EVO signup page throws security-minded users a roadblock

BCAA’s new EVO car share service certainly offers some unique points of difference in an increasingly crowded field, and as a BCAA user I was eager to give it a spin (hey, I get an hour of free driving time!). But I almost didn’t get moving at all, due to a UI flaw on their signup page.

As I filled out all the boxes, I noticed my choice of password was triggering the appearance of a red warning message just below that field, implying I’d neglected to meet several password requirements. The trouble was, my attempted password met all those criteria.

The dreaded and not-quite-informative error message

When the same thing happened in multiple browsers, I emailed them. After first being told to use one of the “supported” browsers —Chrome and… Internet Explorer! (not supported on Macs for years), I finally stumbled on the real reason for my troubles.

The problem turned out to be twofold. First, no punctuation was allowed in the EVO password (which limits its robustness). Second, the error message doesn’t tell you this.

So, while the error message was clear about what was required, it completely left out what was forbidden: any non-alphanumeric characters. In other words, punctuation. Which I’d used. ‘Cause more security.

Not revealing the reason for rejecting the password was a major user-communication fail, but it also means that users are forced to create less secure passwords than they otherwise might. This goes against best-practice, and increasingly seen, password guidelines, which more and more often request a punctuation mark as part of your password.

After creating a password that meets EVO’s requirements, I’ve signed up, and had a great experience in my first use of one of their roomy electric vehicles. I just wish that my online experience in signing up was as enjoyable. But it seems there’s still some bumps in the road.