Wednesday, April 14, 2010


I used to work at a company that shall go unnamed, where we had a mobile application with a simple screen to accept dates. For some reason I don't remember, we didn't use a date picker, but used the on-screen keyboard. When we implemented this screen, Product Management came back to us and said that the field did not work as designed: it allowed single-character days and months, but it should only allow two-character days and months. So instead of typing 1/1/2009, the user would have to type 01/01/2009. Additionally, it also allowed the user to use a hyphen, but it should only allow a slash.

This is plain ridiculous. Why should you force the user to type out the unnecessary zeroes? Isn't that what computers are for, to do our work for us? And why force the user to use a slash when they might prefer to use a hyphen? The program can tell the two apart perfectly well and normalize either one; the only thing it actually needs to check is that the result is a real date. Having rules for the sake of having rules does no one any good, except maybe to feed the ego of whoever made them and pad out the design documents. Especially where usability is concerned, arbitrary rules like this make for a more disappointing user experience. Forcing the user to type more than necessary can break an otherwise pleasant user experience. Now, you might argue that we should have gone with a date picker to begin with, and you'd probably be right, but I'm simply using this as an example of arbitrariness.
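Here is what that date field could have done instead. This is an added example, not code from the original application: it accepts one- or two-digit days and months with either separator, canonicalizes the result, and rejects only what is genuinely invalid (a calendar date that does not exist, or mismatched separators). Month-before-day order is assumed, to match the post's 1/1/2009.

```python
import re
from datetime import date
from typing import Optional

# One- or two-digit month and day, four-digit year, '/' or '-' as separator.
# The backreference \2 requires the same separator on both sides, so a
# mixed "1/1-2009" is still rejected as a typo.
_DATE_RE = re.compile(r"^\s*(\d{1,2})([/-])(\d{1,2})\2(\d{4})\s*$")


def normalize_date(text: str) -> Optional[str]:
    """Return the date as ISO 'YYYY-MM-DD', or None if it is not a real date.

    Field order is US style (M/D/YYYY), an assumption taken from the post's
    own example. The user may type "1/1/2009", "01/01/2009" or "1-1-2009"
    and all three mean the same thing.
    """
    m = _DATE_RE.match(text)
    if m is None:
        return None
    month, _sep, day, year = m.groups()
    try:
        # Semantic validation: this is the check that matters. It rejects
        # 2/30/2009 or 13/1/2009, which no amount of zero-padding would catch.
        d = date(int(year), int(month), int(day))
    except ValueError:
        return None
    return d.isoformat()


if __name__ == "__main__":
    for sample in ["1/1/2009", "01/01/2009", "1-1-2009", "2/30/2009", "1/1-2009"]:
        print(f"{sample!r:>14} -> {normalize_date(sample)}")
```

The two-character rule Product Management asked for would have rejected the first input and accepted the fourth, which is exactly backwards: the padding says nothing about whether the date exists.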

Another example is password rules: thou shalt use a mix of upper and lower case and numbers only, no special characters, and no more than 8 characters long. And each site or application has its own rules, so it's impossible for anyone to remember them. A few people resort to a password manager like Roboform or 1Password, but most resort to sticky notes stuck on the monitor. So the silly rules that were put in place to enforce a 'high' standard of security really do the opposite (with the sticky notes, I mean). I'm not saying that there should be no password rules, or that people should be allowed one-character passwords, but the rules should be simple enough that people can use any reasonably complex password that they can remember. For example, most password rules will not allow spaces. Why on earth not? Some will not allow special characters, probably because the database queries are not parameterized and some special characters will break the queries, so the developers catch them at the UI instead. That is treating a symptom: if the password is salted and hashed before it is stored, and every query is parameterized, no character the user can type ever reaches the SQL engine, and the ban protects nothing.

My recommendation for password rules: have a minimum length based on how secure your application needs to be, and that's it. No characters required or disallowed. No low maximum, and certainly nothing ridiculous like 8 characters. Whatever cap you do set should be generous, 64 or 128 characters, high enough that nobody hits it in practice but still bounded, so that an attacker cannot feed megabytes into your password hashing function on every login attempt. (One caveat if you hash with bcrypt: it only uses the first 72 bytes of input, so either cap there or pre-hash longer passwords before feeding them to it.)
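The recommended policy next to the one it replaces, plus the storage code that makes "dangerous" characters a non-issue. This is an added example written for this page, not code from any application the post describes; the 12-character minimum, the 128-character cap, PBKDF2 as the password hash and SQLite as the store are all assumptions for illustration. The sample passphrase is constructed to contain everything the legacy rules forbid: spaces, an apostrophe, a semicolon and an SQL comment marker.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# --- the two policies side by side -------------------------------------------

def legacy_policy_error(pw: str) -> Optional[str]:
    """The kind of rule set criticised above (assumed for illustration):
    at most 8 chars, no spaces, no specials, and a forced mix of classes."""
    if len(pw) > 8:
        return "at most 8 characters"
    if " " in pw:
        return "spaces not allowed"
    if not pw.isalnum():
        return "special characters not allowed"
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)):
        return "must contain upper, lower and digit"
    return None


MIN_LEN, MAX_LEN = 12, 128   # assumed values; tune MIN_LEN to the application


def recommended_policy_error(pw: str) -> Optional[str]:
    """A minimum length, a generous maximum, and nothing else."""
    n = len(pw)
    if n < MIN_LEN:
        return f"at least {MIN_LEN} characters"
    if n > MAX_LEN:              # bounds hashing cost; far above anyone's memory
        return f"at most {MAX_LEN} characters"
    return None


# --- the root cause the character ban was papering over ----------------------

def plaintext_interpolated_insert_breaks(pw: str) -> bool:
    """Plaintext storage via string concatenation. A quote in the password makes
    the SQL statement itself invalid, which is where 'no special characters'
    rules come from. Returns True if SQLite rejects the statement."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE legacy (name TEXT, password TEXT)")
    try:
        db.execute(f"INSERT INTO legacy VALUES ('bob', '{pw}')")   # never do this
        return False
    except sqlite3.Error:
        return True


# --- salted hash + parameterized query: the password never touches SQL -------

def _hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the stdlib; iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 200_000)


def create_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return db


def register(db: sqlite3.Connection, name: str, pw: str) -> None:
    err = recommended_policy_error(pw)
    if err:
        raise ValueError(err)
    salt = os.urandom(16)
    # Placeholders: the driver passes name/salt/hash as data, not as SQL text.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _hash(pw, salt)))


def verify(db: sqlite3.Connection, name: str, pw: str) -> bool:
    row = db.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash(pw, salt))   # constant-time compare


# Constructed sample passphrase: spaces, a quote, a semicolon and a comment marker.
SAMPLE_PW = "correct horse's battery; DROP TABLE users--"


def demo() -> dict:
    db = create_store()
    register(db, "alice", SAMPLE_PW)
    return {
        "legacy_rejects": legacy_policy_error(SAMPLE_PW) is not None,
        "recommended_accepts": recommended_policy_error(SAMPLE_PW) is None,
        "interpolation_breaks": plaintext_interpolated_insert_breaks(SAMPLE_PW),
        "login_ok": verify(db, "alice", SAMPLE_PW),
        "wrong_pw_rejected": not verify(db, "alice", SAMPLE_PW[:-1]),
        "table_intact": db.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 1,
    }


if __name__ == "__main__":
    print(demo())
```

Every entry in `demo()` comes back True: the legacy rules throw the passphrase out, the interpolated INSERT really does blow up on the apostrophe, and the hashed, parameterized path stores and verifies it without caring what characters it contains.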