Access Names and Passwords
Sign-In, Sign-On, Login or Logon? After a lot of discussion we settled on Sign-In and Sign-Out as our preferred terms for these actions. Log-In seemed more technical; Sign-In seemed more inviting and community-oriented.
Register is the term we prefer when first asking for a visitor’s details.
Access Name is the title we use for the data item that identifies the user. We prefer to allow the user to enter whatever they want, because then they are most likely to remember it. Mouse-over help should say this, and also that it can be of any length and that it is case sensitive.
You will have to refuse duplicates. If a new entry is a duplicate, say so and offer Forgotten Password. Allow the user to enter a new Access Name; do not force digits on the end, because your user will not remember them. Bear in mind that a "that name is already taken" message confirms to anyone that the name exists, so it should say nothing else about the account behind it.
We do not recommend using email addresses as access names: it takes the choice away from the user, it leads to clumsier ways of handling Forgotten Password, and it breaks down when the user no longer has access to that address after, say, a change of employer.
Passwords should be allowed to be whatever the user wants. At registration the password should be entered twice and the two entries checked to be identical.
Passwords should never be stored in the clear. Store only a salted one-way hash of each password (often loosely called "one-way encryption"), so that neither the site owner nor anyone else can recover it. The user should be clearly told that their password is secure and cannot be used by the site owner or by anyone else, or be given back to them. Mouse-over help should stress that passwords should be more than 8 characters long and should contain a mixture of upper and lower case letters, digits and special characters. In a confirmation email never send the password back: it will remain visible in the mailbox, in Outlook or Exchange, and to the administrators of those systems. People often use the same password on multiple sites, so even if the security risk on your site is low, scammers who obtain the password may try it on other sites.
Forgotten Password should be offered on every failed sign-in. It should result in an email giving a new, temporary password: a random string of 8 characters produced by a cryptographic random number generator, which should expire after a short time. The text of the email should direct the user (with a link) to a page where they can enter a new password of their own choosing (twice).
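The storage and reset advice above, as an added example that is not part of the original page: a salted PBKDF2-HMAC-SHA256 hash stands in for the page's "one-way encryption", verification recomputes the hash and compares it in constant time, and the Forgotten Password flow issues an 8-character temporary password from the operating system's CSPRNG, stores only its hash, expires it after an hour and forces a change at the next sign-in. The iteration count, the one-hour lifetime and the in-memory Account record are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Assumed parameters (not from the original page): PBKDF2-HMAC-SHA256 with a
# random 16-byte salt per user. ITERATIONS is the tunable work factor.
ITERATIONS = 100_000
TEMP_PASSWORD_LIFETIME = 60 * 60  # one hour; an assumed policy
ALPHABET = string.ascii_letters + string.digits


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record
        return False


def new_temporary_password(length: int = 8) -> str:
    """Random temporary password from the CSPRNG (the secrets module), never
    from random.choice(), which is predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Account:
    """Minimal in-memory account record (constructed for this example)."""

    def __init__(self, access_name: str, password: str):
        self.access_name = access_name
        self.password_record = hash_password(password)
        self.temp_expires_at: Optional[float] = None  # set while a temporary password is live
        self.must_change_password = False


def forgot_password(account: Account, now: float) -> str:
    """Issue a temporary password: store only its hash, give it an expiry and
    force a change at the next sign-in. The returned string goes in the email."""
    temp = new_temporary_password()
    account.password_record = hash_password(temp)
    account.temp_expires_at = now + TEMP_PASSWORD_LIFETIME
    account.must_change_password = True
    return temp


def sign_in(account: Account, password: str, now: float) -> bool:
    """Reject an expired temporary password before even checking the hash."""
    if account.temp_expires_at is not None and now > account.temp_expires_at:
        return False
    return verify_password(password, account.password_record)
```

The stored record carries its own salt and iteration count, so the work factor can be raised later for new passwords while old records still verify; the temporary password is never written anywhere except into the outgoing email.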
Some sites have Remember or Remember on this machine with a check box next to the Password control. We recommend that passwords are never stored on a PC or laptop: anyone with access to the machine for thirty seconds while the owner is logged on can find the password. Remember your passwords. Have at least two, one for high-security sites like your bank and one for other web sites, and change them from time to time.
SSL (today TLS) is an encryption technique that protects data, including sign-in details, while it is moving between the browser and the server across wires and routers. It requires a certificate; obtain one and use it on every page that handles a sign-in or a password. Traffic in transit can be intercepted, and the equipment to do so is readily available. Most users believe that SSL also encrypts the data once it is stored on the server. This is a complete misunderstanding: SSL protects data only while it is in transit.
Cookies are small pieces of text that the browser stores on your machine, each associated with the site that set it. A server can identify you through its cookie, which will normally hold just a unique identifier for you rather than any details about you.
Because you are remembered, the server can send you pages tailored to your previous use of the site. We recommend that you enable cookies in your browser.
We recommend that you disable Java applets and ActiveX controls in your browser; they are among the most common ways for malware to enter your machine.
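As an added illustration, not code from the original page, of what the "unique identifier" in a sign-in cookie should look like: the cookie carries only a random session id, the mapping from that id to the user stays on the server, and the cookie is marked Secure, HttpOnly and SameSite so it is not sent over plain HTTP, cannot be read by page scripts, and is not attached to cross-site form posts. The in-memory SESSIONS store and the cookie name sid are assumptions.

```python
import secrets
from typing import Dict, Optional

# In-memory session store (constructed for this example): session id -> Access Name.
SESSIONS: Dict[str, str] = {}


def issue_session(access_name: str) -> str:
    """Create a session for a user who has just signed in and return the
    Set-Cookie header value. The cookie holds only a random 128-bit id; who it
    belongs to is known only on the server, so the cookie reveals nothing."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = access_name
    # Secure: sent only over HTTPS. HttpOnly: invisible to JavaScript.
    # SameSite=Lax: not sent with cross-site POSTs. No Expires: a session cookie.
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a request's Cookie header ('a=1; b=2') into a dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def user_for_request(cookie_header: Optional[str]) -> Optional[str]:
    """Identify the user from the request's cookies; None if not signed in.
    An unknown or forged id simply matches nothing on the server."""
    if not cookie_header:
        return None
    sid = parse_cookie_header(cookie_header).get("sid")
    return SESSIONS.get(sid) if sid else None


def sign_out(cookie_header: str) -> str:
    """Invalidate the session server-side and tell the browser to drop the cookie."""
    sid = parse_cookie_header(cookie_header).get("sid")
    SESSIONS.pop(sid, None)
    return "sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"
```

Because the identifier is random rather than, say, the user's database id, a visitor cannot become someone else by editing the cookie, and Sign-Out deletes the server-side entry so that a copied cookie stops working.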
When a user first registers on the site, send a confirmation email showing their Access Name and asking them to remember it. Do not show their password; point out that it is stored only as a one-way hash and so cannot be given back to them or made available to anyone else.
Also include an Opt-In link explaining that, if they did not register but someone else did using their email address, they can opt out simply by doing nothing in reply to the email, or confirm their registration by following the Opt-In link. This is known as Double Opt-In. All subsequent emails should carry an Opt-Out link.
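One way to implement the Double Opt-In link described above, as an added example rather than the page's own code: the email address and an expiry time are placed in the link and signed with an HMAC under a server-side secret, so a confirmation cannot be forged for someone else's address, altered in transit, or replayed after it expires, and nothing needs to be stored while waiting for the reply. The secret, the 48-hour window and the confirmation URL are assumptions.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (not from the original page): a long random secret kept on the
# server, a 48-hour window for the Opt-In link, and a hypothetical confirm page.
SERVER_SECRET = b"replace-with-a-long-random-secret-kept-out-of-source"
CONFIRM_WINDOW = 48 * 60 * 60
BASE_URL = "https://example.com/confirm"


def _signature(email: str, expires: int) -> str:
    """HMAC over the bound fields; only the holder of SERVER_SECRET can make one."""
    msg = f"{email}\n{expires}".encode("utf-8")
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_opt_in_link(email: str, now: float) -> str:
    """Build the link that goes into the registration email. The address and
    expiry travel inside the link, protected by the signature."""
    expires = int(now) + CONFIRM_WINDOW
    query = urlencode({"email": email, "exp": expires, "sig": _signature(email, expires)})
    return f"{BASE_URL}?{query}"


def confirm_opt_in(link: str, now: float) -> Optional[str]:
    """Verify a followed link. Returns the confirmed email address, or None if
    the link is malformed, expired, or tampered with. Doing nothing (never
    following the link) is the Opt-Out the email describes."""
    params = parse_qs(urlsplit(link).query)
    try:
        email = params["email"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    if now > expires:
        return None
    expected = _signature(email, expires)
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return None
    return email
```

The expiry is checked before the signature only to fail fast; both checks must pass, and the comparison uses compare_digest so that a forger gains nothing from timing how long a wrong signature takes to reject.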