Actually, most of this advice is too general to be good. Your website <i>is</i> special, and you should think through all of these questions rather than just taking a blog post's advice at face value.<p>Maybe you don't display it as an "account", but I can't think of a single commercial website where you shouldn't at least be taking an email address as part of the transaction. Yeah, users <i>love to complain about registration</i>, but I can tell you from direct experience that they love to complain <i>even more loudly</i> when they have a problem, and you can't find a history of their transaction because they never gave you a way to identify them -- I can <i>guarantee</i> that they never printed out your transaction record. Account-less purchases will have their way with you. Don't do it.<p>As for the rest of it, maybe it makes sense for you to provide OAuth options; maybe it doesn't. It really depends on the domain. Likewise, maybe it makes sense to offer "traditional" login, or maybe it doesn't (Tinder seems to be doing okay). The password advice is good.<p>Developers are this unique audience of people who have -- well, let's say "highly evolved" -- expectations about how web businesses "should" work. Most normal people don't share their expectations, so don't make assumptions without direct validation from your target audience.
> Use a slow, secure hash function like SHA-256. Don't use MD5!<p>Don't use a single round of <i>any</i> hash function, including SHA-256.<p>You shouldn't try to roll your own crypto, and you shouldn't try to roll your own password verification either. Use bcrypt and you'll get salting and you'll get a multi-round hashing process that has the ability to easily scale up in complexity as computing power continues to increase.
Some of us have been online for decades, and have seen our fair share of walled gardened apps with a login screen hiding the app. We are sort of used to registering, but we are also sick to the teeth of having to register too. The problem can lie in the micro copy too; you often see "10 seconds to register" or, "one click login". It is rarely that - it usually entails a frightful tale of password management, making the password match the requirements of the app (alphanumeric and maximum 8 characters nonsense), alongside a11y issues, PIA (Personally identifiable information) issues, and a slew of other barriers to entry.<p>Very much something that has gone un-noticed by developers for a long time, is that login systems are an obstacle and something to be avoided if we can. Login systems can not be solved with Single Sign On (SSO) / OpenID systems either. (Not all of us have FB/Google accounts, and never presume so) Every developer is scrambling to find a solution for the 'login problem', and completely overlook how login systems complicate things for their users. A lot of login systems suffer from Not Invented Here™ syndrome. Often online forms are a sort of 'mystery meat' where users don't know what to expect there. I once saw an account registration form asking to include an emoji character in my password, for example.
My favorite model is letting people use the app from the first visit, stored in a cookie.<p>"Want to save your work? Create an account."<p>Creating an account can use FB/Google, or local login.<p>First demonstrate value, and people will gladly save their work.
I never use websites that require me to have an account somewhere else. Either have no account at all (especially if you don't need one, that's just friction) or set up a minimal password system as an option next to FB/G/TW or whatever else is in fashion as external authorization provider.
Seriously. Our local burrito chain has a loyalty program where you get a little card, and so on, but you have a <i>password</i>. Right, because I really want to remember a Burrito Password.
This reminds me of the $300 million button: <a href="http://www.uie.com/articles/three_hund_million_button" rel="nofollow">http://www.uie.com/articles/three_hund_million_button</a><p>They significantly increased their revenue by simply allowing customers to purchase without having to create account.
By having you create an account I get your email. By getting your email I can start retargeting you for advertising purposes and perhaps even you will tick the box allowing me to send you spam. This is called customer retention.
As a platform that sells tickets to events (<a href="https://www.theticketfairy.com/" rel="nofollow">https://www.theticketfairy.com/</a>), I feel that I should make a counterargument to not making users create an account.<p>Our checkout process requires no existing account, so you click on the buy button, enter your name, email address and billing info, and you create a password at the end, after which you DO have an account. We feel that this is much better UX than most other ticketing sites that send you to registration forms before you can continue the checkout.<p>We used to receive many, many support requests from people who'd lost the email containing their tickets. We then added order history and the ability to download their tickets by logging into their accounts and this resulted in a massive drop in support emails.<p>Another key point is that most people realise they've lost the ticket email only a few hours before the event is about to start, so we get very panicky last-minute emails from people freaking out that they're not going to be able to get in. Just giving people the option to log into an account and retrieve their tickets not only dramatically reduces our workload but also provides them with peace of mind.<p>We're adding 3rd-party login shortly (primarily Facebook) but will keep email/password as an option. However, even with 3rd-party login, we'll still need to confirm the email address as most people are used to email as their delivery method.<p>Saying all this, most of the advice in the article is valid and we follow many of the points. Our username is the email address and we enforce HTTPS on all pages (with HSTS headers).
This can go too far in the other direction too.<p>My latest project was a sunglasses/eyewear design site, where people could design their own glasses (I had a tech stack on the backend to make the glasses in my studio - the company is an experiment in mass customization).<p>I went to great lengths to allow people to use the software without creating an account. In the end, I probably spent two weeks trying to get it to work properly with all the edge cases - saving the anonymous design when they do finally create an account, locking out certain features that required identity, appropriate warning dialogs when work was going to be lost, etc.<p>And I still had edge cases. I burned two or three weeks trying to accommodate account-averse people, then had to spend another two days yanking it. That effort was based on my personal distaste at having ten billion website accounts, a distaste probably widely shared here on HN and likely nowhere else.<p>(This isn't an argument with Ben's points - his example use cases clearly don't need accounts.)
I agree with the author that in the short game not providing your own accounts is attractive. However in the long game it doesn't look so good. Unfortunately there are problems with using federated auth everywhere.<p>* It's a single place for a compromise to occur - the devastation of a serious identity provider hack completely upends the security of huge swaths of the internet in a single shot<p>* Breaks in fedauth protocols and implementations, similarly, presents a large auth crisis for the entire Web<p>* It's a single place for legal or extralegal pressure for governments to access services and data on behalf of everyone<p>* It creates market friction. If federated login had been around in large numbers when Myspace was the big social platform we'd still be using Myspace for the sheer reason we need it to vouch for our identity. It makes the big fedauth players 'too important to fail'<p>One should consider options carefully and determine whether a good user experience can be offered without further centralizing the Web.
> <i>One of my pet peeves in website usability design is forcing people to create unnecessary accounts.</i><p>This has been a pet peeve of a vast number of web surfers for over 15 years now.<p>In the early days, this pet peeve created a backlash in the form of a custom. The custom went like this:<p>1. When confronted with an annoying site asking you to log in or register, first try the account name "cypherpunk" with the password "cypherpunk".<p>2. If that works, great.<p>3. If there is no such account, then create one, for the benefit of future visitors who participate in the custom.
There are variations on this: pluralizing to "cypherpunks" and possibly using the "cipher" spelling.
I felt oddly vindicated when he mentioned Ticketfly specifically... It irked me too that they don't allow guest checkout, so in making <a href="http://showboarder.com" rel="nofollow">http://showboarder.com</a> I put in the extra thought/effort to make it an option.<p>That said, having implemented this I can see why many services don't. It's an entire other case to consider when thinking about security, user experience, etc. and for many it could definitely be more trouble than it's worth. It's just a question of values if you make it a priority or not.
This advice is too generic. There are many, <i>many</i> applications where a persistent identity is required. What would happen if Hacker News had completely anonymous users? :P<p>A ticketing startup is a good example of a startup which could be used without a dedicated user account. But that's the minority.
> Always allow your users to close their account. This should remove all information about them from your service to the extent possible without disrupting the integrity of other information.<p>I think this would be much better if it answered the question "Why?"
Why not let users complete their transaction with only an email and payment info — and then send an optional account confirmation link along with their receipt?
The worst thing about having to register an account on damn near everything is the security implications. I lost track of the number of unique passwords that are stored in my LastPass a long time ago. Seriously, the number is absolutely ridiculous to the point that trying to manage those accounts manually and in a secure fashion is, I'd argue, too much of an unnecessary burden on people.
"My bank limits passwords to 14 characters..."<p>I chuckled at that, since <i>my</i> bank limits passwords to exactly 6 alphanumeric characters.
" If you do have password requirements, show them to the user before they try to make a password. "<p>& again as help text when they're logging in.<p>Constantly have to reset passwords on obscure sites because I don't remember that I've been forced to use, e.g. no symbols. No use just telling me that on sign-up & expecting me to remember 6 months later.
If you want your readers to follow your advice, tell them _why_ they should, and not simply _what_ to do.<p>See what I did there?<p>Are readers of this piece supposed to follow the advice, like sheep, simply because they are told to? Or because they will get more usage? Or because it will make the world a better place? Or some other reason? We can only guess.
> My bank limits passwords to 14 characters, which is rather absurd.<p>Similar with Paypal.<p>What's most frustrating, when you login it lets to enter as long password as you want. Which is when it leaves you wondering why your password does not work.
In addition to the other threads, the fact is businesses need contact information to make money. Upsells, deal emails, etc., are all a critical part of their revenue streams.<p>So removing this would cost them a great deal of money.