Zach’s ugly mug (his face)

Zach Leatherman

Registration Forms Suck, Let’s Mitigate Suckiness

10 Jan 2009 Read in about 4 minutes

Signup Form

A lot of people complain about registration forms. Some people have suggested getting rid of them altogether, allowing users to utilize login credentials from accounts they already have through OpenID. But even with a highly technical audience, OpenID adoption is problematic.

So, some sites have gone two ways, allowing OpenID, but also a proprietary registration system. This too, is problematic. It would seem that given a choice, the John Doe the Plumber style user will choose a proprietary account over the confusing user experience presented to them through OpenID.

But the annoyance doesn’t just lie with account registration for web applications. Typing your personal information on every blog you comment at is also repetitive and unnecessary. Some sites even require account registration for something so minor and transient as a blog comment.

Unfortunately, for the time being, it looks like registration forms are here to stay. So, what can we do to make those registration forms more usable, more efficient, and ultimately downright friendly? I know that you’re ahead of me on this one: Let’s auto-complete information for the user.

Please keep in mind that this power can be used for both good and evil. Essentially what we’re discussing here is data mining available information from various social networking sites on the internet, trying to glean personal information about an end user that has volunteered a piece of their data already. What can we get from what we already have?

Once a user has typed in their e-mail address, we can:

If you know any of their social networking usernames, you can:

Those are only some of the proof of concept API’s that I’ve listed here. The interesting piece of this, is that once you have a small piece of information, it opens up the door to other searches.

One can only imagine how many leaves are in this tree. For example:

  • Facebook’s Users.getInfo (in JavaScript)

  • Yahoo’s Social Tools, get an end user’s GUID and go to town on their profile.

    • Google Contacts, I didn’t even start to look through their API’s. Before you start jumping the privacy fence to a self induced heart attack, remember that all this information has been volunteered by each individual participating in each of these services. Remember, with great power comes great responsibility.

    What do you think? Scary or useful?


➡ Load Disqus to Leave a Comment ⬅

This is actually something we have talked about a lot at my work.
We are going to try and make it easier for users to create an account by providing a account name, or a Hyves account name (Dutch community website), and hopefully in the future Facebook account names and whatnot.

I believe the barrier can be greatly reduced by offering users the possibility of logging in with existing username/password combinations, so it's our goal to support as many relevant socal media sites as possible.

Zach Leatherman

11 Jan 2009 at 03:33PM

Ah, I didn't check

It seems like there might be some interest in creating a plugin that will attempt to search out all of these data sources for more information about a user.

But one thing you should watch out for is the Password Anti-Pattern.

It is pretty amazing what you can gather from different sources. Would be interesting to write a wrapper API that tries all these (and other) sources and gets the data as one bunch.

Zach, the next time I hear the term "Password Anti Pattern" I will scream. Joe end user has no clue about security as we come up with clever terms like these that don't mean anything to people outside the echo chamber. And in this case it is not at all what we are talking about. The problem with logins and passwords is that people don't get the idea that giving both to another party is a bad idea. That is not a Anti Pattern, that is just stupid, and it is time we tell the world in layman's terms. ;)

Zach Leatherman

14 Jan 2009 at 01:12AM

Well, it certainly isn't Joe end user that's developing applications that implement the (wait for it) "Password Anti Pattern."

I definitely understand your negativity towards the approach though, and am definitely very protective of my e-mail account credentials. Twitter, on the other hand, not so much.