19 Ways to Simplify ‘Sign Up’

I’am constantly abused by point 2 and can’t find justification for it. It’s like getting trend in these days. I have written little post about it also which can be found in my blog http://eagerfish.eu/password-strength-validation-user-experience/

Most of the web apps kind of assume there is one person behind an account (based on email address). If on a web app if a user can have multiple profiles then a username metaphor would fit better. Just wanted to point that out.

I would not recommend including a plain-text password, especially one they “use for everything” in their welcome email. email is not terribly secure and it’s not good to leave records of credentials sitting around. Best practice is to provide a reset password function and never store the unencrypted password anywhere or send it to the user.

I’d add: use the same form for signup and logon. Just ask for an email address and then display the appropriate fields (eg. password or minimal signup info). Unlike others, including examples sighted in this article, Instapaper gets this right… and it’s ux is much better for it.

It’s a really good list, all obvious but I think we often forget the obvious, so those things are normally the most important to remind people!
I would agree with Jacob that you should never put the password in the welcome email, it is not secure and certainly not if you are suggesting allowing them to use the same email they use elsewhere. The forgotten password is something people are used to and if you have used there email address as a user name then it is easy to get.

Account activation, as in confirm user’s email, is indeed necessary: if email was mispelled there’s no way to contact user…

Srongly inspired by http://theoatmeal.com/comics/shopping_cart

I have got one : a experimental method to visualy recognize you entered the right password without disclose it.

opinion needed!!

http://lab.arc90.com/2009/07/09/hashmask-another-more-secure-experiment-in-password-masking/

Account creating form only with one field “email” and new random password could be send to this email with automatic link to account settings (this can be handled by create unique token for the user and put it in url) where user can change the password and set other fields like user name etc. It should always point to settings, so user can change their password if they forget it.

Don’t make me sign in every time I visit the site. Just keep me signed in for 2 weeks like on Yahoo.

One word: OpenID.
I wish it became the standard for the vast majority of websites a long time ago, except for those that could benefit from the added security of a new user/password combination (financial sites, for instance).

Is there any particular reason you didn’t mention it? I have never implemented it on a real website so don’t know if it’s significantly harder when compared to the more traditional approach.

Great!
As others mentioned above, OpenID & OAuth (Twitter, Facebook, and more..) sign-up is crucial at least for a couple of sites (banking sites excluded).

Good article, thanks. Just one question: what are the pros/cons of using eg facebook connect/linked in? This should speed up the registration process. However I am not sure what it means wrt ownership of user registration data.

I’m not interested with your holidays!
Please don’t use my email address to send newsletter or such! Ask me while signing up or let me join by myself…

Tell me you require a certain password format (e.g. mix of letters and numbers) right on the sign-up form not in an error message after I’ve chosen a password.

By telling me up front you’ll also lessen the number of times I forget my password since I won’t have to fight with my brain to remember the password you forced me into rather than the one I chose initially. By lowering the barrier to remembering my account details, you increase the chances I’ll come back to your site.

Use regular form fields, not some made up JavaScript thingies. Otherwise my browser’s password manager will fail.

“Use my e-mail address as account identifier” and “Oh, and do you truely need me to activate my account?” don’t work well together – if you actually use the e-mail address as the unique identifier on an account, it is imperative that the user verifies it – otherwise I could set up an account using, say, info@baymard.com everywhere I wanted to, and it would (although in small measures) be identity theft…

Otherwise: stellar article!

With regards to an online store. Instead of requiring account creating before check out. Have an option to use the included information to create an account.

In a previous shopping card I worked on, we simply had a check box for ‘create account’ and if checked it opened a div ti add the password.

Then the user doesn’t need to step out of the checkout funnel, or enter the information more then once.

actually you have to type fkr92pd

I wanted to add one in:
If you goto a login page and type your email address or username in and realize that you’ve forgotton your password. When you click the ‘forgot password’ link and it takes you to the next page, the website should automatically move the email address or username that you’ve already typed in to the next page.

I’d recommend being very careful about using the same form for sign-in as registering. It’s very easy to create a confusing page that acts as a virtual brick wall for new users. If you’re going to do this try including the question “Do you have an account already?” in the way that Ebay does.

Another option is to favour new users in the design giving registering more emphasis than signing-in. This makes signing-in more difficult than it could be but works on the assumption that you’ll work it out the first time and then understand how to do it. You’re more likely to lose a new customer than an existing one when you add points of friction.

You could skip the “repeat password input” and just use an input that shows the actual password as you type it in. One less field in the form. For the users that need the discretion you could always have an option box next to the password input field for toggling its input type.

That would make it a bit annoying to change if you noticed you’d typed it wrong.

Make the CAPTCHA invisible!

This ain’t gonna work on huge sites that are specifically targeted by spammers, but here is a nice trick for the normal mass spam victim site:

a) Add a form field labeled “Homepage” and prefill it with a default value, like “http://dont-fill-this-out”

b) make the label and field invisible using CSS (display: none;)

c) in your script check if the default value was altered. Spam-Bots will fill out all fields and are not capable of understanding CSS.

Who ever fills that out is a bot….

Decouple the email address used for username and the email address used to make password resets. By default, make the latter the same as the former via a checked “use same email for password recovery”. This is as I may lose access to that email and my password to your website.

Great advices!

Another important thing when the users have to enter data: show clearly the data-entry format. Some sign-up forms are a nightmare when you have to write dates, phone numbers or zip codes.

"
17) Don’t make me enter my password twice (added by Nibo)
You could skip the “repeat password input” and just use an input that shows the actual password as you type it in. One less field in the form. For the users that need the discretion you could always have an option box next to the password input field for toggling its input type.
"

Please, don’t. The reason to ask the password twice is to make sure the user KNOWS the password. I doesn’t matter if you echo the password on the screen or not, if you ask it only once, the user will mistype it, not see he mistyped because he skipped to the next field in a rush, finish his signup and be frustrated that he can’t login and say your app is broken.

I’m all for using e-mail addresses as usernames in the sign up/sign in process, but please don’t use it as a unique identifier if that means that I can’t change my e-mail address later.

I’m a journalist learning dev skills. This is a simple, no nonsense post.

Thank you for the great posting!
I translated this post into Korean. The translation is posted on my blog.

You may see it here:
http://elco.tistory.com/entry/회원가입-프로세스를-심플하게-만드는-17가지-방법

If you mind, i’ll remove the translation. Please reply me. Thank you.

Disagree with the email address as a rule. It really depends on who is using your site and what they’re using it for.

Some applications do not allow you to change your user name once you have signed up, and in those situations you should definitely avoid the use of email addresses.

If you sign up at work, for instance, and then leave the job for another position you will end up having to use your old email address to sign in, or create a new account and lose the last account. It makes matters even worse when people use the email address as the user name and then don’t collect another email address.

Probably doesn’t need to be take off the rules, but definitely should be considered carefully when putting together your registration package.

Don’t ask for information that you can obtain other ways. If you would like to know the location of the user, but don’t need an exact address (say.. To give to a territory manager), use a service that can get the location from the IP address. 90% as effective and removes 1 to 5 fields over asking for address, zip or country. Obviously less fields increases signup.

Spread your signup process out as much as possible; have just a user/pass field, then ask for the email address on the next page. Asking for less info up-front is less intimidating, and once they are committed (already typed in a user and pass) they are less likely to bail when you just want one more bit ..

I never use capthas in the regular sense – they visually ugly, intrusive and just plain annoying.
What I do for that is have javascript generate a unique target for the form post.
none of the spammer scripts i have seen are able to parse Javascript.

Dont require logins/accounts unless absolutely necessary.

in some countries the email activation is required by law including the US.

I’m more hardous. email WON’T be mandatory !!

Email is not certified. We make him overconfident.

Email is just a notification system like another.

A trust him too we have seen recursive bullshit like “you lost the password of your inbox, click here to reset the password. We sent you a new password via email”

A trust him too let make very sever security protection on your application but forget that you delegate your security to an out of control security system. (best way to hack a lot of account is to hack the mail box, scan account reminder and welcome in archive, run a “reset password on the fetched list and take over the accounts”.

Don’t belive in mails !

Here’s an idea: integrate logins and signups using Facebook, Twitter, LinkedIn, etc. Research proves that conversion rates go way up when using these popular services.

Here’s one more idea: if the user submits a form and it returns an error, don’t make them retype in everything! Nothing makes users leave your form faster than having to fill out everything again, because there was a minor problem with the data.

Everything on here is relevant and after reading the comments, – I agree with Jeffrey, don’t make me retype everything. It’s intensely annoying – especially when it doesn’t tell me exactly where the error is.

The password thing is so annoying! It just forces mainstream users to write down their passwords or never come back because they can’t remember their 6-10 letter password with one number, no symbols and one uppercase and lowercase letter.

xkcd says it best: http://xkcd.com/936/.

Thank you for this post, very useful.

Also regarding password requirements, I would just link that xkcd comic in password field description :)

I strongly support OAuth. nearly all users have account in google, facebook, yahoo or microsoft and all them give us great API to work with so there is no need to create a new account for every individual site.

One thing I love:
I’m not sure if I have an account with the website. I go straight to recover password and they tell me if I do or do not have an account there. I just hate when they say “If you have an account with us, we’ll send you an e-mail with the password recovery.” And then you don’t know if the e-mail was sent or if it went straight to junk. Extra work for you.

One thing I hate:
I know I have an account. My e-mail is my user. I try to login with some passwords that I use but all are wrong. I already typed my e-mail address as the login, but I have to type it again on a Password Reset form. Why? My e-mail is already there as my login! Use that!

All what you mentioned have their pros and cons. for example captcha could be hard for some users to be decipher but it’s necessary for blocking spammers and bots.

Even though it is old, it is a very useful article. However, I have some concerns.
You say don’t ask email and password twice and you also say sign the user automatically.
This means that if there is a misspelled email address, the activation link can be sent to a stranger who can click it and login automatically to the site. This is not blocking since your “real” email address is free to re-register with, however if you have entered additional profile information (e.g. demographics) there will be a security issue, since someone will be using the site with your email and personal information, but a different email address.
Therefore, what is the best way (usable but also secure) to ask for account activation?
Ask to retype email or ask to login after activating account?