the password conundrum

I recently switched my home Internet service from Covad DSL to Comcast Teleworker[1].  Almost everything has gone swimmingly so far: signing up online was painless, the tech came out within the assigned window and he was very nice and professional, and my new service is So Much Faster.

After the tech had everything hooked up, I went online to create my account so that I could view my bill and have yet another email address.  They wanted me to create a password of 8-16 characters in length, and that includes 1 upper-case letter, 1 lower-case letter, and one number or special-character.  This is fine by me, since all of my passwords meet these requirements[2].  So I fired up 1Password, set it to generate a password that meets these requirements, and put it into the form.  After doing so, I saw this:

[Image: Comcast said that my password was a good password]

I filled out the rest of the page, and I got the following error message:

The password you entered doesn’t meet the minimum criteria for a safe password. Use between 8 and 16 characters with at least 1 lower-case letter, 1 upper-case letter, and 1 number or special character (no spaces, case sensitive).

So I checked my generated password.  In fact, I’ll share it with you, since I couldn’t use it: r9H4ybnAyf+Acw.  It’s the right length (14 characters), it’s of mixed case, it’s got a number, and it’s got a special character too.  As a geek, I know that the + in there could cause a problem, so I generated another password.  This one had a } in it, which also caused a problem.  I went through three more automatically-generated passwords until I finally got one that was acceptable.

There are two user experience issues here:

  1. They have a limited subset of special characters, but they don’t tell you what that subset is.
  2. When you enter your password, the form is validating whether the password is a good one.  However, their validation isn’t correct, since the page says that a password is good, but then the system kicks back an error on submission.  Don’t tell me that my password is good when you won’t accept it!

Strangely, the former point is actually addressed when creating additional accounts.  The page for creating a secondary account is different than the one used for the primary account, and the password field there includes this descriptive text:

8-16 characters. At least one upper case letter, at least one lower case letter, and at least one number or special character (! @ # $ % ^ & *) are required. No spaces. Case-sensitive.

This would have saved me a few erroneous form submissions if they had told me this when I was creating my account!  The basic information is still the same, but they specify which special characters are acceptable.
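The mismatch in point 2 goes away when the as-you-type indicator and the submit check run the same rules. A sketch of that, as an added example rather than Comcast's code: the policy comes from the secondary-account text quoted above, the function names are hypothetical, and treating every unlisted symbol as rejected is an assumption.

```javascript
// Added example: one validator shared by the live "good password" hint and
// the submit handler, so the two cannot disagree.
// Policy source: the secondary-account help text quoted above.
const ALLOWED_SPECIALS = "!@#$%^&*";

// Assumption: any character that is not a letter, a digit, or one of the
// listed specials is rejected (the post shows + and } being refused).
function checkPassword(pw) {
  const problems = [];
  if (pw.length < 8 || pw.length > 16) {
    problems.push(`length is ${pw.length}; must be 8-16 characters`);
  }
  if (!/[a-z]/.test(pw)) problems.push("needs at least one lower-case letter");
  if (!/[A-Z]/.test(pw)) problems.push("needs at least one upper-case letter");

  const hasDigit = /[0-9]/.test(pw);
  const hasSpecial = [...pw].some((c) => ALLOWED_SPECIALS.includes(c));
  if (!hasDigit && !hasSpecial) {
    problems.push(`needs a number or one of: ${[...ALLOWED_SPECIALS].join(" ")}`);
  }

  // Name the offending characters instead of repeating the generic policy text.
  const rejected = [...new Set([...pw].filter(
    (c) => !/[A-Za-z0-9]/.test(c) && !ALLOWED_SPECIALS.includes(c)))];
  if (rejected.length > 0) {
    const shown = rejected.map((c) => (c === " " ? "space" : c)).join(" ");
    problems.push(`contains characters that are not accepted: ${shown}`);
  }
  return { ok: problems.length === 0, problems };
}

// Hypothetical form handlers: both call the same function.
function liveHint(pw) {
  return checkPassword(pw).ok ? "good password" : "not accepted yet";
}
function onSubmit(pw) {
  const result = checkPassword(pw);
  return result.ok ? "account created" : "rejected: " + result.problems.join("; ");
}
```

The server still has to run the check itself on submission; sharing the module keeps its verdict identical to what the page showed while typing.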

Many companies forget about the first user experience.  I make fun of unboxing videos, but getting your new item out of the packaging is part of the user experience.  Your first few minutes are where your first impression gets created, and that first impression is an important one.  It sets your expectations.  By not paying attention to the details of your first user experience, you can inadvertently set expectations that you don’t want set.  On one hand, I’m happy that Comcast is enforcing passwords that are more secure than usual.  On the other hand, I’m not happy that they don’t give me all of the information that I need.  It means that I don’t entirely trust them now.

  1. Yes, I’m well aware of the issues that some folks have experienced with Comcast.
  2. Well, to be completely accurate, this isn’t true.  I have several passwords that are longer than 16 characters.
