

The point of all this is the following: don't require users to set up a username and password if you don't intend to save info between sessions. Maybe Gogo is still developing and will allow users to do that in the future, but wait until those features are there to implement the requirement to log in.
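
Added example, not part of the original post and not Gogo's code: a sketch of a security-question reset flow that closes the two gaps the story relied on, namely that bogus usernames got a different response from real ones and that answers could be guessed without limit. The class name, the lockout threshold and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

QUESTIONS = [
    "What was the name of your first pet?",
    "What was the name of your first school?",
    "What city were you born in?",
]
MAX_ATTEMPTS = 3  # assumed policy: failed answers allowed before lockout


def _digest(answer: str) -> bytes:
    # Normalise case and whitespace so " chicago " and "Chicago" compare equal.
    # A real deployment would use a slow, salted hash instead of bare SHA-256.
    return hashlib.sha256(answer.strip().lower().encode()).digest()


class ResetFlow:
    def __init__(self, accounts: dict):
        # accounts: username -> (index into QUESTIONS, answer)
        self._accounts = {u: (q, _digest(a)) for u, (q, a) in accounts.items()}
        self._decoy_key = secrets.token_bytes(32)
        self._failures = {}

    def question_for(self, username: str) -> str:
        """Return a question for any username, so the reply does not
        reveal whether the account exists."""
        if username in self._accounts:
            return QUESTIONS[self._accounts[username][0]]
        # Unknown name: keyed hash picks a stable decoy question.
        mac = hmac.new(self._decoy_key, username.encode(), hashlib.sha256)
        return QUESTIONS[mac.digest()[0] % len(QUESTIONS)]

    def check_answer(self, username: str, answer: str) -> str:
        """Return 'ok', 'wrong' or 'locked'. Unknown usernames are counted
        and locked exactly like real ones."""
        if self._failures.get(username, 0) >= MAX_ATTEMPTS:
            return "locked"  # stays locked until reset through another channel
        stored = self._accounts.get(username)
        if stored and hmac.compare_digest(stored[1], _digest(answer)):
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "wrong"
```

With a threshold of three, a run of big-city guesses is cut off before it gets far, and a made-up username behaves the same as a real one at every step.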

3 comments:

Lucas Sanders said...

I don't think Amazon actually lets you buy stuff without an account... or am I missing something? (I probably wouldn't bother to have an account with them if it weren't required!)

ajb said...

Okay fine, maybe Amazon wasn't the right example. But there *are* places that let you sign out as a guest.

Lucas Sanders said...

Oh, certainly there are companies doing it the right way — yes, I agree with the argument you're making here. I was actually hoping you were right about Amazon, seeing as I hadn't actually ordered anything from them super-recently. *sigh*

One good example: I wouldn't have bothered to post a comment at all if Blogger made me log in to do so. And that, even though I already have multiple Google accounts. Otherwise, you would've had about a 20% chance of hearing from me, and that would have been by e-mail instead.

One further point: if you're not handling sensitive information, just accept OpenID and forget the account nonsense. People have too many passwords already — hence the choosing of stupid ones like "password"!