General Musing

Why don’t website designers simplify web forms?

How often are you asked to put in your email address twice? It’s not like your password which you can’t read, you can read it to see if it’s correct. With predictive browser forms it’s usually just typing in the first letter so you get the email address that is already stored in your browser. Yet they will make you copy paste it into the next field as they don’t use a consistent naming convention for the second mail address field. There is nothing stopping them from naming the second field the same as the first, it’s perfectly valid and any worthy programmer can simply extract this information within JavaScript or on the server side if they have a valid reason for using the second instance. Although IMHO they shouldn’t, the user creates credentials and a faulty email address can simply be reported to the user when he/she tries to login with their credentials. There is no reason for the credentials not to work if the mail address is faulty, perhaps the user is granted the same rights as an anonymous user until he/she has validated the address or the defined timeout for the address expires. A requirement could very simply be added so the user must validate the email address to use these credentials, but allowing the user to use the credentials to change the personal information which has been send to them.

Another thing is the web designers who define what I can put in certain fields. Honestly is it so difficult to check the definition of allowable characters for such things as mail addresses (rfc822) or creditcard numbers and either disallow based on malformed addresses or as is the case with phonenumbers or creditcard numbers remove characters that shouldn’t be in there. And yes a + is valid in a phonenumber when indicating international access code. In the worst case a simple search and replace s/^+/00/ is perfectly acceptable. Postalcodes (Zip) are another thing, a zip such as W12 8N5 or 1011 XD including the space. International post directives even allow for the prepenting of a countrycode to the zip, making the Netherlands zip NL1011XD perfectly valid.

And autodetection of location is so wide spread that I shouldn’t need to fill in which county I am from, if it detects the language for the country I am in on the front page – which I hate – why do I need to say that I am not in the US, but in a different country. You’ve internationalized the form, but still need me to modify the country field. Why? And why not allow the browser settings to override the language. I’ve configured my preferred languages in my browser and waste at least 15 bytes giving the website this information for everything I request.

Lastly security questions, what makes it a good idea to require me to fill in a strong password when you cripple the security with mandatory security questions. My mother’s maiden name which you can find within seconds on the Internet. Or my pet’s name which I’m sure is in my blog somewhere. The city in which I was born is the city I live in. Furthermore I know my passwords, if I don’t know my password it will be because the requirement for strength was so high and restricted so many characters that I had to use a password that wasn’t in my standard list of over 100 medium strong to very strong passwords. And honestly what’s wrong with certificates or OpenID as a source for identity? Do I really need to even push page down to reveal my browser’s history for that field? I can have it send over from a verified source. You don’t even need to check that it’s me, somebody else has done it already. Sometimes ever up to the point of truly checking my identity such as can be done with Verisign.

Source: Hashing Email Addresses For Web Considered HarmfulTechnorati Tags: web , html , form, rant