ASK HN: What do you do to make your users feel safe on your site?
9 points by procyon on July 12, 2008 | 19 comments
I have a closed beta service and we just released a prototype to get user feedback. On our site we allow users to use their Gmail/Hotmail/Yahoo accounts to authenticate themselves. As far as implementation is concerned, we take all the precautions to make this login safe. We use SSL, do not record any passwords or users, etc. In short, we are legit. However, users still seem to be hesitant to provide their password and username to a small service like ours. Market penetration of OpenID and tools like ClickPass is so limited that those words on our site don't do any good either.

How can I make users trust my site?



As for contacts and the address book:

+ http://code.google.com/apis/contacts/
+ http://developer.yahoo.com/addressbook/
+ http://msdn.microsoft.com/en-us/library/bb463989.aspx

Stop using the password anti-pattern (http://adactio.com/journal/1357)

Facebook has a nice auth flow that http://www.billmonk.com uses. I'd suggest that.

Oh, and hire a visual designer. A strong visual design goes a lot farther than any copy or lock icons ever will.


I rarely give my password out in that way, and only ever if it's a well-known service. It's foolish to do; that implies that it's foolish to require.


Why not allow them to create an account without giving you that information? Then they can get into the app and see that it's legit.

Also, user testimonials might go a long way towards building some trust.


Actually, the current implementation is nothing but a simple videomail service. We want to really streamline the process and take away all unnecessary steps. Asking users to create an account just to send a videomail seems to be unnecessary.


Google lets users log into other sites with their Google Account, there's an API for that. So just use the service that's already available; then the users don't have to trust you.

ClickPass bottles this all up into one convenient service, so why not use that?


Yes, we tried that too. However, people just don't know ClickPass or have never even heard about OpenID. It doesn't make them feel any safer.


Only a fool would give away personal info like that.

Most social sites trick you into giving away that info when you sign up in order to spam everybody in your contact list.

I really don't know how Mint (financial) can get away with such sensitive banking information. Beats me.


Yeah, same here. I think it has to do with most people being completely gullible when it comes to the web. Which explains why you get hundreds of Nigerian scam emails per month.


Put a little yellow lock icon somewhere on the screen. I used to know a sleazy internet marketer who swore that it makes people trust you.


Use OAuth. Redirect users to Google's or Yahoo's site.


We put a detailed explanation on our wiki in layman's terms about how we only store hashed versions of your passwords--so that even if our systems were compromised, your data would stay safe. If you stress transparency, then the users who care enough to go looking will find that reassurance.


But he's not storing hashed versions; he's taking their gmail password and using it to try to log in to gmail. Users should worry about this, because it's a bad idea.



There's nothing you could do that would make me give you my Google password.


Use SSL for every page.


Don't try to. Users shouldn't give out passwords like that to anyone.


You can't. And don't use market penetration of OpenID or ClickPass as an excuse. It's the old chicken and egg problem.

"People don't use it yet, so I won't implement it!" "People aren't using it because no-one is implementing it!"

And like hell I am giving the passwords to any of my mail accounts or anything, TO ANYONE.

Just implement OpenID and ClickPass and use APIs and such.


It's not an excuse. If it's not one of your business goals to make OpenID successful, there's no reason you should expend any effort to help the projects out. Nothing obligates you to pioneer new technologies. The pioneers sometimes get eaten by bears.


And then you shouldn't expect people to give you their usernames and passwords either.

Because that, frankly, is just fucking retarded.



