 Wednesday, April 26, 2006

   
     

Error messages should be helpful. Bad error messages disrespect the user by saying, "something is wrong but I'm not going to tell you". I've made that point before.

Today I was treated to a paragraph-long error message explaining password complexity rules. The password that failed was this:

3"[cU8jlBe4vG}Zx{3^6@3

Look at this password with me. It's plenty long (22 characters). It has numbers, uppercase characters, lowercase characters, and non-alphanumeric characters. It's a good random password. It was, in fact, randomly generated by Keith Brown's PasswordMinder.

I dissected the paragraph of error message to find buried in the middle this rule: must not have been changed within the last 1 day. Oh. The problem was not complexity but that my password had been reset yesterday. Here I was trying to be responsible by immediately changing my password after having it reset...

What really irks me is that the error condition is known specifically but the error message is generic. If the regular expression for password validation fails, tell me that the password is not complex enough. If I used the same password in the past, tell me that. If I cannot change my password today because it was changed yesterday, tell me THAT.

When the specific error condition is known, tell the user exactly what is wrong and whether or not it is his/her fault. That way he/she can act appropriately without resorting to detective work.

Posted by Derek Hatchard 4/26/2006 1:40:01 PM (Atlantic Standard Time, UTC-04:00)
4/26/2006 5:32:41 PM (Atlantic Standard Time, UTC-04:00)
Hi Derek.

This is a great post. Unhelpful error messages are a persistent thorn in my personal productivity, both as a user and as a developer.

This reminds me of a past project where I used a Web Form to allow the user to change their Active Directory password. The code I used was something like this:

' Requires: Imports System.DirectoryServices
Dim oldPassword As String = Request.Form("txtOldPassword")
Dim newPassword As String = Request.Form("txtNewPassword")

' Get the user's AD account (an LDAP filter must be enclosed in parentheses)
Dim deUser As New DirectoryEntry()
Dim dsUser As New DirectorySearcher(deUser, "(SAMAccountName=" & CurrentUser("lanID") & ")")
Dim adUser As SearchResult = dsUser.FindOne()

Try

    ' Attempt to change the password. Restrictions will be applied by AD
    ' (password length, history, etc) as defined by the domain password policy.
    ' GetDirectoryEntry is a member of SearchResult, not DirectorySearcher.
    Dim deUserEntry As DirectoryEntry = adUser.GetDirectoryEntry()
    deUserEntry.Invoke("ChangePassword", New Object() {oldPassword, newPassword})
    deUserEntry.CommitChanges()

    ' Redirect to confirmation page.
    Response.Redirect("passwordSuccessfullyChanged.aspx")

Catch ex As Exception

    ' Display the error to the user. Invoke wraps the AD error in InnerException;
    ' fall back to the outer message when there is no inner exception.
    If ex.InnerException IsNot Nothing Then
        lblError.InnerText = ex.InnerException.Message
    Else
        lblError.InnerText = ex.Message
    End If

End Try


As it applies specifically to your post, if a password change attempt failed, I was unable to determine which item in the password policy had been violated. I would just get a generic Active Directory message about "failed to meet policy conditions" or something (I don't remember the exact message). Naturally, the AD policy in place at the time also had the "can only change password once per day" restriction and this caused me no end of grief with users who, just as you described, recently had their passwords reset by the help desk and were now trying to change it themselves. I never was able to find a solution to this problem.

Very frustrating.


Cheers,
Andre
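
An added example (Python, not code from the post or from the comment above) of reporting the specific rule that blocks a password change, including the once-per-day case both authors ran into. It assumes the application can read the account's pwdLastSet and the domain's minPwdAge values from Active Directory before attempting the change; the complexity policy, reason codes and message wording are hypothetical.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MIN_PWD_AGE_1_DAY = -864_000_000_000  # minPwdAge is a negative count of 100-ns intervals

def from_filetime(ticks):
    """pwdLastSet counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def to_filetime(when):
    """Inverse of from_filetime, used here to build constructed sample values."""
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def allowed_at(pwd_last_set, min_pwd_age):
    """Earliest time the minimum-age rule permits another change."""
    return from_filetime(pwd_last_set) + timedelta(microseconds=abs(min_pwd_age) // 10)

def complexity_gaps(password, min_length=8):
    """Hypothetical complexity policy; returns the parts that are missing."""
    checks = [
        (len(password) >= min_length, f"at least {min_length} characters"),
        (any(c.islower() for c in password), "a lowercase letter"),
        (any(c.isupper() for c in password), "an uppercase letter"),
        (any(c.isdigit() for c in password), "a digit"),
        (any(not c.isalnum() for c in password), "a symbol"),
    ]
    return [label for ok, label in checks if not ok]

def explain_rejection(password, pwd_last_set, min_pwd_age, now):
    """Return (code, message, user_can_fix) for every rule that fails."""
    reasons = []
    unlock = allowed_at(pwd_last_set, min_pwd_age)
    if now < unlock:
        # Not the user's fault: no choice of new password gets past this rule.
        reasons.append(("MIN_AGE",
            "Your password was changed or reset recently. Policy allows the "
            f"next change after {unlock:%Y-%m-%d %H:%M} UTC.", False))
    gaps = complexity_gaps(password)
    if gaps:
        reasons.append(("COMPLEXITY",
            "The new password needs " + ", ".join(gaps) + ".", True))
    return reasons

if __name__ == "__main__":
    now = datetime(2006, 4, 26, 17, 40, tzinfo=timezone.utc)  # constructed clock
    reset = to_filetime(now - timedelta(hours=20))            # reset "yesterday"
    pw = '3"[cU8jlBe4vG}Zx{3^6@3'                              # password from the post
    for code, message, _ in explain_rejection(pw, reset, MIN_PWD_AGE_1_DAY, now):
        print(code, message)
```

Running the pre-check before the directory call lets the page show the minimum-age message on its own instead of the directory's generic policy error.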