UI Design Mistakes
A common mistake in user interface design is to come up with a clever solution to a common user problem when you should instead work out a way to remove that problem in the first place.
My example here is the password entry dialog, in particular the GNOME Screensaver one.
The common user problem is that their password is rejected, even when typed perfectly, because the Caps Lock key is on.
The clever solution was to display in the dialog that the Caps Lock key was on, thus hinting to the user why the password might have been rejected.
The better solution would be to ignore the state of Caps Lock in all password entry dialogs, so it doesn’t matter whether it’s on or off.

flamepanther:
What if someone wants to use a mixed-case password?
8 October 2007, 12:28 am

Matthew Garrett:
No, because it’s fairly common (I’ve no idea why) for people to use caps lock even when typing single upper-case characters. Good UI has to take into account what people actually do, not just what we’d like them to do.
8 October 2007, 12:34 am

paddycarey:
that’s what i was thinking, most people i know use mixed case passwords, almost every piece of advice on secure passwords i’ve ever seen has advised using a mix of upper and lower case
8 October 2007, 12:44 am

KS Augustin:
Agree with the other two posters. I use mixed-case passwords all the time because it gives me the opportunity to mash things up and make several passwords from one, just by changing the case. (Also less work on the neurons!)
Don’t second-guess the user, especially with something as important as passwords.
8 October 2007, 12:48 am

Carutsu:
I cannot disagree more with you. I use a password with mixed cases; it would be terrible to just ignore the case: lower security.
8 October 2007, 12:52 am

A. Walton:
I have to agree with the two users above, never ignore its state, just make the user aware of it. Throw in a label that says “Caps Lock On” when it’s on for password widgets, or do it like Mac OS X/libsexy and make a little green ball appear in the widget when Caps Lock is on. The “green ball means caps lock” is a bit silly to me (seems inaccessible), but that’s just IMO.
8 October 2007, 12:56 am

gord:
hehe terrible idea
shot down by everyone is never a nice thing.
8 October 2007, 1:17 am

Ryan:
Indeed, it seems like a horrible idea to ignore a button press that it is entirely possible the user intended, just because some other people often mistakenly make the same button press.
8 October 2007, 1:24 am

Ethan:
How would people discover that caps lock was ignored, anyway? The visual indicator on their keyboard, the one that worked everywhere else, would suddenly stop mattering. That’s just inconsistent and confusing, which are both much worse than clever.
8 October 2007, 1:27 am

Mike Owens:
I don’t know why everyone jumped to the conclusion that this wouldn’t allow mixed-case passwords. I got the impression that Scott just meant ignoring the Caps Lock status in password dialogs. As in, pretend caps-lock is off even if it’s enabled, and allow Shift to work as normal.
8 October 2007, 1:32 am

Name:
“I got the impression that Scott just meant ignoring the Caps Lock status in password dialogs. As in, pretend caps-lock is off even if it’s enabled, and allow Shift to work as normal.”
Which is terrible because the user expects the Caps Lock key to “Caps Lock” the text. If some user wanted to type in a password using the Caps Lock key (for example, a password with more caps than non-capped characters), he/she wouldn’t be able to do so. Best to warn the user, not handicap them.
8 October 2007, 1:45 am

Mike Gauthier:
What if the password dialog turned caps lock off when it opened?
8 October 2007, 1:51 am

Jeremy:
Uh oh, really bad.
I have a friend that uses caps lock for all her capitals — she doesn’t touch the shift key at all.
e.g. to write “Hello World”:
1. Caps Lock
2. H
3. (un-)Caps Lock
4. E
5. L
6. L
7. O
8. space
9. Caps Lock
10. W
11. (un-)Caps Lock
12. O
13. R
14. L
15. D
Sad, but true.
8 October 2007, 2:04 am

Quentin Hartman:
I’d be marginally in favor of a “turn caps off when the dialog comes up” as suggested above, but never in favor of ignoring caps-lock. Granted, large numbers of people accidentally turn on caps lock and have password problems as a result. However, taking away the user choice to use it is a bad move. However, I agree with your philosophy of avoiding clever workarounds. I think you just may have chosen a bad example.
8 October 2007, 2:29 am

ucf knights:
Then that would be a bug as well, although I’m not so sure that having a label on there is the best idea either. It likely shouldn’t mention it until the password is entered wrong once… I press caps lock before entering my mixed-case password to further confuse people who are watching me type it.
8 October 2007, 2:33 am

Tom:
What about ‘access impaired’ users who rely on caps lock functionality? Some people are only able to press one key at once. Actually, now that I think about it, I often see people make use of the caps lock key (I’m sure this applies to passwords as well as general text entry usage) when one of their hands is occupied, such as during a phone call or when eating.
8 October 2007, 3:39 am

alex launi:
Yeah, displaying ‘caps lock is on’ is definitely the best solution to the problem. Some people WANT caps lock when they type their password. Imagine a password in all caps, someone just hits caps lock and types their password, they can’t get in because it was ignored. That would suck.
8 October 2007, 3:51 am

Christopher Giroir:
I agree with most other users. There comes a point where dumbing down a process to the lowest common denominator isn’t a smart idea. The caps lock key has a very clear use and function. I don’t think a password dialog should change that. We’d probably have more confusion at that point if the function of a key changes only on one screen. Displaying if the key is on sounds like a fine solution to the main issue, that people don’t realize that their caps lock key is on.
8 October 2007, 4:17 am

Chuck:
From a helpdesk perspective, this warning is a key feature that cuts down on password access calls. I like it on by default, but wouldn’t mind seeing an option to turn it off in the options page as a standard maybe.
I understand what your concern is having the caps lock warning on the password page, but the arguments for your concerns are outweighed by the actions of the typical user. The warning has become a UI ‘feature’ for a reason.
8 October 2007, 4:25 am

Sandip Bhattacharya:
How about trying out the text the user entered to validate, and if it fails, flipping all cases of the characters and trying again? Would it be too insecure? It would reduce by half the number of tries a cracker needs to make, but since the probabilities against him/her are anyway so low, would it be too much of a flaw?
8 October 2007, 5:25 am

Bill:
Also, what about those people who due to some unforeseen accident, only have one hand and use the caps lock key because it’s easier than doing finger contortions with their other hand. I would find it very annoying to type my password without the caps lock key.
I also agree with many of the people above, never ignore its state, just make the user aware of it in a very obvious way. In my experience, after it happens to them a few times, most users figure out to check the caps lock key anyway.
8 October 2007, 6:06 am

Level 1:
I would like there to be an option to actually display the password as the user types it, as opposed to just dots. I know this is a major security blah blah blah, but people are almost never leaning over me as I type, and I’m not holding any government data so I can afford a little insecurity.
8 October 2007, 6:24 am

Athropos:
My mother uses the caps lock key even for one or two uppercase characters, because “she learnt it that way”. It would be terrible to change that possibility, especially when you don’t see what you are typing.
8 October 2007, 7:34 am

Philipp Kern:
Caps lock helps when you are typing passwords one-handed (out of whatever reason).
8 October 2007, 10:05 am

wolfger:
Yeah, I’m going to have to pile on and say “lousy idea”. For example, one of the passwords I use is 4 capital letters followed by 4 lower-case letters and one number. I always use the caps lock for the first 4 letters, since those 4 are not all typed with the same hand.
You are correct that notifying the user after the fact is bad design, but your solution is worse. A better solution is to notify the user when caps-lock is on, *as he is typing* (because yeah, I sometimes hit caps lock instead of shift by mistake, and I can’t even see the little green light on my keyboard).
8 October 2007, 5:10 pm

wolfger:
Another UI design mistake: a Submit button (such as the one I’m about to press) that grays out after you press it, but gives no indication as to whether or not pressing it accomplished anything.
8 October 2007, 5:20 pm

Sascha:
I use a Swiss German keyboard, there are some keys I simply can’t enter without caps lock (for example capital umlauts), so it would be a really bad idea to simply disable it, as it would be impossible to login with a password that contains such a char.
8 October 2007, 9:11 pm

Eivind Uggedal:
Like other people have mentioned before me: I’ve often witnessed inexperienced users (during my 1st line support duties) who use the CAPS-LOCK key for entering mixed case passwords.
9 October 2007, 1:50 am

Robin:
Sascha: Don’t you have the umlaut “dead key”? It’s located to the right of the ü/è key – you can press it (and nothing will appear yet, that’s why it’s called dead key) and then write “U” and you’ll get “Ü”.
9 October 2007, 9:53 pm

H Jalonen:
No, I see that the problem in UI design lies even deeper.
These comments have shown that some people seem to actually use Caps Lock key. But just like your suggestion and, overall, the need for notification about Caps Lock being on shows that for many people the Caps Lock key is totally useless and always in the way. Yes, useless! “It is too big.” “It is in the wrong place.” “Using shift key is much more handy.” etc.
People who need Caps Lock usually know that they need it and vice versa.
So to the real solution: why is there no easy way to turn off your Caps Lock key? If I recall correctly, in Windows there is no way to adjust what your computer does when you press Caps Lock. Ubuntu is no better. Last time I checked (more than a year ago) there were seven (7) different choices for Caps Lock behaviour - none of them was “Off”. None! Feel free to correct me if I am wrong. Actually, this time I would be glad if I were wrong.
OK, this is not an ultimate solution either. A screensaver program knows who is using the computer because the user has logged in and the user’s preferences have been loaded, but what about the login screen after computer startup? There the problem would still be present and a Caps Lock notification is needed. As always, if you have a problem, you will have multiple versions of the same problem.
9 October 2007, 11:52 pm

alex:
If you knew how passwords were encrypted, you would realize that the password checker has no idea that your password rejection is due to a case figure. But since it sees that the caps lock key is on, it gives advice that it may be your issue.
In fact the system only knows a hash of your password, that was generated when you created it. There is no way to figure out the original password from this hash.
Then, every time some program asks for your password, it hashes your entry and compares the resulting hash with the one stored on the system. And if it does not match, it is rejected.
You see, at no time is your original password compared, and so no guess about case sensitivity can be made.
21 January 2008, 7:11 am

Jon:
on first reading I thought this was insane. Then, I thought, what if Scott meant take the text input, hash it assuming caps is off, hash it assuming caps is on, try both.
2 June 2008, 2:11 pm
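
The check Sandip Bhattacharya and Jon describe above (try the entry as typed, then again with the case flipped) can be run against a stored salted hash alone. The Python sketch below is an added example, not code from GNOME Screensaver or from the original post; the PBKDF2 parameters, function names and sample password are assumptions, and Caps Lock is modelled as inverting ASCII letters only.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

ITERATIONS = 100_000  # constructed work factor for this example

# Assumption: Caps Lock only inverts ASCII letters; digits, symbols and
# layout-specific keys (e.g. umlauts) are passed through unchanged.
_FLIP = str.maketrans(string.ascii_lowercase + string.ascii_uppercase,
                      string.ascii_uppercase + string.ascii_lowercase)

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def enroll(password: str) -> Tuple[bytes, bytes]:
    """Keep only a random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)

def candidates(typed: str) -> List[str]:
    """The entry as typed, plus what the same keystrokes give with Caps Lock toggled."""
    flipped = typed.translate(_FLIP)
    return [typed] if flipped == typed else [typed, flipped]

def verify(typed: str, salt: bytes, stored: bytes) -> Optional[str]:
    """Return 'exact', 'caps-corrected', or None if no candidate matches."""
    for label, candidate in zip(("exact", "caps-corrected"), candidates(typed)):
        # Each candidate is hashed with the stored salt and compared in
        # constant time; the original password is never needed.
        if hmac.compare_digest(_hash(candidate, salt), stored):
            return label
    return None

if __name__ == "__main__":
    salt, stored = enroll("Hunter2Pass")  # constructed sample password
    for attempt in ("Hunter2Pass", "hUNTER2pASS", "hunter2pass", "12345!"):
        print(f"{attempt!r:>15} -> {verify(attempt, salt, stored)} "
              f"({len(candidates(attempt))} candidate(s) tested)")
```

Every submitted entry that contains a letter now tests two passwords instead of one, which is the cost Sandip raises, so lockout and rate-limit thresholds should count candidates rather than submissions.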