If there is a field that you require - and I mean, really require, not just something the marketing department want to know - then you need to tell the user to provide it before they click that button.
If there are special restrictions on the data you require, tell the users about it before they provide it. If they're changing their password, tell them what your password policy is before they try. Otherwise, every time they attempt to give you the information you want, they're effectively playing a guessing game with you. Web forms are no place for guessing games. Users have very short patience; they will get frustrated, they will abandon the process.
And please don't be lazy about it, insisting that credit card numbers or telephone numbers must - or must not - have spaces. Why? It's a simple job to write validation routines that will go that extra distance and make it easy for your users.
The Reset Password Process
As with so much else on this blog, sharing this advice is prompted by a website I visited in the last couple of days. I had, I will freely admit, forgotten my password, and with suitable chagrin went through the reset process. It was very quick and straightforward. It didn't make me feel stupid. So far so good.
But then I was promptly directed to the Reset Password page, where I typed in my new password (twice, as usual). I was then presented (after a suitable delay for a round-trip to the server) with the following feedback (image below):
At first glance, the feedback is good: it's next to the field that has failed validation. It's in a distinctive colour (although perhaps the red is a little admonishing schoolteacher). Yes, the message is a little awkward, but the thrust of it is pretty obvious. I'd tried to use a password that I'd used before. We've all done this; for low-value websites, many users recycle a set of easily-remembered passwords. It might not be very secure, but that's what happens.
So I thought for a little while and typed in a new password. And I got this:
Again, the message is pretty clear (if not particularly friendly): the password I'd just made up was too short. Where this message fails is that it gives no information about the acceptable length of the password.
Guessing what the minimum length might be (meaning adding another character to the end of the password I'd just used), I tried once more. Same message: still too short. And still no clue to what the required length might be.
At this stage, I was starting to get frustrated.
I needed one more attempt before the password I had chosen matched the undisclosed, secret policy requirements. That's three attempts. Three bites at the cherry. Three tries to guess the requirements of the password field; that and a lingering bad feeling about the website in question.
So how could they do it better?
Tell Users What You Want From Them
It's trivially simple to state your password policy before you ask the user for their password. How many characters you're expecting; whether there needs to be a capital letter, a number, a punctuation mark.
Tell the user that they can't use a password they've used previously. That's not giving any security details away; it's just making life easier for the user.
And don't be surprised if users don't read your wonderfully-crafted informative text. If the user supplies a password that doesn't meet policy, tell them again what your requirements are. Give them concrete, specific feedback. Be gentle. Remind yourself that if the users struggle with your website, it's not their fault; it's yours.
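One way to apply this, as an added example that is not code from the website discussed or from the original post: a single policy object produces both the requirements shown before the user types and the feedback shown after a failed attempt, so the two cannot disagree. The policy values and the `wasUsedBefore` history check are assumptions made for illustration.

```javascript
// Added example: all policy values below are assumed, not taken from the page.
const POLICY = {
  minLength: 12,
  requireUpper: true,
  requireDigit: true,
  requirePunctuation: true,
  forbidReuse: true,
};

// Each rule pairs the sentence shown up front with the test that enforces it.
function rulesFor(policy) {
  const rules = [{
    text: `At least ${policy.minLength} characters`,
    // Count code points so an emoji or accented letter counts once.
    ok: (pw) => [...pw].length >= policy.minLength,
  }];
  if (policy.requireUpper)
    rules.push({ text: "At least one capital letter", ok: (pw) => /\p{Lu}/u.test(pw) });
  if (policy.requireDigit)
    rules.push({ text: "At least one number", ok: (pw) => /\p{Nd}/u.test(pw) });
  if (policy.requirePunctuation)
    rules.push({ text: "At least one punctuation mark", ok: (pw) => /[\p{P}\p{S}]/u.test(pw) });
  if (policy.forbidReuse)
    rules.push({ text: "Not a password you have used here before",
                 ok: (pw, ctx) => !ctx.wasUsedBefore(pw) });
  return rules;
}

// Text to render next to the field before the user types anything.
function describePolicy(policy) {
  return rulesFor(policy).map((r) => r.text);
}

// Reports every unmet requirement at once, in the same words as the up-front
// text, so the user never has to guess the length or rule that failed.
function checkPassword(pw, policy, ctx) {
  const unmet = rulesFor(policy).filter((r) => !r.ok(pw, ctx)).map((r) => r.text);
  return { valid: unmet.length === 0, unmet };
}

// Constructed sample input. wasUsedBefore is a hypothetical stand-in for a
// server-side comparison against the account's stored password hashes.
const sampleCtx = { wasUsedBefore: (pw) => pw === "Summer2019!" };
console.log(describePolicy(POLICY));
console.log(checkPassword("Summer2019!", POLICY, sampleCtx));
console.log(checkPassword("correct-Horse-battery-9", POLICY, sampleCtx));
```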
The harder it is for users to guess an undisclosed password policy, the more likely they are to end up choosing a password they won't remember - meaning they have to go through the reset process the next time they visit your website. And the time after that, assuming they ever come back.
Each stumbling block is a barrier for users to cross before you get the chance to interact with them. And users will only jump through so many hoops before they get frustrated and give up.
How can we expect our users to know what we expect of them if we don't tell them? Playing a guessing game with our users - a game the users cannot win - is only going to lose users.