Here is a nice article about lessons learned in designing a website login form. I have my own login abuse sob story to relate to you. It's interesting because what this author is warning against:
The username credential is important to remember. When the user is given a default value, they are likely to just accept it and sail right over the question without thinking—and without committing it to memory.
is exactly what happened to me.
I recently signed up for yet another financial account website. I have too many of these already, but I did it anyway. It's part of my long-term planning strategy of forgetting about sub-$5000 bank accounts in various places; they will be "like found money" when I eventually remember them in my fifties.
So anyway, I signed up. I put in my Social Security number, and I was told to choose a short PIN. I finished the wizard, and it brought me to the login form. It was immediately obvious that I had missed something.
I was never asked to choose a username, like I would have been on any normal website in the free world. Instead, I was (apparently) issued a customer number. A NUMBER. Humans can't remember numbers after a few digits, so I'm definitely going to need to write this down somewhere. Just as soon as I figure out what it is.
Unfortunately, I can't hit the back button to do this, because the registration wizard was in a popup. I already closed it. I checked my email, and there was an email from the website. It said this:
Dear Customer XXXXXX12345,
Very inviting. Thank you.
Here's what I don't understand:
Why bother making me choose a PIN at all? If I'm going to be issued an arbitrary number, there is no need for my input. Just make the number longer and have one of them. You will annoy me, but at least you will make sense.
If I had no stake in the issue, I would have left the website at this point, never to return. But unfortunately, in step two of the wizard I had told them how much of my money to take from my checking account. It was kind of a lot. So I capitulated and called their support line.
Artificial voice: Hello! Did you know you don't need to wait to talk to us to get help? Press 1 for instructions.
[I press 1]
Artificial voice: Please enter your customer number.
[I sit there silently for 30 seconds]
Artificial voice: Are you still there? Please enter your customer number.
Then I frantically pressed zero until I was talking to a person. A minute later, customer number in hand, I went back to the company's website. I typed everything in, and it promptly refreshed the same login screen.
Did you catch it? The number of digits of my Social Security number the form was asking for changed! It wanted the first three digits before, and now it wants the last four. This is going to trip me up at least once every time I log into this site.
This is not design for usability. This is not even design for security, because I had to write all of my information down. This is design for minimum liability. This is design to make sure not even a criminal can log into my account.