User and Social Experience Design
An analysis of the responses to the survey I conducted earlier this week on websites that "remember" users, with some interesting perspectives on personal information security.
I set up a survey on the weekend to find out more about people’s perceptions of websites that do or don’t keep them logged in and remember their credentials. As someone pointed out, websites don’t actually keep those details – the authentication is stored locally in a cookie – however for the sake of consistency with popular understanding of the feature I worded the survey according to the former interpretation.
During the few days the survey was online I collected 57 responses and I’d like to share some of the insights from the results. Not everyone who participated answered every question in the survey.
Demographics
Of the 57 respondents, 49 provided their computer usage competency level. 70% (34) described themselves as geeks, 26% (13) as competent and 4% (2) as average. I was hoping for a higher representation of non-geeks but this wasn’t a full-blown research project so I only promoted the survey through Twitter, Facebook and my blog.
Responses
In response to the question “Do you usually ask websites to remember you?” 20% (11) reported they never or rarely ask websites to remember them. The other 80% (46) said they usually do ask websites to remember them.
In response to “How do you decide whether to ask a website to remember you or not?” 70% (42) said they use the feature because of the convenience of not having to log in every time. 28% (17) were influenced by the privacy of their information and 2% (1) said they did not understand the “remember me” feature.
The qualitative responses to the question “What else do you consider when deciding whether to ask a website to remember you or not?” included the personal value of the information in an authenticated account. For example one person didn’t care about the security of their Evernote account as they didn’t really mind if other people saw it. Financial and banking sites were cited as being an important factor – although of course many such sites don’t ask to remember your password. The usage frequency of the site also came up: if people use a site regularly then they’re more likely to ask the site to remember them.
The security of the computer itself was an important factor. Several people would never use the feature on a public computer, and many wouldn’t even ask their work computer to remember their login.
People seemed to have a high level of confidence in the security of the home personal computer, although one person did admit that, in light of news coverage of a burglar who accessed someone’s home PC during a break and enter, they might rethink that.
Trust played an important part, with a site’s reputation being earned through anything from continued use to word-of-mouth recommendations of the site’s security and privacy. One person did say that if a site had a privacy policy that would influence their decision even though they probably wouldn’t actually read the policy.
Some sites such as Tumblr don’t even ask you if you want them to remember your password – they just do it by default. I asked “Would you prefer if websites remembered your password without even asking you?” to which 88% (43) of people said they want the choice, while the other 12% (6) said that they would like that.
Inspired by recently reading Persuasive Technology by BJ Fogg I posed the question “What do you think of websites that never remember your password?”. 35% (17) said they thought such websites were forgetful and badly designed. 14% (7) said that they perceived such sites as being more secure, while the remaining respondents to the question offered the following opinions:
- Some websites (like banks) should not remember passwords
- It’s annoying
- They can encourage lower security
- I use my PC to remember my passwords
- They are painful
- Bad design
- They want to be more secure and browser can handle remembering passwords anyway – then they can be encrypted if I wish
- It’s a pain in the arse
- Why have a password if you’re just remembering it for me?
- They are either secure, or badly designed. Depends on the content of the site.
I also provided a field at the end for people to add any further comments. Some made observations about particular sites’ privacy policies and mechanisms such as Facebook which appears complex and unpredictable (and thus untrustworthy). Sites that store credit card or payment information should never remember your login. One person vented their frustration that Safari would not remember their password for Facebook and possibly also Twitter – although they understood it was a web browser issue and not a defect with those sites.
The tab order for username/email, password, “remember me” checkbox and the login button was picked up by someone. That’s something that often frustrates me too – the lack of logical tabbing order with login forms. I often accidentally end up activating the “forgot my password” link!
Lack of SSL encryption for authentication was raised as someone’s pet peeve, and another respondent thought that browsers offering to remember passwords was even less secure than using cookies – however someone else loved the feature as it was quite convenient.
Password strength, remembering passwords, restrictions on choice of passwords and progressive hacking techniques were also mentioned as were some people’s thoughts on the quality of my survey questions. Point taken, thanks for the feedback.
Conclusion
While hardly conclusive evidence, I believe enough opinion and feedback was collected to show that most websites should provide an option to remember your password and keep you logged in. Perhaps it could be checked by default, but the option must be provided to not remember your login. Sensitive sites that store payment information should always require you to log in, or at least do so when you’re accessing parts of the site where you can manage or use that payment information.
I don’t get why LinkedIn makes me reauthenticate so often even when I’m logged in, for example when I want to update my status – although they may have changed that recently.
One person did also suggest that websites should provide more information on what the feature means, especially as they’re all labelled differently. Some sites use the prompt “remember me”, others “keep me signed in” etc. While us geeks know they’re all the same – they just write a cookie – it’s not so obvious to some people and for those who care about the security of their personal information websites should be more proactive in telling them what the feature actually does and provide advice on whether they should use it. One site I’ve seen (I thought it was Hotmail, perhaps a previous version) put the question another way by asking if the user was on a public shared computer.
I hope this information is of some use. If you have any further thoughts please feel free to add them here or over on the UX Exchange thread where this started.
// purecaffeine.com is a user interaction and UX design, social media and Government 2.0 blog run by professional Canberra, Australia web user interaction designer Nathanael Boehm, licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 Australia License.


Hi Nat,
Interesting research. I wish I had seen it to participate.
Another factor to consider is the actions the user is taking – as you mentioned briefly regarding LinkedIn.
While I may want a website to remember me for my preferences when I visit, if I am changing my account information – or even deleting my account – I would like a site to reauthenticate me.
I think there is a definite case for action-based authentication prompting rather than simply website-based as the risks of various actions vary. The ultimate would be allowing people to decide when they wish to be prompted to authenticate by action – however I would only expect a few people to customize these settings.
In future research it would also be interesting to look at cross-website authentication, such as via OpenID or the myriad of sites that prompt log-in via Twitter or Facebook (and may post things to your timeline).
I wonder how worried people are about these services gaining access to passwords – and potentially keeping or even selling them.
Cheers
Craig
Interesting point … no one mentioned anything about sites possibly disclosing passwords; perhaps there haven’t been enough instances of people’s passwords getting out in the open and being used to access other accounts and so on. No doubt people are complacent.
Hi Nat,
Great write up. It was interesting to see what others’ responses to the questions were.
I just wanted to mention that I think having the ‘remember me’ checked by default would be a bad idea. If it is off by default and you want to be remembered, you only have to remember to check it once. But if it is on by default then you would have to uncheck it every time you logged in.
I also think that password theft was not mentioned because it is usually not the websites themselves that are involved and instead are ‘hackers’ just compromising accounts via dictionary or brute force attacks. If word got out that a website was storing plain text passwords, let alone letting them get out into the wild, that website would quickly become a wasteland. Not something website operators are aiming for in this day and age when everyone is trying to be the next big thing.
/2c
J
The odd thing about this is that people mentioned browsers remembering their passwords for them, and they also mentioned that security was a reason to not use “Remember Me” functionality on sites. However, these two are actually the exact same thing – the information gets stored on the local computer regardless of where the remember function is implemented – browser or site. Was there any correlation between the two responses – were there people that feared for security that also used browser functionality to remember their passwords?