[Sigia-l] time-out session lengths, security, and user tasks

Christy Mylks christy at cognetics.com
Mon Nov 11 20:01:49 EST 2002



At 06:23 PM 11/11/2002, Peter wrote:
-------------------------------
...
In my ideal world, there would be no session timeouts. Can you ask the
security folks to give a good reason for a session timeout? And, if so, can
you then ask them to point to why 20 or 30 minutes?

Overbearing security practices are a HUGE detriment to quality user
experiences. (8-character passwords that require a seemingly random
collection of letters, numbers, and punctuation, anyone?) And are rarely
justified. Lazy engineers, who seem to accept these practices, foist them
upon the rest of us, forcing us to develop workarounds (writing down
passwords, having password files on our machines) that end up making our
systems LESS secure. (But that's another issue).
--------------------------

They're probably not so much lazy as busy, and what I suspect is this: 20 
minutes might be a sort of technical urban legend. What I'm wondering is, 
is this default based on a "this seems right" thinking or a "statistically, 
break-ins increase significantly at the 21-minute mark" finding (kind of 
like insurance actuarial tables).

-------------------------
If nothing else, if you have to have a session timeout, you should save the
user's information, so that they can log in and recover everything.
----------------------------------

Yes! We did this for one client. At least the users' hearts don't swell 
with hatred because their work has been lost.... and in most cases, both 
the website and its users can see a benefit to the security. Here, saves 
won't help much because for most uses, it's not even a transactional site. 
It's more of a resource site, with a single transactional section (which 
currently has its own password-- single sign-on will be implemented in a 
year, though).

As an anecdote, I dropped my online bill-paying with the usps.com and 
changed to my bank's online bill-paying because of the time-out issue. My 
work process was: gather all my bills, and start entering the amounts in 
payment boxes for the list of payees. As I entered payments for each bill, 
I often needed to make a quick call to double-check my current credit card 
balance or to question a cable or cell-phone charge. I do all my bills at 
once--except that the site would time out after I had done about 3/4 of the 
work (and could no longer remember all the adjustments made)--and without 
warning. Die, site, die! They simply had not done the user analysis to 
understand users with my style of work, or else they decided they didn't 
care. Result? Don't use them anymore.

At least Bank of America lets me tell them I'm not done yet... but it also 
seems to time out less often.  :/ hmmm
-christy

Christy Mylks, Usability Analysis and Design
Cognetics Corporation
http://www.cognetics.com
christy at cognetics.com
301-587-7549
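Added example, not code from the thread or from any site it mentions: the two mitigations discussed above, an idle timeout that warns the user and lets them say "I'm not done yet", and a per-user draft that outlives the session so a re-login recovers the half-entered work. The class, the constant names, the 2-minute warning window and the clock injection are assumptions made for the example; the 20-minute idle limit is the default the thread questions.

```python
import time

IDLE_TIMEOUT = 20 * 60   # idle limit in seconds: the 20-minute default the thread questions
WARN_BEFORE = 2 * 60     # prompt "still there?" this long before expiry (assumed value)

class SessionStore:
    """Idle-timeout sessions plus per-user drafts that survive session expiry."""
    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock        # injectable so a test can advance time
        self.sessions = {}        # session id -> {"user", "last_seen"}
        self.drafts = {}          # user -> unfinished form fields, kept across expiry

    def login(self, user, sid):
        """Start a session and return any draft saved before an earlier timeout."""
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return dict(self.drafts.get(user, {}))

    def _live(self, sid):
        s = self.sessions.get(sid)
        if s is not None and self.clock() - s["last_seen"] > self.idle_timeout:
            del self.sessions[sid]   # the session dies; the user's draft does not
            s = None
        return s

    def touch(self, sid):
        """Any request, or an explicit 'I'm not done yet' click, resets the idle clock."""
        s = self._live(sid)
        if s is None:
            return False
        s["last_seen"] = self.clock()
        return True

    def seconds_left(self, sid):
        s = self._live(sid)
        return 0 if s is None else self.idle_timeout - (self.clock() - s["last_seen"])

    def needs_warning(self, sid):   # inside the warning window: offer to extend
        return 0 < self.seconds_left(sid) <= WARN_BEFORE

    def save_draft(self, sid, fields):
        """Persist partially entered fields under the user rather than the session."""
        s = self._live(sid)
        if s is None:
            return False
        self.drafts.setdefault(s["user"], {}).update(fields)
        return True

    def clear_draft(self, user):   # call once the work is actually submitted
        self.drafts.pop(user, None)
```

The draft store deliberately keys on the user and not the session id, which is what lets the timeout expire the credential without losing the work.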