Common Practice
Friday, May 18th, 2007

A while back Ben, of the always excellent Noisy Decent Graphics, posted on his blog an astonishing example of shoddy thinking on the part of the Design Week website.
There are all sorts of ways to help a user who has forgotten or lost their password, and each of them has its pros and cons, but Ben’s example got me thinking about the number of websites that require a user to enter their old password in order to set a new one (even sites that get almost everything right, like the multi-Webby-winning Flickr, do it), and I realised that just because something is common practice doesn’t mean it’s a good idea.
Here’s why I think it’s bad practice: if a user logged in to get to the password-changing option, they have already verified their identity to the site. Why should they need to do so again for this particular task, especially since they don’t have to for most others? If they’re a hacker, they presumably know the stolen password, and repeating it is no trouble. And if they’re a legitimate user, then they’re simply forced to jump through an unnecessary hoop.
There’s an argument to be made that requiring the current password will help prevent accidental password changes, but given that most sites require the user to type the new password twice in order to confirm it (and those that don’t probably should), I think accidental changes are still unlikely, especially if the form is well designed, so that users can’t be confused about what is intended to happen.
Can anyone think of a reason why asking an already logged-in user to type their password in, in order to change it, is a good idea?
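To make the two checks being debated concrete, here is an added example (not code from the post or from any of the sites it mentions): a minimal password-change handler with the "type it twice" confirmation and an optional "enter your current password" step, so both positions can be tried side by side. The `Account` class, `change_password` function and its `require_current` flag are assumptions for the illustration.

```python
# Added example: a minimal password-change handler showing the two checks
# discussed above. Names (Account, change_password, require_current) are
# hypothetical; the password hashing uses PBKDF2 from the standard library.
import hashlib
import hmac
import os

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest) for a password; a fresh salt is drawn if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Constructed stand-in for a user record holding only the salted hash."""

    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)


def change_password(account, session_authenticated, current, new, confirm,
                    require_current=True):
    """Attempt a password change; returns (ok, reason).

    session_authenticated: the user already logged in (the post's premise).
    require_current: the common practice the post questions; set False to
    rely on the logged-in session plus the confirmation field alone.
    """
    if not session_authenticated:
        return False, "not logged in"
    # The "type it twice" check that guards against accidental changes.
    if new != confirm:
        return False, "new passwords do not match"
    # The contested re-authentication step.
    if require_current and not verify_password(current, account.salt, account.digest):
        return False, "current password incorrect"
    account.salt, account.digest = hash_password(new)
    return True, "password changed"
```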


I had a really impressive experience using a website over the weekend. After watching other people do a hard day’s work rearranging furniture, I thought I’d get some kind of takeaway. On a whim, I decided to see if I could do it on-line. A quick google turned up