LarryRoth.net

Web

Password masking IS important

by on Jul.06, 2009, under /, Usability, Web

I am very pro usability—anyone who knows me will agree. I fight the fights that need to be fought. I go against the corporate decisions that don’t benefit the user. I evangelize for Donald Norman and hang on every word that Jakob Nielsen speaks. This is why it seems so very strange that I would be incited by an innocuously titled article, Stop Password Masking, on useit.com.

Dr. Nielsen contends that we—Web developers—should abandon legacy design and stop providing “little dots” instead of the actual characters that a person is typing in for their password. On the surface, this seems to make sense. After all, it’s hard to type in that which you cannot see.

I guess I should be upfront and say this is many years as a sys-admin speaking—not a usability expert—but nonetheless I found many things flawed with the post. I would add that the designers of systems have a responsibility to protect users from compromising their account.

But the main point of the article is that by not showing users what they are typing when they type a password, we are decreasing the usability of the page and also the security of the page.

Here is a brief recap of the main points of the article (please read the whole article for yourself):

  1. There are very few times when a user is in actual danger of someone “seeing” what they are typing
  2. Users make more errors when they can’t see what they are typing
  3. More errors means less confidence
  4. All this leads to users using simple passwords or copy/pasting passwords

One of his primary points is that a “skilled criminal” can capture your password by looking at the keyboard, not the screen. It’s hard for me to argue with this as I have witnessed this and even done it.

Here’s the rub…I have managed users on systems large and small for the better part of 20 years. I have learned by observation that people don’t have simple passwords because passwords are hard to type in without seeing, they have simple passwords because they are easy to remember.

As a system administrator I know, inherently, that the weakest link in any system is the user. And it’s not because it’s hard for them to type their password, it’s because they want one password that is easy to remember and is somehow tied in with who they are as an individual.

For this reason, I find passphrases to be a better solution because they are easy to remember and are instantly harder to hack due to their length. If someone has a hint of what you like, they may more easily crack the passphrase with shoulder surfing, but it’s much harder than a simple password.

Lastly, Dr. Nielsen points out that we should abandon legacy design—I am a HUGE fan of abandoning legacy design when it makes sense. Dr. Nielsen points to both form reset buttons and password masking as being legacy design…as the twitterati say, EPIC FAIL!

Let’s focus on usability, but only when usability is really the problem. But maybe you disagree with me; leave me a comment.


Does skittles.com make sense?

by on Mar.02, 2009, under /, Usability, Web

Skittles unveiled their new corporate site to much applause and some disdain by the Twitter community. Taking a cue, perhaps, from agency.com, they have reduced their site to be nothing but a navigational overlay box on top of content provided by social network sites.

screen grab: skittles.com homepage on March 2, 2009


This works by making their:

  • home page a Twitter search feed
  • product pages, Wikipedia pages
  • media pages both Flickr and YouTube feeds
  • friends page a Facebook page

Simple is best, right? Maybe not.

So what is the upside for Skittles? Well today, at least, they have generated plenty of free publicity. Going forward, they will have a lot of fresh content and perhaps some ongoing publicity.

But how about the downside? There are plenty of thoughts that pop into my head.

Perception

How will they be perceived by the social networking community or the social network sites themselves? Within several hours of launching, their Flickr account was “missing” and a “neutrality” warning was posted at the top of their Wikipedia article.

screen grab: the article notice that appears at the top of Wikipedia's Skittles page.


Skittles is “borrowing” a lot of bandwidth from these sites, for free, and what are they providing in return? Users of social network sites provide content, sometimes very interesting content, and that, along with increasing per-page impressions is the fee they pay for using a free service. What is Skittles giving back to the community?

“Social-ness”

The biggest part of being a part of “the social”, and the part that companies often don’t get, is that it’s about 2-way communication. Kudos (excuse the pun), to Skittles for allowing their customers to have an unfiltered voice, but where are they in the conversation? We want to hear Skittles interact with their customers, not just hear ourselves talk about them.

Alienation

What is the experience for many of Skittles’ potential customers? For instance, you now have to be 13 years old to view the site. And even if excluding kids from a candy store makes sense, what about the folks that are Web savvy, but not social network savvy? Perhaps this site will be a little weird to them. Which leads me to the biggest issue, usability.

Usability

Is the site usable? We all know that when considering usability, we must first consider our audience. Some would even go as far as saying that we can limit to a specific target audience, not just any possible site visitor. If we suppose what a target audience for Skittles might be, and even if that audience is entirely composed of social network aware individuals, would they find the site usable?

Well, next we would need to know the tasks the audience might engage in. Let’s also suppose it’s the following:

  • find nutritional information – OK, it’s available via Wikipedia, but can I be sure it hasn’t been altered? I also need to do quite a bit of searching (e.g. reading and scrolling) to find it.
  • find contact information – perhaps the easiest thing to do on the site and bonus points for not hiding the phone number
  • search for information – not available at all. This is a complete failure for many web users who wish to visit a site and immediately search for the piece of information that they need.

So, in 3 tasks that I picked, the site only covers one well. But in addition, I see some other major usability hurdles:

  • Poor feedback as to where you are in the site. While this is important in any site, it is very important in a site such as this where the context of the page you navigate to may differ greatly from where you came. e.g. will the user know that Wikipedia is the product page?
  • Navigational overlay gets in the way. On many pages the navigation box seems to be on top of the content and it’s not readily apparent how you shrink it.
  • Random pop-up explaining how to “drop the box in the corner”. If you have to explain to your audience how to use your site, or worse, how to navigate away from it, you have failed at usability.

screen grab: skittles.com pop-up explaining how to navigate away from their site.

Lastly, while not a usability issue, it is odd that a promotional site would ask you to accept their terms and conditions before they tell you about their product. Given the nature of the content that may appear, I certainly understand the reason, but it seems like a big hoop for someone to jump through just to view your site.

To sum it up, I would say the new Skittles.com makes a great meme and is perhaps a bit of Internet history, but to me, the site doesn’t make sense. While I think that companies should be involved in social networking, it’s very important how they approach it.

I can’t wait to see what my colleagues at BrandLogic think about the impact this site has on the Skittles brand. And I would love to hear what you think. Please leave me your comments.


Creating a music experience for the deaf

by on Feb.25, 2009, under Usability, Web

The kind folks at 80 works for designers take us behind the scenes to a class that is creating a prototype interface for deaf people to feel music. It’s a wonderful read just to review the processes that the class uses to work through the problem domain. But more so, it is a great reminder that usability should include accessibility. Thoughts?


What’s on your logout page?

by on Feb.25, 2009, under Web

Closed Loop Marketing posts a very well thought out article regarding the page a Web site presents when a user logs out.

Sandra Niehaus writes:

Let’s put ourselves in the shoes of a site visitor for a moment. … Now she’s done using the site, and logs out.

And sees, however briefly, the logout thank you page. Here is a transition state, a zone where the visitor’s attention is not yet focused on a new task. Here’s your opportunity. What will you say?

In addition to a critique of some excellent examples, Ms. Niehaus also creates a nice table of optimization guidelines. Definitely a good read.
I am also interested in reading the book she references:


Is Twitter bad for government and business?

by on Feb.17, 2009, under Web

In his post entitled: Yes, Twitter is still dangerous (http://blogs.zdnet.com/projectfailures/?p=1703&tag=nl.e539 , viewed 2/17/2009), Michael Krigsman contends that Twitter poses a security risk to businesses and governments. The example Mr. Krigsman uses is of Congressman Hoekstra real-time twittering his travels within Iraq. This, of course, does much to undermine the secrecy of the convoy. 

Is this an issue with Twitter? Could the same not be said about any other real-time/near real-time communications platform (e.g. e-mail, IM, cell phones, blogs, etc…)? Couldn’t the Congressman just as inadvertently have mentioned his travel plans to a television or print reporter? Or just plain sent a postcard?

We can’t ignore the speed and reach with which the Internet can spread a message, and also we can’t ignore the intractability of that message. Mr. Krigsman writes:

I’m personally aware of confidential meetings where participants innocently twittered sensitive information that thousands of recipients may have read. 

Have you ever Reply-all’ed to an e-mail instead of just Reply? It’s just so easy to do irreparable damage.

Still, our communications paradigms continue to shift, and we with them. It is not overgeneralizing to say all forms of communication can create a security risk. So, yes, Mr. Krigsman is correct in saying that Twitter is a security risk. But it has always been about whether the benefits outweigh the risks. Which brings me back to Twitter, government and business.

Yes, secrets can leave their protected environment and travel around the world, and yes, sometimes that is very, very bad. But, conversely, you can also engage in a meaningful dialog with your constituents/customers. If we focus just on government for a moment, the potential is very exciting.

Government 2.0 promises to bring the two essential things that any democracy needs: transparency and two-way dialogue. For the record, transparency does not mean that we post our missile codes or troop movements on MySpace (that is soooo 2 years ago). It means we have more insight into the legislation that affects our future, and more importantly that we have an efficient way to discuss it with our elected officials.

It is important that elected officials such as Representative Hoekstra continue to use communication platforms like Twitter, to keep in touch—and of course equally important, that they are properly trained on how to safely and efficiently use them. They should also take the time to see the other side of the conversation, and perhaps they will find it equally valuable.

Businesses are slowly beginning to see the value in listening to all the (free) feedback their customers are providing. Likewise, they are also starting to join in on the conversation. While everything may not always be as controllable as corporations would prefer, being a part of the conversation ensures your point of view is heard.

I think platforms like Twitter are a great benefit for government and business, and I for one would like to say to both: “Welcome! We created you and we know you will make mistakes, but that’s OK, we are here to help”.


Make sure it’s important to your users

by on Feb.11, 2009, under Usability, Web

Perhaps one of the most crucial parts of UI design is the feedback you provide to users. Like all the information you display, you need to prioritize and provide the proper context for your users. Or said another way: it’s important that you make sure what you think is important is also important to your users. Why the emphasis on important? Well, I found a great example in Web Position Pro (version 3) that helps to prove my point.

First off, Web Position is a fantastic software application that helps you to track your search engine ranking. This post, by no means, is meant to slam this product. However, I did find one Important Notification in the product challenging to the user.

Upon startup—and after a fresh, fully-licensed install I might add—I was greeted with the following error message.

Error message from Web Position Gold 3


What’s the issue? Well, first of all, the user is presented with a modal window and is being told that a service they never signed up for has expired 4.24 YEARS ago. More pressing is the use of the word Important. To whom is this message important? Certainly not someone that has let their service expire over 4 years ago! Perhaps it is important to the sales department at WebTrends, but not to the user of the software. It would have been better to present the message in the proper context. One suggestion might be an on-screen prompt, not a modal window, and language that is more honest: “We can help you: sign-up for page critic today!”

Lesson to learn: Save UI conventions such as modal windows and strong language such as important for messages that are important to the user, not just you.


An overview of form design for the Web

by on Feb.08, 2009, under Usability, Web

There is a great post on Web Design Tuts discussing How to Design The Perfect Form. The author does a great job of showing many different examples, but in particular, he breaks down form design as:

  • Less is more
  • Context & Assistance
  • Distractions
  • Modals

It’s a great read and well worth exploring.


A “howto” for JavaScript debugging

by on Feb.05, 2009, under Web

The folks at A List Apart have provided an excellent “howto” guide for JavaScript debugging. Not only does this article provide some very practical real-world experiences, but it talks about debugging JavaScript across 4 different browsers (IE8, Firefox, Safari, and Opera) instead of just focusing on Firefox. It’s a good start to debugging in general, and the only point I would add to the article is that you can use the debugger to learn about JavaScript by examining existing sites.


Can businesses exploit social networks?

by on Feb.01, 2009, under Web

Sitting with my Sunday tea, I came across this:

Dilbert.com

Of course there is the usual Adams dry humor. But it points out the elephant in the room that isn’t often spoken about. What happens if companies choose to start gaming the system when it comes to social networks?

Quick definition: gaming the system refers to someone who exploits weaknesses in a set of rules to further their own needs. An example would be someone who creates lots of fake Web sites to point back to their real Web site, just to increase their Google rank.

Back to the question. Are companies, and for that matter individuals, gaming the system? For instance, do companies have hired reviewers that create favorable reviews on Amazon?

Early on, given the size of social networks, there was a lot of self-policing. We would talk about meritocracy and how you had to earn your right to have a voice—well, at least a voice that would reach the masses. But now social network sites are much larger and more mainstream. Facebook alone had 222 million visitors in December. How can that large of a group police itself effectively? Who sets the rules?

There have been several notable cases of companies and individuals getting caught faking reviews, creating biased articles on Wikipedia, or voting up their articles on sites like Digg. Despite these challenges, it would seem that there are many factors that help to keep companies in check. Many people take it as a challenge to try to expose someone gaming the system. Consumers can be skeptical by nature; this plays into it as well.

Perhaps the largest factor is trust. The strongest social networks are built on trust and if you want people to take your post, review, comment—whatever—seriously, you have to have built up social capital. Social network pioneers like Robert Scoble earn our trust even when they tell us they have been hired by a company as an evangelizer. As such it behooves companies not to lose that trust for quick gains.

In addition, the ability for consumers to join in on the conversation and have their voice be heard not only keeps a company honest, but can also increase trust in the company. As their social capital builds, so does a new level of trust in the company. How can companies make sure they don’t appear to game the system?

Here are some tips:

  1. Prepare a strategy for how your company should use social networks. 
  2. Appoint a team or lead person to be responsible for your presence on the Web, not just your Web sites.
  3. Provide guidelines for employees and make sure your employees know the rules. It may be that an employee that means well will falsely promote a product or service because they feel it will help the company. Let them know how this can actually damage the company. Let them know what they can blog, tweet, talk about and how to do it.
  4. Join the conversation openly and honestly. If someone leaves a negative review or comment, don’t respond as a “fake individual”, but rather as the company. Be transparent.
  5. Include social networks as part of your touch points in your brand management strategy.

A good place to start would be to read Robert Scoble’s book Naked Conversations: How Blogs are Changing the Way Businesses Talk with Customers.

What are your thoughts? Leave me a comment and let me know. I started a poll on LinkedIn that asks: Do you think corporations should join in social networks? If you have a second, I would appreciate your input.


Trac Project Management

by on Jul.24, 2006, under Web

I have been working on setting up new project management processes in our company and one of my colleagues passed along a link to Trac. After playing around with it for a couple days, I must say that it is quite an impressive app. It’s easy to set up (apt-get in Debian), easy to tweak (via its command line admin tool and even by tweaking the Python-based templates and code), and easy to use.

Trac combines a Wiki, bug tracker, and Subversion source repository browser in one Web app. It’s a nice mix of keeping project knowledge in one place as well as viewing and managing changes. I really like the simplicity and customizability of the tickets in the bug tracker.

Not only is initial setup a breeze, but ongoing project setup is easy as well. I was able to quickly add a Perl script that not only set up the Trac project, with our particular customizations, but also created the source repository and added the Trac project to the Apache config file.

If you are looking for project management support for your software projects, you should check it out.

