by Ron Daly
I came across this story the other day from Usability Post, which asks "Is it time to make 'Remember Me' the default for password protected websites?" This question comes as the result of a few articles about password memory, one of which asks if it's time to do away with the option of "Remember Me" and go with automatic login. Another article by web-genius Jakob Nielsen suggests we get rid of the "dots" in the password field (i.e., "Password: ******"), because doing so would increase confidence in those who have trouble with passwords and save them the trouble of copy-pasting passwords.
What do I think? No. To all of the above, I say no. No, no, no.
Maybe I'm a little kooky about auto-login and password protection standards. I have to be; it's part of my business. DigitalMailer has lots of clients to manage and those clients all fall under the heading of "information too important to compromise". So we don't use "auto-fill" here, we don't use "save password/remember me" fields, we don't have "oops, I forgot" lists for passwords - none of that. We don't do those things because we value our clients' safety. I don't know that it's such a great idea to do with your OWN information, either.
Let's perform a little test, here - look at your inbox. Work, personal, whichever one you want, just look at it. Take ten seconds, read all the email subject lines you can in that time.
How many of those should NOT be read by a stranger? How many, if someone you know (or someone you don't) opened them, would be damaging to you? You really want to invite people to read your email by making it easy to keep a password set for your account?
I can't tell you "get a better memory" as a tip to help you with password saturation, which is a problem these days. The other day, one of my employees mentioned they clicked the "forgot your password?" link on a website and the website scolded them. "HOW HARD IS IT TO REMEMBER A PASSWORD?" the website chided. I thought that was a little intense, but for sites you're using day to day, making passwords a personal procedure of yours increases your safety and the safety of those associated with you. Some of the protocols listed in our company's "Ten Commandments of Security":
Email is NOT secure - don't send passwords via email, don't send personal info (SSNs, driver's license numbers, sensitive data), don't leave your email open when you're not around - even in the office!
Laptops and PCs are not assumed to be secure - with a special focus on laptops. If you're hauling your work around, be mindful of the safety of that information. Don't download crazy stuff, keep your kids/friends/spouses out of your work machine, and keep your information and connections password protected.
Passwords are NOT optional - We demand strong passwords on all network connections and don't allow "remember me" applications or scripts. Our employees go crazy with all the passwords they have to remember, but that's part of their job.
It might be a holdover from Web 1.0, sure. But it's there because it's necessary. Don't make your information easier to get. Ever.