

ASK HN: What do you do to make your users feel safe on your site? - procyon

I have a closed beta service and we just released a prototype to get user feedback. On our site we allow users to use their gmail/hotmail/yahoo accounts to authenticate themselves. As far as implementation is concerned we take all the precautions to make this login safe. We use SSL, do not record any passwords or users etc.; in short we are legit. However, users still seem to be hesitant to provide their password and username to a small service like ours. Market penetration of OpenID and tools like ClickPass is so limited that those words on our site don't do any good either.

How can I make users trust my site?
======
paulirish
As for contacts and the address book:

+ <http://code.google.com/apis/contacts/>

+ <http://developer.yahoo.com/addressbook/>

+ <http://msdn.microsoft.com/en-us/library/bb463989.aspx>

Stop using the password anti-pattern (<http://adactio.com/journal/1357>)

Facebook has a nice auth flow that <http://www.billmonk.com> uses. I'd suggest
that.

Oh, and hire a visual designer. A strong visual design goes a lot farther than
any copy or lock icons ever will.

------
benjamincanfly
I rarely give my password out in that way, and only ever if it's a well-known
service. It's foolish to do; that implies that it's foolish to require.

------
bjclark
Why not allow them to create an account without giving you that information?
Then they can get into the app and see that it's legit.

Also, user testimonials might go a long way towards building some trust.

~~~
procyon
Actually, the current implementation is nothing but a simple videomail service.
We want to really streamline the process and take away all unnecessary steps.
Asking users to create an account just to send a videomail seems to be
unnecessary.

------
jrockway
Google lets users log into other sites with their Google Account, there's an
API for that. So just use the service that's already available; then the users
don't have to trust you.

ClickPass bottles this all up into one convenient service, so why not use
that?

~~~
procyon
Yes, we tried that too. However, people just don't know ClickPass, or have
never even heard of OpenID. It doesn't make them feel any safer.

------
Kilimanjaro
Only a fool would give away personal info like that.

Most social sites trick you into giving away that info when you sign up in
order to spam everybody in your contact list.

I really don't know how Mint (financial) can get away with such sensitive
banking information. Beats me.

~~~
vaksel
Yeah, same here. I think it has to do with most people being completely
gullible when it comes to the web. Which explains why you get hundreds of
Nigerian scam emails per month.

------
Prrometheus
Put a little yellow lock icon somewhere on the screen. I used to know a sleazy
internet marketer who swore that it makes people trust you.

------
bigbang
Use OAuth. Redirect users to Google's or Yahoo's site.

------
kilowatt
We put a detailed explanation on our wiki in layman's terms about how we only
store hashed versions of your passwords--so that even if our systems were
compromised, your data would stay safe. If you stress transparency, then the
users who care enough to go looking will find that reassurance.

~~~
jrockway
But he's not storing hashed versions; he's taking their gmail password and
using it to try to log in to gmail. Users _should_ worry about this, because
it's a bad idea.
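
Added example, not kilowatt's code or anything from this thread, of what "only storing hashed versions of your passwords" means in practice: a salted PBKDF2 record with constant-time verification, and a mock user table whose dump contains no password. It also makes the distinction in the reply concrete: hashing applies only to a credential the site itself verifies; a password the site forwards to Gmail has to exist in the clear at login time, so there is nothing to hash on that path. User names and passwords here are constructed.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; OWASP's password storage cheat sheet
# recommends 600,000 iterations for this construction. Lower it only for tests.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    The password is not recoverable from the record, only re-checkable."""
    salt = os.urandom(16)  # fresh per password, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(actual, expected)


class UserStore:
    """What a breached table would contain: records, never passwords."""

    def __init__(self, iterations=ITERATIONS):
        self._records = {}
        self._iterations = iterations

    def register(self, username, password):
        self._records[username] = hash_password(password, self._iterations)

    def login(self, username, password):
        record = self._records.get(username)
        if record is None:
            # burn the same work so unknown users are not distinguishable by timing
            hash_password(password, self._iterations)
            return False
        return verify_password(password, record)

    def dump(self):
        """Simulate an attacker reading the whole table."""
        return dict(self._records)


def demo(iterations=ITERATIONS):
    """Register two constructed users with the same password and report what
    a login and a table dump reveal."""
    store = UserStore(iterations)
    store.register("alice", "hunter2")
    store.register("bob", "hunter2")
    dump = store.dump()
    return {
        "alice_ok": store.login("alice", "hunter2"),
        "alice_wrong": store.login("alice", "hunter3"),
        "unknown_user": store.login("carol", "hunter2"),
        "plaintext_in_dump": "hunter2" in dump["alice"],
        "same_password_same_record": dump["alice"] == dump["bob"],
    }
```

The per-user salt is why two users with the same password get different records, which defeats precomputed tables; the iteration count is what makes guessing slow after a breach; `hmac.compare_digest` keeps the verification from leaking how many bytes matched.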

------
wallflower
<http://www.thetruthaboutcars.com/the-psychology-of-cupholders/>

------
tptacek
There's nothing you could do that would make me give you my Google password.

------
rw
Use SSL for every page.

------
xlnt
Don't try to. Users shouldn't give out passwords like that to anyone.

------
ajkirwin
You can't. And don't use market penetration of OpenID or ClickPass as an
excuse. It's the old chicken and egg problem.

"People don't use it yet, so I won't implement it!" "People aren't using it
because no-one is implementing it!"

And like hell I am giving the passwords to any of my mail accounts or
anything, TO ANYONE.

Just implement OpenID and ClickPass and use APIs and such.

~~~
tptacek
It's not an excuse. If it's not one of your business goals to make OpenID
successful, there's no reason you should expend any effort to help the
projects out. Nothing obligates you to pioneer new technologies. The pioneers
sometimes get eaten by bears.

~~~
ajkirwin
And then you shouldn't expect people to give you their usernames and passwords
either.

Because that, frankly, is just fucking retarded.

