Why I Hate Registration (And You Should Too)
Every time a website wants me to register a new account, I reflexively tense up and feel my blood pressure rising. Sure, it’s inconvenient, but that’s not why I do it. I do it because using your own registration system as the only option is abysmal security. Here’s why.
The first problem I have is that now I have a new login to manage. Good security dictates that you should use unique and complex passwords for each account you have, and preferably variable usernames. This sounds like a great idea, but when you have to register for several dozen different sites, that quickly becomes impractical. While you could use a password manager like KeePass or LastPass, this often chains down your passwords to a single PC or a thumbdrive, neither of which is convenient. The reality is that you’ll have a few passwords that you’ll rotate out periodically.
The second problem is that you now have to trust the site you’re registering on with managing proper security. Preventing intrusions is a tough sell even for major sites, much less smaller ones. If the site you just registered on gets compromised, your login details could be exposed and if you’ve used them on another site, those get compromised as well. Hashed passwords are no protection either; using a relatively cheap video card, even complex passwords can be cracked in a matter of minutes. Your last hope is that the website operator was smart enough to salt their hashes before storing them, and that the salt wasn’t compromised either.
The final problem I have is that it is very, very easy to integrate third-party registration and authentication solutions into your website. Twitter, Facebook, and Google all make it very easy to use OAuth, a solution that does not require that you store user credentials and provides most of the information you need for registration processes. Heck, even Yahoo and LinkedIn use OAuth if you’re so inclined. Between all of those providers, the odds are good that almost all of your users will have and be willing to use at least one of them to sign up. Sure, keep an in-house registration system as a fallback, but do not make it your primary account system. The ease of using a third-party system means there is no excuse for not doing so.
All of this is in addition to the obvious convenience factor of using an existing account. Please, for the love, allow people to use their existing accounts. Users will thank you later.