Another example of not telling the user what you want from them, this time from O2, a mobile phone network in the UK.
This week, I needed to visit the secure area of the O2 website, and - of course - because it had been so long since I had last visited, I had forgotten my password. Time to use their password reset process.
So I went through the motions, and - dutifully reading the "Important" text to the side of the new password fields - I entered my new password.
I've recently started using a random password generator, and I faithfully put in the minimum requirements stated on the O2 website. The instructions on this page are pretty clear: the minimum and maximum length of the password are stated, and the statement about mixing letters and numbers indicated that I could use both. I was a little sure what they meant by "other characters" so I added a basic set of punctuation characters to my generation algorithm.
...and fell at that hurdle - see screenshot below.
Despite all the excellent direction in the blue box, there is still some mystery about what "other characters" are permitted. Only by experimenting was I able to get to a password that was acceptable to O2's secret, inscrutable requirements.
Each time I failed, a slap from the website, an invitation to abandon the process and go elsewhere. It's a good job I really needed to get into the secure website. And collect case studies of interaction design for this blog.
Because this is the problem with keeping your website's password criteria secret: user frustration. What percentage of users try again after the first failure? What percentage leave after the second?