Privacy vs. Usability

UI 12 July 2011 | 4 Comments

Luke Wroblewski recently wrote about the new sign-in screen for Bagcheck. In this latest revision, a user needs only to start typing their name, and an AJAX search reply returns a listing of users matching what has been typed.

In addition, once you’ve selected your name, you can see whether you can log in via Facebook, Twitter, or default Bagcheck credentials.

Although I recognize the usability of this method, I also pause in trepidation. Users concerned with privacy may grow wary. All I have to do is type in a name, and I have a listing of potential users I can attack. I just have to click on names and try some commonly used passwords, and I may easily have logged into another user’s account. Who knows what ill acts malicious users may have planned.

I like the added piece of security of needing to type in my username. This way people can’t browse for my name wondering whether I have an account there, and discover that I’m using Twitter as my login key. Please don’t make it easier for attackers to “stumble upon” my username, which in turn makes it easy to try passwords against my account.

Update:
I’d like to acknowledge that Bagcheck is not a web application storing critical personal information, and those Bagcheck login credentials are not as “important”, per se, as those for Amazon or eBay or others of that ilk. Luke Wroblewski made reference to this fact in his comments on the post linked above, and Sam in the comments noted that most online applications share your publicly displayed username with your login name.

I do see reason for pause in seeing my real, full name in print without authorization, for other users to peruse. I feel a sense of security signing in with an email address or a username, along with my secure password.

I will echo a question that I posed on Twitter: Am I too paranoid for worrying about this?
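To make the trade-off concrete, here is an added example (my own illustration, not Bagcheck’s code) contrasting a search-as-you-type lookup over the whole user directory with a lookup scoped to accounts already remembered on the device (the “remember me” approach), plus a simple log check that flags a client probing many distinct name prefixes against the lookup endpoint. The directory, providers, endpoint path and log lines are all constructed sample data.

```python
"""Added example (not Bagcheck's code): two ways a sign-in screen can answer
"who matches what I've typed", plus a log check for enumeration-style probing.
All names, providers, paths and log lines below are constructed sample data."""
from collections import defaultdict

# Constructed user directory: display name -> linked sign-in providers.
DIRECTORY = {
    "Jennifer Lee": ["twitter"],
    "Jennifer Park": ["facebook", "bagcheck"],
    "Sam Pullara": ["bagcheck"],
}

def suggest_leaky(prefix, directory=DIRECTORY):
    """Search-as-you-type over the whole directory: any visitor learns which
    people have accounts and which providers each one uses."""
    p = prefix.lower()
    return [(name, providers) for name, providers in directory.items()
            if name.lower().startswith(p)]

def suggest_remembered(prefix, remembered):
    """Same convenience, narrower scope: only accounts that previously signed in
    on this device (a 'remember me' list) are suggested; nothing is revealed
    about anyone else in the directory."""
    p = prefix.lower()
    return [(name, DIRECTORY.get(name, [])) for name in remembered
            if name.lower().startswith(p)]

def probing_clients(log_lines, threshold=3):
    """Flag clients that query many distinct name prefixes against the lookup
    endpoint, the pattern of a directory being scraped rather than searched.
    Log format (constructed): '<ip> GET /users/suggest?q=<prefix>'."""
    prefixes = defaultdict(set)
    for line in log_lines:
        ip, _, path = line.split(" ", 2)
        if path.startswith("/users/suggest?q="):
            prefixes[ip].add(path.split("=", 1)[1])
    return sorted(ip for ip, qs in prefixes.items() if len(qs) >= threshold)

SAMPLE_LOG = [  # constructed: one ordinary user, one client walking the alphabet
    "10.0.0.5 GET /users/suggest?q=jen",
    "10.0.0.5 GET /users/suggest?q=jenn",
    "203.0.113.9 GET /users/suggest?q=a",
    "203.0.113.9 GET /users/suggest?q=b",
    "203.0.113.9 GET /users/suggest?q=c",
    "203.0.113.9 GET /users/suggest?q=d",
]
```

Running `probing_clients(SAMPLE_LOG)` flags only the second client; the remembered-list lookup returns nothing for a name that was never signed in on the device, which is exactly the information the open lookup gives away.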


4 Responses on “Privacy vs. Usability”

  1. Sam Pullara says:

    Thanks for the critique. This change makes Bagcheck slightly less secure, as before you needed to either know the person’s email address or hack one of their connected accounts. However, many sites like Twitter already use your public username as your login ID; it really is no more insecure than them. Strong passwords are the only real defense.

    We’ll continue to press on this though and see if there are ways to make it just as secure as before and also easy to use.

  2. Jennifer says:

    Thank you for your feedback, Sam. That is a good point that Twitter uses my login username as my public-facing persona. I think my fear comes from the fact that a hacker would have to physically enter my username (having acquired it previously), or run a script with a series of acquired usernames. This new method takes away that extra step of work – or it may even provide a means of providing usernames to malicious users. Additionally, when I see my real, full name being used without my authorization, I tend to pause in concern.

    I understand that with an application like Bagcheck the information is clearly not as privacy critical. If it were a higher-security web app, I’m sure you would never have considered a route this free.

    Thanks for your reply and explanation!

  3. Tony White says:

    It does feel weird having them suggest usernames to you. The speed and convenience this provides could have been accomplished with a tried-and-true ‘remember me’ checkbox.

  4. stenehall says:

    It’s not only a security problem but also a privacy problem. Even if you can find a user’s name on Twitter, you’d have to actually go to each user’s Twitter page to get their names. The way http://bagcheck.com/ does it, it becomes extremely easy to find out whether a person has an account or not.
    Since I don’t have a bagcheck.com account, I don’t know if you can turn this off. But from what I can see, you can’t actually have a Bagcheck account without publicly showing it, with your name.
