Over the past few months, I've been noticing an interesting example of poor contingency design that I have yet to see handled well. Here's the situation:
I go to an e-commerce website I haven't visited in a while and try to log in to my account. I can't remember which of my usual five passwords I used, so I start with the most likely one. That's not it. I enter the second most likely and get the same error message... I think. Hold on, did the page reload, or is this the same message I saw a second ago?
This sounds simple enough, but it can be pretty frustrating when you're not sure whether anything happened. I noticed this morning, while working at a command line, that the problem is solved there: the screen scrolls down each time and all the previous error messages stay visible. Perhaps it would help to keep updating a number on the website telling you how many times you've made the mistake. But then people might think it's counting up to a maximum number of tries before it cuts you off. Anyone have a better idea?

Comments
Nicholas Henry - July 14, 2004 2:46 pm
How about a timestamp?
Mike P. - July 14, 2004 3:00 pm
There are some of us who use different usernames too, which makes for a lot of combos and changes the problem a bit.
What about a subtle background color change?
- perhaps not accessible
What about a clear message?
- "This is your xth attempt and you have yet to enter a valid username/password combo. So far you have tried the following combos:
1. kabloeee / *****
2. Blakoee / ******
etc."
Would that be revealing too much? You could state how many tries the person has left to get in...
(love the buttons on this site!)
Thomas Baekdal - July 14, 2004 3:19 pm
Well, you did mention the command line interface approach. Why not just do that - list all previous attempts.
Another, simpler solution would be to have an element on the screen that always changes - BUT the element has to play an active role in the sign-in process (like the headline or something). If it does not play an active role it will distract the viewer and move their focus.
AK - July 14, 2004 5:17 pm
Why not add a method that asks the user to perform an action before continuing? This way they know if the page is new or not.
A) Have a javascript alert box that states the password is wrong. The user has to click on the alert before the page allows the user to continue
B) Have a relogin form hidden or grayed out (CSS?) and when the user clicks a link to acknowledge the error ("Continue" or "Try Again"), the form becomes active.
I like idea B even if it's more technology dependent because of the flexibility it could add. How about a link to "email me my password" or "register"?
David S - July 14, 2004 5:36 pm
What about having a number of error messages? I guess this could potentially be confusing because users could think it was a different error, but changing the title of the error message would be useful. Something like:
Oops!
Your username and password didn't match one in our records. Please ...
Sorry...
Your username and password didn't match one in our records. Please ...
Uh-oh!
Your username and password didn't match one in our records. Please ...
Then you cycle through those three titles and users will know that the page has reloaded.
Bruno Figueiredo - July 14, 2004 5:51 pm
I think that the best solution yet, considering contingency and defensive design is:
1) Enter User Name / Password
2) The User Name / Password you entered is invalid. We have a user with that name but the password is invalid. These are other User Names we have in our database that are similar to the one you entered: ... If yours is one of them, please try again.
3) The User Name / Password you entered is invalid. If you wish, we can send your password to the e-mail you provided, which is: ... - Send Password.
However, the real issue here is that there's simply no way we can remember all those user/password combos. I think what we need here is a browser gimmick (an encrypted key) that clearly identifies you. Maybe it could be stored in a special-purpose USB dongle that you kept on your keychain. When you inserted it the browser would connect to a database and automatically log you in to the sites you wished. Then, for safety reasons, it would keep your login tied to that browser session, and when lost it would require you to re-insert it again.
You could also do a bluetooth version of it. When you were near it automatically unlocked the computer and gave you logins to the pages. Go away and it's gone. This would be even better.
Yes, I think that would cover all these issues.
Bruno Figueiredo - July 14, 2004 6:06 pm
Add this to step 3) just after the error statement:
Do you have Caps Lock on?
Our policies for usernames are maximum 6 char, no spaces and for passwords it's...
This would help, IMO.
About the dongle, maybe it could be USB and Bluetooth, giving it more thought. It would be your Digital ID. Of course an implant would be nice too, but that's just scary...
Thomas Baekdal - July 14, 2004 7:33 pm
Bruno, as for Caps Lock; why not make the sign-in system indifferent to whether it is on or not? ...or whether they write any character in upper or lower case.
I have made systems do this for many years, and it makes the sign-in process easier for everyone.
But, I do like the bluetooth idea!
Bruno Figueiredo - July 14, 2004 7:37 pm
Well, I didn't really mean Caps Lock. I meant general tips for the user that he might be forgetting. That was just an example.
But what do you think of my 3 step process?
Rajiv - July 14, 2004 8:00 pm
What if you lost your dongle or it was stolen? All I have to do is plug it in to have access to your sites? With bluetooth, it's even easier...to steal your info.
About step 2: I don't like the idea of revealing other similar usernames. For security reasons, I'd reveal as little information as possible. Also, what if there aren't other similar names? Or worse, what if there were too many? Imagine hotmail: john10234@hotmail.com.
I like the timestamp and/or number idea. Simple, and nonobtrusive.
Bruno Figueiredo - July 14, 2004 8:09 pm
Maybe the dongle could have a fingerprint scanner on it for security reasons.
As for the similar usernames, I was thinking more of logging in to content sites, so that wouldn't be a big deal, IMO. It's just that some sites have different policies on usernames and that would help.
Iain Galloway - July 14, 2004 8:43 pm
How about a rotating/changing graphic (8 steps?) for a visual clue that you have another chance to enter, and you are in fact getting another chance at login?
Iain Galloway - July 14, 2004 8:46 pm
The biometric USB dongle isn't too bad an idea. Still a pain to carry an item around with you, but seems like a good possible solution for the right people.
Who wants one? How much are you willing to pay?
Tomás - July 14, 2004 8:54 pm
Maybe you could build a username / password into the dongle, so you could only use it when you have the right dongle username / password / retina scan / mother's maiden name / fingerprint. Then, if you get it wrong, the dongle could send your password to your pager, but the pager might be locked, so you will have to send the password for that to your mail account, but you need the dongle to get into your mail account...
Gordon - July 15, 2004 6:01 am
Surely the easiest way is to have multiple error messages? It would be limited but would seem to me to be the easiest and most consistent way of handling this.
First up you need to be able to identify which one they got wrong (the most likely one at least). Then you build up the error message after each fail.
1. "Sorry, we can't find that username" OR "Sorry that password doesn't match..."
2. "Sorry, we still can't find that.." OR "Sorry, that password doesn't match either"
3. "Sorry, no username found. Check your CAPS LOCK key" OR "Sorry, the password is still not correct"
4. Offer to email them the username or password.
I don't think you should really be going as far as 4 steps mind you, possibly delete step 3 by which time most people are getting a bit hacked off.
As for the count of attempts - as long as you included a note that the user can keep trying and won't be locked out then I see no harm in including a number. In fact that might be the easiest answer - add a count and assure the user that they can try this all day.
Bruno Figueiredo - July 15, 2004 6:35 am
But will the user really keep count? When I'm trying to login I tend to focus on the task. The rest of the page is just like a big blur. I try, try until I'm in.
I think that increasing help messages are the way to go, just as Gordon and I said.
As for the dongle, I think that people would pay $25-$50 for it. But the carrying around is a pain. Maybe Firefox could build some sort of "Passport" technology into the browser itself. You create one login and you can unlock all your sites with it, anywhere you are. It would also be great if, when you needed to create another login after that, it filled in the form for you.
Really, user/pwd is becoming a hassle just as spam and hijacking/spyware. What happened to the safe, enjoyable web? *sigh*
Scott D. - July 15, 2004 1:51 pm
Just a tip: you should never state whether the username or the password is correct. This can lead to a major security flaw in your application. Once you confirm that the username is correct you have basically informed hackers that they are halfway there and that all they need to do is crack the password.
If you look at most major applications with login systems such as Amazon.com, MS Passport, and Windows you will see that they only tell you that the combination is incorrect and never notify you if you have a valid user name.
Good Example:
“You have entered an invalid username and password combination”
Bad Example:
“Your password is incorrect.”
I really like the idea of displaying the user/pass combinations that have been tried on the error page. I would assume it is not that big of a security risk because it would only be visible to the user entering the combinations.
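Scott D.'s rule (one wording for every failure, never saying which half was wrong) and the original problem (making it visible that the page actually reloaded) can be met in the same handler. This is an added example, not code from the post or any commenter; the user table, salt, per-render id and hint wording are all constructed for illustration:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for a user store: username -> (salt, PBKDF2 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
USERS = {"kabloeee": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so an unknown username costs the same work as a wrong password.
_DUMMY = (_SALT, _hash(secrets.token_hex(8), _SALT))

# One wording for both failure causes: never say which half was wrong.
GENERIC = "The username and password you entered did not match our records."
# Hints that escalate with the failure count but still do not leak which half failed.
HINTS = {2: "Check that Caps Lock is off.", 3: "Forgotten your details? Use the reset link."}

@dataclass
class LoginResult:
    ok: bool
    message: str
    attempt: int
    render_id: str  # fresh on every render, so the user can see the page reloaded

def verify(username: str, password: str) -> bool:
    salt, stored = USERS.get(username, _DUMMY)
    # Always compute the hash and compare in constant time, even for unknown users.
    match = hmac.compare_digest(_hash(password, salt), stored)
    return match and username in USERS

class LoginForm:
    """Per-session state: only the failure count is kept, never the passwords tried."""
    def __init__(self) -> None:
        self.failures = 0

    def submit(self, username: str, password: str) -> LoginResult:
        render_id = secrets.token_hex(4)
        if verify(username, password):
            self.failures = 0
            return LoginResult(True, "Signed in.", 0, render_id)
        self.failures += 1
        hint = HINTS.get(min(self.failures, 3), "")
        msg = f"{GENERIC} (attempt {self.failures}) {hint}".strip()
        return LoginResult(False, msg, self.failures, render_id)
```

The attempt counter and the changing render id answer the "did it reload?" question, while the message text is identical whether the username was unknown or the password was wrong.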
David S - July 15, 2004 2:45 pm
Showing past combos is bad, especially if you are going through all your passwords trying to find the right one. Making it all show up on the screen would be terrible.
I think Mac OS X does a decent job with the Keychain. It simply stores all the info for you, encrypted of course, and provides an easy interface to manage all that data. So long as you lock your computer when you're away from it you are good to go.
Now, of course, if you aren't logging in from your own computer, the multiple error messages, preferably with different titles and/or icons to better catch the user's eye, is probably the simplest way to do it without opening up your app to security issues.
ben whalley - July 16, 2004 5:47 am
How about using an xml-httprequest (perhaps 1 second after the last keyup event in the form input) to mimic the style of dialogue that appears when you register software? The user types in the correct combination and the submit icon is no longer greyed-out, and lets them click to sign in.
Brad Pineau - July 30, 2004 5:21 pm
Wouldn't you know that the page has reloaded when the username and password inputs are blanked?
Keeper - August 2, 2004 6:07 pm
Don't forget that an evil web site owner could use all the passwords you entered for "hacking" your accounts (like your mail box, your website or any other identity connected to your name/email address/whatever you entered).
Bruno Figueiredo - September 8, 2004 10:45 am
Well, the idea I presented above for the usb password thingie is now available:
http://napps.nwfusion.com/weblogs/cool/archives/006155.html