I have worked in UX for over a year now, and nearly every single day, I learn something new from my team or from work we're doing about how to improve the user experience.
One of the general principles we try to operate on is of course the classic "K.I.S.S.": Keep It Simple, Stupid. Unfortunately, I often see us or other applications ignoring this rule in one of the seemingly simplest parts of our UI: strings. Just changing a word or two or cutting a sentence can sometimes make a vast improvement in the usability of the app.
Speaking as someone from an engineering background, I know first-hand how difficult it is to take off your geek hat when you're designing software for non-geek users. Coming up with good strings is sometimes straightforward, but often not: it takes just as good an understanding of your user, their mental models and how they think to come up with good strings/text as it does to come up with good UI. I was just in a UI spec review today where an editor was sounding the 'geeky alarm' every five minutes.
Take, for example, this authentication dialog from the SSH client I use:
Pretty simple dialog, really. I use this client several times a week (and have for years) and I'm so used to the omnipresent user/pass combination of fields that I literally didn't even read the strings until today. And when I did actually read them today, a few thoughts immediately came to mind:
#1: Why bother telling me "Authentication required."? It's pretty obvious what the user needs to do from the existence of the two input fields, ubiquitous in any e-commerce site or email client, etc. The more visual clutter on the screen, the more likely I am to tune things out or wildly start guessing what I'm supposed to do. The simpler the UI, the more Zen I feel, the more likely I am to take a patient approach.
#2: "Passphrase", seriously? Assuming that's not a cultural thing (e.g. perhaps that's the phrase for 'password' that's used in England and this app was developed there), "password" is a better word. [update: see comment thread for a further discussion of this, I'd forgotten about this term when I first wrote this post]
#3: "Remember password on memory" - geek alert! Would you really tell your parents to remember their passwords on memory? How about just, oh I don't know... "Remember password"?
Every simplification we make in our strings also has an added benefit: when the strings are localized, it's more likely the translation will be accurate and succinct (and fit in the space allotted; we usually allow about 140% of the width of the English string).
Now if only I were good about being succinct in my own blog posts...
I know this is nitpicky, but they should have "Remember Passphrase" if they are going to use Passphrase instead of password.
Not at all nitpicky, I wasn't thinking about that at all as I wrote it, because I've *never* used a passphrase, except with maybe PGP 10 years ago. At any rate, I still think it's odd to have it in this dialog because they don't control the server and can't *require* it to be a passphrase, it's just a generic telnet/ssh client... so the likelihood that a passphrase is used seems very minimal to me.
I agree "passphrase" sounds unusual, but I think it was an intentional choice by the authors. It is not a foreign term or anything, but just meant to emphasize that you need not choose a single word to use as your secret, since longer secrets are more secure. I know a lot of ops type people who use short sentences for SSH authentication.
I think an SSH client is kinda geek oriented to begin with, so "passphrase" may be appropriate for the intended audience.
Andrew - fair point on audience, however what I think is interesting is that geeks still react to UI in similar ways to "normal" end users, e.g. the busier it is, the more likely they won't read it, and if they don't read it, what's the purpose of having the string there in the first place?
You're a geek. Do you use passphrases to authenticate to any service? How long is your longest password?
I'm fully accepting that you might say "Yes, all of my passwords are actually passphrases", at this point I'm just curious :-)
My work login password is a passphrase. The longest I've used so far was 22 characters. I do still have a website password that is as short as 7 characters, but that's only protecting my profile on some sites that I really don't care much about (pretty much just protecting me against someone posting as me).
The longer the passphrases get, the more difficult it can be to type them accurately. Perhaps the practice of hiding the typed characters needs to become optional, to allow the user to trade off the risk of over-the-shoulder attacks against the inconvenience of typos in the passphrase.
I'm not Andrew, but I'd like to chime in -- I use passphrases wherever I'm allowed to, now. I find that they're easier to remember. I've even got my wife and kids using passphrases on our home network -- again, we found that the kids had a much easier time remembering a sentence than they did an arbitrary tangle of characters.
(Yes, I enforce password complexity at home. Never too early to teach kids proper habits.)
Another gripe I have is with people who write websites and applications that have stupidly short maximum password lengths or that prohibit the use of symbols. I just don't see the sense in that one.
Did someone already mention the whole disparity between the use of the term password and passphrase in the same dialog box to refer to the SAME THING?
Uh, either it's a password, or a passphrase. If it's a passphrase (semantic point in comments duly noted) - then that last box should read "Remember PASSPHRASE on memory"
Ye gads! Don't get me started... ;)