Error messages should be helpful. Bad error messages disrespect the user by saying, “something is wrong but I’m not going to tell you”. I’ve made that point before.
Today I was treated to a paragraph-long error message explaining password complexity rules. The password that failed was this:
Look at this password with me. It’s plenty long (22 characters). It has numbers, uppercase characters, lowercase characters, and non-alphanumeric characters. It’s a good random password. It was, in fact, randomly generated by Keith Brown’s PasswordMinder.
I dissected the paragraph of error message to find buried in the middle this rule: must not have been changed within the last 1 day. Oh. The problem was not complexity but that my password had been reset yesterday. Here I was trying to be responsible by immediately changing my password after having it reset…
What really irks me is that the error condition is known specifically but the error message is generic. If the regular expression for password validation fails, tell me that the password is not complex enough. If I used the same password in the past, tell me that. If I cannot change my password today because it was changed yesterday, tell me THAT.
When the specific error condition is known, tell the user exactly what is wrong and whether or not it is his/her fault. That way he/she can act appropriately without resorting to detective work.
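As an added illustration of the point above (example code, not from the original post or any real product), here is a password-change validator that reports the rule that actually failed, including the minimum-age rule, instead of a generic complexity paragraph. The thresholds, the `fingerprint` helper and the `PasswordRecord` shape are constructed for this example; a real system would compare salted password hashes.

```python
import hashlib
import math
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy thresholds, constructed for this example (not a real policy).
MIN_LENGTH = 12
MIN_AGE = timedelta(days=1)      # "must not have been changed within the last 1 day"
HISTORY_DEPTH = 5                # how many previous passwords may not be reused
COMPLEXITY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).+$")


def fingerprint(password):
    """Stand-in for a real salted password hash, used only to compare history."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordRecord:
    history: list            # fingerprints of previous passwords, newest first
    last_changed: datetime   # when the current password was set


def check_new_password(candidate, record, now):
    """Return (ok, reason_code, message). Each failure names the specific rule."""
    if len(candidate) < MIN_LENGTH:
        return False, "too_short", f"Password must be at least {MIN_LENGTH} characters."
    if not COMPLEXITY.match(candidate):
        return (False, "complexity",
                "Password must contain lowercase, uppercase, a digit and a symbol.")
    if fingerprint(candidate) in record.history[:HISTORY_DEPTH]:
        return (False, "reused",
                f"Password matches one of your last {HISTORY_DEPTH} passwords.")
    age = now - record.last_changed
    if age < MIN_AGE:
        # The password itself is fine; the account state is the problem. Say so.
        hours = math.ceil((MIN_AGE - age).total_seconds() / 3600)
        return (False, "too_recent",
                f"Your password was changed {math.ceil(age.total_seconds() / 3600)} hours ago "
                f"and cannot be changed again for about {hours} hours. "
                "The password you entered is acceptable; nothing is wrong with it.")
    return True, "ok", "Password accepted."
```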