…or at least annoyed me today.
I’m new to this "Web 2.0":http://en.wikipedia.org/wiki/Web_2.0 thing, but I’ve been getting up to speed over the last few weeks. To do so, I got hooked into Flickr, del.icio.us, and Technorati among others. More on all that later.
I’ve also been "a bit busy at work":http://evdb.com/blog/, too, so I wasn’t able to get back to Technorati for a week or two. When I did this morning, I found that (like usual) I’d forgotten the username and password I’d used. The usual suspects didn’t do the trick, so I popped my e-mail address into the Forgot Password link like a good little user and proceeded to Gmail to get enlightened.
That’s when it all started going wrong.
The e-mail I received wasn’t very informative, but I assumed it wouldn’t need to be because it consisted mainly of a “reset password” link back to Technorati. However, following that link took about 16 years (or the Web equivalent, 20 seconds), so I started to get nervous. When the page finally appeared, it was as sparse as the e-mail had been, just a pair of “new password” boxes. This wasn’t exactly the rich user experience one would hope for in an interface as important as “Change Password”.
Still, I wasn’t being prevented from proceeding… yet. I typed in my usual “Web-type services that I only use infrequently” password twice, clicked Submit, and… um, what the hell is that? A longish hex value at the top of the page and the same two entry boxes again. I’m not sure what “0bd64a720b489766fe0289775021a7da” means to Technorati, but to me it means they goofed. Even worse, re-trying my newly-updated password put me right back where I started, with “Forgot Password” my only avenue.
Just to recap the issues here:
* The Forgot Password e-mail is being sent to a) users in need or b) users who are under identity attack. Provide more information in that e-mail, like “your Technorati username is blah” or at least “if you didn’t request this e-mail, no action is required to prevent your password from changing.”
* Say it with me, “Web users only wait 8 seconds before assuming there’s a problem.”
* The Change Password page should also list, at minimum, the username being changed. If I can request the change knowing only my e-mail address, then the odds are that I’d benefit from learning the username.
* If you’re going to fail, fail with informative error messages. That hex value was probably either a debug message or a missed internal connection, but I can’t honestly believe that I did anything so unusual that it couldn’t be caught by a unit test or use case.
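A sketch of a reset flow that follows the points in the recap, added here as an example; it is not Technorati's code. The function names, the in-memory `pending` table, the one-hour lifetime and the `example.invalid` link are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600   # seconds a reset link stays valid (assumed value)
pending = {}       # sha256(token) -> (username, expiry); stands in for a DB table

class ResetError(Exception):
    """Its message is written for the user, never an internal id or hash."""

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(username, now=None):
    """Issue a single-use token; return (token, e-mail body)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending[_digest(token)] = (username, now + TOKEN_TTL)  # only the hash is stored
    body = (f"A password reset was requested for the account '{username}'.\n"
            f"Reset link: https://example.invalid/reset?token={token}\n"
            f"The link expires in {TOKEN_TTL // 60} minutes.\n"
            "If you didn't request this e-mail, no action is required "
            "to prevent your password from changing.\n")
    return token, body

def username_for(token, now=None):
    """Validate a token; the Change Password page displays the returned name."""
    now = time.time() if now is None else now
    entry = pending.get(_digest(token))
    if entry is None:
        raise ResetError("This reset link is invalid or already used. Request a new one.")
    username, expiry = entry
    if now > expiry:
        del pending[_digest(token)]
        raise ResetError("This reset link has expired. Request a new one.")
    return username

def change_password(token, new, confirm, credentials, now=None):
    """Set the password; consume the token only once the change has succeeded."""
    username = username_for(token, now)
    if new != confirm:
        raise ResetError("The two passwords do not match. Nothing was changed.")
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", new.encode(), salt, 600_000)
    credentials[username] = (salt, key)
    del pending[_digest(token)]
    return username
```

Because the token is deleted only after the new credential is stored, a failed submission leaves the same link usable rather than sending the user back to Forgot Password.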
In fairness, the Forgot Password page provided an e-mail link to handle cases like mine. Hopefully they’ll know what happened.