Many websites provide services for registered members. In order to access the services, members must log in. Some websites place heavy burdens on their users by forcing them to use user-IDs, passwords, PIN numbers, etc. that are difficult to remember.
Of all organizations, one would think that the Usability Professionals Association (UPA) would know better than to overtax peoples' memories. However, they do: they assign arbitrary account names and passwords to members, and don't provide a way to change them.
Members of UPA receive a letter inviting them to use UPA's online services, and assigning them a user-ID and password. The user-ID is a four-digit number while the password is the member's family name. For example, a member named Fred Flintstone might be assigned the following:
The UPA website provides no way to change one's user-ID or password to something easier to remember. UPA members who want to use UPA's online services (i.e., those who aren't put off by the memory burden) are forced to either memorize yet another user-ID and password, or use an external memory aid such as keeping the letter or a sticky note near their computer. Relying on external memory aids raises the risk of someone else getting the user-ID and password, and also makes it difficult to access the online account from elsewhere.
A further problem with UPA's scheme is that it uses a number for the user-ID and text for the password, which is uncommon. UPA members can easily forget which is which and try to type their password in as a user-ID, and vice-versa. I've made this mistake myself.
A more subtle form of the blooper occurred at the website of one of my client companies. To log into the site, customers had to type their Personal Identification Number (PIN), which is essentially a password. The site allowed customers to change their PIN, which is an improvement over the UPA site (see above). The instructions warn users to devise a PIN "that is easy ... to remember", but then impose restrictions that make it nearly impossible to do so (see below).
The last line of the instructions -- juxtaposing the word "remember" with "please write down your PIN" -- would be funny if it weren't so annoying.
An even more subtle example of the blooper occurs at the website of Intuit Software. To purchase Intuit software through the site, you must register as a customer. The good news is that the site allows you to choose your own account-name and password. It even allows you to register a "password hint" so the site can remind you if you forget your password. The trouble occurs when the site asks customers to "select a security question" that it will ask if you forget your password and want your hint. You can't specify a security question -- you must choose one of the five listed in a menu (see below). But what if you can't answer any of those questions? For example, I have no idea what the answers are to four of those questions. The only one I could hope to answer is the one about my "childhood best friend", but our family moved a lot while I was growing up, so I had many "best friends".
I didn't bother to write down the answer I gave, so I just hope that if Intuit.com ever asks me who my childhood best friend was, I'll remember which "best friend" I gave it.
Here are some guidelines on how to design security measures that don't overburden users' memory: