June 24, 2005 12:05 AM

Broken: Online commerce

Thanks again to Seth Godin for this week's entries - this week marks TIB's two-year birthday, and the idea for TIB was originated by Seth!

For his final entry in this birthday week, Seth writes:

It's been more than ten years since online commerce started. And it remains a disaster.

Why do I have to remember a password that's different wherever I go? Why isn't there a centralized wallet? Why doesn't one click appear everywhere?

I honestly believe that consumers have been brainwashed into believing that online retail is supposed to be a barely-pasted-together operation that only works on occasion, that's slow and tricky and requires patience and a good memory. With all the money at stake, and all the advancements in open source browsers, it amazes me that we're still at release 1.0 of the online shopping experience.

Comments:

first comment! yaaay!

Posted by: im first! at June 24, 2005 12:52 AM

Two words as to why there is not a common wallet:

Microsoft Passport

It still exists, but most retailers dropped it. If the most broken software company in the world is to be trusted with security of my "universal login", then I don't want it protecting potentially my retailer-managed credit card numbers.

What's really broken is non-standard password requirements. Why do some companies (like a vendor that I use) insist on so complicated of passwords that expire to never be used again?

My example site above requires 8-16 characters, at least two alpha, 1 numeric, one uppercase and one symbol. Don't use the account for 90 days, you're locked out. Must change the password every 90 days. Can't reuse the last 10 passwords.

Posted by: Michael Jones at June 24, 2005 01:01 AM

There's no reason to use a different password on each site: you can just punch the same password into each one. You'd have to authenticate on each site anyways.

Personally, I enjoy not having a single point of failure. I like the idea that my online banking information is stored behind a more secure password than that used on a random message board.

I really love the fact that anyone who cracks one of my passwords doesn't get access to any other information. There are too many examples of 'trusted partners' losing data for me to trust a central authority.

Posted by: I prefer my privacy at June 24, 2005 02:06 AM

1 click ordering is not used everywhere because Amazon patented it. Remember when they sued Barnes and Noble. B&N had to insert an intermediate click to make 2 click ordering.

eCommerce is definitely improving and it continues to improve. I can tell you that my most successful customers are those that analyze their log files on a daily/weekly basis and constantly make improvements. It's all about increasing your conversion percentage. If someone could show that having a centralized password area would increase conversion rates from 1.5% to 3% every merchant would do it, since it would double their orders.

To some extent this is happening though with more and more integration with PayPal. PayPal is still used for only about 5-10% of all online orders on the stores we create, but customers who use it are able to use it on a variety of sites.

Here are some tips for improving customer experience which translates into increasing sales.

Don't require registration. Let the customer fill out all of their ordering information and give them a check box to auto register.

Make password retrieval easy. Type in your email address and the password arrives.

Allow customers to save orders/items for later. This will increase sales over the long term.

Customer ratings- I cannot tell you how much this feature is used/looked at by potential customers. It's critical for maximum success.

I personally use a site's look/functionality as a discriminator for whether I trust the store with my money or not.

For an example: I really want to spend about $1000 with x10.com but their site is really sleazy looking, and it keeps taking me back to the home page. The net result is that I told my wife we're going to skip putting in the cameras and stuff, because I just don't trust that they'll fulfill the order.

From what I can see, Amazon really does eCommerce right, I buy 95% of all items either from them, or from the customers who I've built sites for. The other 5% is Best Buy, which I've had a consistently horrible experience with on order fulfillment. I haven't ordered again from them in 9 months after spending $5500 with them the year before.

Posted by: Joshua Wood at June 24, 2005 06:42 AM

A temporary solution to the maze of passwords is to make use of something like Passwordsafe.

http://passwordsafe.sourceforge.net/

This is a program that was developed by Bruce Schneier and made open source.

As Michael pointed out, a common wallet was attempted, and has failed to gain acceptance from both retailers and consumers.

And the broken US patent system is to blame for the lack of one-click.

Posted by: Carlos Gomez at June 24, 2005 07:36 AM

I'm using "Keypass", it is easy to use. I have all my Favorites in there and it automatically types my pwd. For safety I'm using about 200-250 pwd's all created by "Keypass". Try to figure out an encrypted pwd like "ierNNGfvsv252CXVvsd7".

Posted by: mb at June 24, 2005 08:29 AM

Seth & Joshua:

Well, I definitely don't agree on the password issue. I was ordering something from Amazon recently, and my dad has the Amazon account. Before ordering, it prompts you to type in your password. I realized that, if it didn't ask this, I could have gone ahead and ordered as much as I wanted with my dad's pre-programmed credit card. So could anyone else who had access to this computer.

It's either typing in your password, or typing in your whole credit card number and info. Take your pick.

But I do agree on the membership thing. Why must you become a member to make 1 order?

Posted by: no one at June 24, 2005 08:40 AM

Dear I want my privacy

Amen

Posted by: kent at June 24, 2005 08:55 AM

want=prefer sorry

Posted by: kent at June 24, 2005 08:57 AM

Well when getting tickets for a Pirate game, I had to make an account! But it was 15 minutes before the game started!!!!!

Posted by: someone at June 24, 2005 10:01 AM

What really annoys me are the sites insisting that I have to create an account to buy something in the first place. If I am going to be coming back frequently (eg Amazon) then it isn't a problem. When I am never coming back (eg a place that sells a cable for a particular model of car stereo) then there is no need.

Posted by: Roger Binns at June 24, 2005 11:45 AM

Ok, there are problems with online buying (most, if not all, of which your example Amazon.com has already solved.) But complaining about having a different password at every site is stupid... single sign-on has been attempted, and rejected, by customers time and time again because of privacy concerns.

Posted by: James Schend at June 24, 2005 12:00 PM

To answer your three questions in a concise format:

1) Why do I have to remember a password that's different wherever I go?

You don't; you can easily set the same password at every retailer you use if you want.

2) Why isn't there a centralized wallet?

It's been tried, and it's failed, many many times. Businesses hate it, customers hate it, credit card companies hate it.

3) Why doesn't one click appear everywhere?

Because Amazon.com patented it, in one of the most moronic patents the US Patent Office has ever let through, and since the patent was successfully defended in court nobody wants to violate it. God knows what Amazon.com charges to license it.

So your gripes are really against:

1) Yourself.

2) Everybody but you.

3) The US Patent Office.

Posted by: James Schend at June 24, 2005 12:04 PM

I'm really confused by Mr. Godin's offerings this week. He's done a great job at identifying systems in our world that could be greatly improved, but strangely his complaints seem completely unconstructive.

I think we could dramatically improve online shopping by making it more like offline shopping. Give away USB credit card readers, so that when you are ready to buy, you swipe your card. Products should automatically go to your card billing address (which is what you want anyway 90% of the time) without you having to type in anything.

Do this, and you won't need passwords, e-wallets, or one-click shopping. You heard it here first.

Posted by: Robby Slaughter at June 24, 2005 01:31 PM

Robby,

Personally I think this would be a step backwards. I find online shopping in general to offer a much better experience than offline shopping. Most times that I order are from stores I've been at before so I don't even need to go downstairs and get my wallet. Finally, I ship all items to my work address, since I don't want packages sitting outside of my house when I'm not there.

Posted by: Joshua Wood at June 24, 2005 02:28 PM

I will give Seth credit for identifying broken/not broken items that spawn a whole lot of discussion. It seems that with each of his entries, everyone has an opinion.

Posted by: Joshua Wood at June 24, 2005 02:42 PM

>I prefer my privacy:

>There's no reason to use a different password on each site: you can just punch the same password into each one.

>James Schend:

>1) Why do I have to remember a password that's different wherever I go?

>You don't; you can easily set the same password at every retailer you use if you want.

IF ONLY! I wish this were the case. Unfortunately, it isn't.

I have four accounts, let's call them A, B, C and D. A requires at least one non-alphanumeric character in the password. B will not allow any non-alphanumeric characters in the password. C allows non-alphanumeric characters, but requires I change my password every 90 days. D does not allow symbols, and requires I change my password every 60 days and won't let me repeat any of my last 10 passwords.

A and B cannot ever be the same password (although I try to add a symbol to B's in a predictable place so I can use it for A and still remember it), nor can A and C unless I change A every time I change C. I could use the same password for B and D as long as I change them at the same time, too, but to keep them the same (and for that matter A and C the same) since I'm prompted to change one every 60 days RIGHT THEN or I can't log in it means I have to remember to change the other one on my own initiative or suddenly I have three passwords instead of two. A month later and I have four passwords instead of three. In the meantime because I can't use any of the last ten passwords and have to come up with a bizarre combination (a la Michael Jones' post) and hope I can actually remember it. Try as I might, it is actually more work to keep all the passwords remotely similar (remember, they CAN'T all be the same) than to simply have four different passwords.

This example was just for four accounts. In reality, between banks, work, b2b and b2c commerce sites, e-mail accounts, credit accounts, and all the other types of accounts out there, the average person has upwards of a dozen. All with different rules, all with different ideas of what constitutes or doesn't constitute a password. At work, the intranet enforces a rule that the user password to access the network, the e-mail password, and the password for access to the main application CANNOT be the same.

On my home computer I use Firefox with its "Software Security Device" that uses a master password to manage all my various logins and passwords. At work I use a password protected file to organize them. I would love to use dedicated software, but my employer won't allow me to install software on their computers.

When I'm not at home or at work, I'm at the mercy of my ability to remember upwards of a dozen passwords and which one I'm using at which site. Oh, and don't get it wrong more than three times or I'm locked out of my own damn account until I call customer service or the IT department.

So, yeah, I WISH I could use the same password at each one, and I'm so glad for you that you apparently can. I can't. I suspect that quite a few folks out there can't either.

Posted by: Erich at June 24, 2005 02:43 PM

>My example site above requires 8-16 characters, at least two alpha, 1 numeric, one uppercase and one symbol. Don't use the account for 90 days, you're locked out. Must change the password every 90 days. Can't reuse the last 10 passwords.

Geez, Mr. Jones! Talk about Security Freaks!

That is terrible. Who would want to use a site like that? WhaT are they keeping on that site, anyway? Missile controls?

my password therefore would be A1$teaksauce.

But only for 90 days, and never again for the next 3 years.

Posted by: Bob at June 24, 2005 05:58 PM

lowercase 't', excuse me.

Posted by: Bob at June 24, 2005 05:59 PM

>Erich:

>I have four accounts, let's call them A, B, C and D. A requires at least one non-alphanumeric character in the password. B will not allow any non-alphanumeric characters in the password. C allows non-alphanumeric characters, but requires I change my password every 90 days. D does not allow symbols, and requires I change my password every 60 days and won't let me repeat any of my last 10 passwords.

Is this your actual situation or was this posted as a worst-case scenario? Just wondering because I use one alpha-numeric password at all sites.

It appears that these companies are going overboard with these password requirements. If a hacker got into the site and obtained the information wouldn't the password be in jeopardy regardless of what it was? The solution would be for the site to have a security encryption. Having a customer to remember so many different passwords so that they must be written down or put into a file on the computer is truly broken.

Posted by: Kent at June 25, 2005 06:42 AM

>Kent:

>Is this your actual situation or was this posted as a worst-case scenario?

Unfortunately, it's my actual situation. To illustrate, here are the actual password criteria copied and pasted from the online access websites for just 5 companies (and work):

Insurance: Minimum 8 chars with a number & a lower case letter. (This is a 'three attempts before you're locked out' account)

Credit card: Your password must be 5–10 characters and can be any combination of letters and numbers (no "special" characters or spaces) (This is a 'four attempts before you're locked out' account)

Mortgage Co: Password MUST contain:

* 6 to 10 characters

* May not be all numbers

* No spaces or unusual characters like: /,},{,~,etc.

* May not be the same as the User Name

Bank 1: Passwords must be 8-16 characters and cannot be same as username (This is the 90 day password account, and I generally flip-flop between two passwords because I can. This is also a 'three attempts before you're locked out' account.)

Bank 2: Your passcode must contain both upper and lower case characters, at least one number, and cannot be less than 8 characters in length. Do not use dashes, underscores, or special symbols such as &, $, #, or @. (This is the 60 day password account that enforces the last-10 passwords rule, and a 'three attempts before you're locked out' account.)

Work: See graphic at http://insider.ucsd.edu/FAQ/images/WinChangePasswordError.jpg

This one also must be changed every 90 days. Of course, that's a different 90 days than the bank password runs on. Keep in mind that my main work app and e-mail, for what reason SysAdmin only knows, are required to use different passwords (albeit with the same rules).

>Having a customer to remember so many different passwords so that they must be written down or put into a file on the computer is truly broken.

Could not agree with you more. I'm convinced that this comes as a result of the "SysAdmin == God" mentality, but of course my SysAdmin friends disagree....

Posted by: Erich at June 25, 2005 02:28 PM

> Erich I feel your pain

Posted by: Kent at June 25, 2005 09:55 PM

Robby Slaughter:

How would YOU like to come up with 5 TIB entries in a row????

Posted by: no one at June 26, 2005 01:06 PM

While the online retail experience isn't so great, neither is the bricks'n'mortar retail experience. Depending on the store, I either have to wait around for someone to man the cash register, who then tries to sell me their store's credit card, or I have to wait in line behind someone who needs three price checks and someone else who takes five minutes to make out a check, or I have to deal with a clerk who doesn't know where anything in the store is.

The online experience has issues, but so does the off-line one.

Posted by: Anthony at June 27, 2005 01:04 PM
