

Who to Blame for Password Management Problems

Have you had your passwords stolen recently (or in 2012)?

Have you tried password managers only to discover they don’t work reliably on all sites, leaving you with a mish-mash of secure and brain-dead-guessable passwords?

I feel your pain, because I spent all of yesterday going through my 201 online accounts stored in LastPass. I had reasonably secure passwords on all of the sites I care about, but not-so-secure passwords on most of the other sites (but no, not as bad as the one referencing that commercial, he writes ironically on a Sunday Afternoon). By early evening, it had gotten tedious enough I used a few glasses of Zin at my favorite happy hour to make it seem less dreadful.

Though even after 9+ hours toiling at this, I’m still not done (but I’m as good once as I ever was).

Why is this so hard?

Because few of the web developers coding the simple login and password change pages have Read The Fine Manual on HTML, and some have odd ideas about what order events should take place in.

For example, by the time I was five hours into the process, I was nonplussed to find a site that very easily let me change the password with LP’s auto-generate-fill-and-store password feature, only to be surprised by it asking for the old password after LastPass had already stored the new one to its database, thus happily auto-filling the new password in the old password field, screwing up the confirmation in an evil catch-22 loop.

Most of the other problems were confined to bad HTML element tagging resulting in LastPass filling passwords in username fields, many sites not supporting auto-fill, not supporting LastPass’ automatic password change, and so-on.

None of these problems should exist, because avoiding them simply takes a little bit of thought about the right order of fields, and carefully following the HTML specification.

Password Manager Guidelines

With only a moderate amount of Googling, I found that LastPass and 1Password have the best technical guidance:

Yet neither of these sites is complete, or completely accurate, especially when it comes to the HTML5 definition for the form input element. And I could not find any similar guidance from the developers of DashLane, KeePass, or any of the other password manager developers.

That’s why I wrote this post!

Technical Guidelines

Here are the guidelines for correctly coding login and password reset forms.

Do

  • Always create the form on page load
  • Ensure your HTML validates
  • Use the HTML <label> element to label every <input> element
  • Use the minlength and maxlength attributes on every <input> element
  • Use the pattern attribute to specify an ECMA-262 Regular Expression for all password creation fields

Do Not Use

  • AJAX
  • GET method
  • Flash
  • Silverlight
  • iFrames

Login HTML Sample

1
2
3
4
5
<form action="https://example.com/blah" method="post" name="Login">
 <p><label for="username">Username: </label><input type="text" name="username" id="username" value="" autofocus="autofocus" required="required" inputmode="email" /></p>
 <p><label for="password">Password: </label><input type="password" name="password" id="password" value="" required="required" inputmode="verbatim" /></p>
 <input type="submit" value="Log In"/>
</form>

In the above sample, note in particular, the following:

  • The <label> element is placed in front of the <input> element (the HTML 5 method) instead of surrounding it (the old HTML 4 method). The label's for= value is the same as the input's id= value, which ties the two elements together.
  • The autofocus="autofocus" attribute in line 2 sets the focus to the username field.
  • The required="required" attribute in lines 2 and 3 makes both fields required to submit the form.
  • The inputmode="email" in line 2 tells the browser on devices with dynamic keyboards to display one capable of inputting a valid e-mail address. For some devices, particularly smartphones with narrow screen keyboards, there are slightly different keyboards for general writing and for entering web and e-mail addresses (the latter usually have the @ symbol available without shifting).
  • The inputmode="verbatim" in line 3 tells the browser on devices with dynamic keyboards to display one capable of inputting a typical password. You could set this to "numeric" if you’re only requesting a PIN.

Password Change HTML Sample

1
2
3
4
5
6
<form action="https://example.com/blah" method="post" name="PasswordReset">
 <p><label for="oldpassword">Enter Old Password: </label><input type="password" name="oldpassword" id="oldpassword" value="" inputmode="verbatim" required="required" autofocus="autofocus" /></p>
 <p><label for="newpassword">Enter New Password: </label><input type="password" name="newpassword" id="newpassword" value="" inputmode="verbatim" required="required" minlength="8" maxlength="20" pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\-!$%^&*\(\)_+\|~=`\{\}\[\]:\/;<>?,.@#]).{8,20}" /></p>
 <p><label for="newpasswordcheck">Repeat New Password: </label><input type="password" name="newpasswordcheck" id="newpasswordcheck" inputmode="verbatim" value="" required="required" minlength="8" maxlength="20" pattern="(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\-!$%^&*\(\)_+\|~=`\{\}\[\]:\/;<>?,.@#]).{8,20}" /></p>
 <input type="submit" value="Change Password"/>
</form>

In the above sample, note in particular, the following:

  • Lines 3 and 4 both request the new password, so use RegEx checking to ensure the new password conforms to the security rules. Edit this expression to suit your site’s rules. Note that Line 2 does not include the RegEx, because it would prevent people who have an old password that doesn’t conform with your current RegEx rules from changing their password.
  • Lines 3 and 4 both have the minlength and maxlength attributes, which some browsers will use to indicate when an entered password is within the allowed length range. As in the previous note, this restriction is absent in the old password field, for the same reason.
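The guidelines and the pattern attribute discussed above can be checked mechanically. The following is an added example, not code from the original post: it lints constructed form markup for POST, matching label/id pairs, length limits and a pattern that actually compiles. A pattern that fails to compile is silently skipped by the browser, so the field accepts anything. The rule that ids starting with "new" are password creation fields is an assumption taken from the sample's naming.

```javascript
// Added example (not from the original post); all sample markup is constructed.
// Browsers compile pattern="" with the "v" flag (older ones "u"), anchored.
let FLAG = 'v';
try { new RegExp('', 'v'); } catch { FLAG = 'u'; }

function compilePattern(source) {
  try {
    return new RegExp('^(?:' + source + ')$', FLAG);
  } catch (err) {
    return null; // invalid expression: the browser applies no constraint
  }
}

// What the browser's constraint validation would decide for one value.
function passwordMatches(patternSource, candidate) {
  const re = compilePattern(patternSource);
  return re === null ? true : re.test(candidate);
}

// Small tag scanner for flat form markup. Quoted attribute values may
// contain ">" characters; character references are not decoded.
function tags(html, name) {
  const tagRe = new RegExp('<' + name + '\\b((?:"[^"]*"|\'[^\']*\'|[^>"\'])*)>', 'gi');
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const out = [];
  for (const m of html.matchAll(tagRe)) {
    const attrs = {};
    for (const a of m[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    out.push(attrs);
  }
  return out;
}

function lintForm(html) {
  const findings = [];
  const form = tags(html, 'form')[0] || {};
  if ((form.method || 'get').toLowerCase() !== 'post') {
    findings.push('form: method is not POST');
  }
  const labelled = new Set(tags(html, 'label').map((l) => l.for));
  for (const input of tags(html, 'input')) {
    const type = (input.type || 'text').toLowerCase();
    if (type === 'submit' || type === 'hidden') continue;
    const id = input.id || input.name || '(unnamed)';
    if (!input.id || !labelled.has(input.id)) {
      findings.push(id + ': no <label for> matching its id');
    }
    // Assumption: ids starting with "new" are password creation fields.
    // The old-password field is exempt, as the notes above explain.
    if (type !== 'password' || !/^new/i.test(id)) continue;
    if (!input.minlength || !input.maxlength) {
      findings.push(id + ': missing minlength/maxlength');
    }
    if (!input.pattern) {
      findings.push(id + ': no pattern attribute');
    } else if (compilePattern(input.pattern) === null) {
      findings.push(id + ': pattern does not compile, browser will not enforce it');
    }
  }
  return findings;
}

// Constructed patterns: one valid, one with an out-of-order range "[-!".
const GOOD_PATTERN = String.raw`(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,20}`;
const BROKEN_PATTERN = String.raw`(?=.*\d)(?=.*[[-!]).{8,}`;

// Constructed form with three deliberate defects: GET method, a broken
// pattern on the first new-password field, no label on the second.
const SAMPLE_FORM = String.raw`
<form action="https://example.com/blah" method="get" name="PasswordReset">
 <label for="oldpassword">Old: </label><input type="password" name="oldpassword" id="oldpassword" required="required" />
 <label for="newpassword">New: </label><input type="password" name="newpassword" id="newpassword" minlength="8" maxlength="20" pattern="${BROKEN_PATTERN}" />
 <input type="password" name="newpasswordcheck" id="newpasswordcheck" minlength="8" maxlength="20" pattern="${GOOD_PATTERN}" />
 <input type="submit" value="Change Password" />
</form>`;

for (const finding of lintForm(SAMPLE_FORM)) console.log(finding);
```

Client-side attributes only guide the user and the password manager; the server still has to apply the same length and composition rules.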

Call to Action

  1. Test all of your organization’s login and password change pages with LastPass, DashLane, 1Password, and KeePass.
  2. For any site you use that doesn’t work with the password manager you use, contact their customer support department.
  3. If you use LastPass, run the Security Challenge every 3 months. If you don’t use LastPass, ask your password manager developer to add a similar feature.
  4. Ask every site you log into to support FIDO U2F two-factor authentication.

LastPass Auto Change Password

Contact these major site developers and ask them to work with LastPass to add support for their Auto Change Password feature:

  • WordPress.com
  • WordPress.org
  • InformationWeek.com (and the rest of the TechWeb.com sites)
  • Zoho.com
  • Evernote.com
  • UberConference.com
  • Zendesk.com
  • Unisys.com
  • ATT.com
  • Force.com
  • Instagram.com
  • Dreamhost.com
  • Hostgator.com
  • MicrosoftOnline.com
  • Live.com
  • Oracle.com
  • Sony.tv
  • StubHub.com
  • GoodReads.com
  • Huddle.net
  • OpenStreetMap.org
  • Starbucks.com
  • Apple.com
  • iCloud.com
  • Bitly.com
  • EventBrite.com
  • SurveyMonkey.com
  • Quora.com
  • Meetup.com
  • Ifttt.com
  • Asana.com

Posted in Design.


GMT Hasn’t been International Time Since 1971—Stop Using It!

I just updated my Windows Live profile, and was horrified to discover that Microsoft has reverted to using Greenwich Mean Time (GMT) instead of Coordinated Universal Time (UTC), in at least one location.

Ever since January 1, 1972, the official worldwide time reference has been UTC.

Since then, GMT has been defined as only the mean solar time at the Royal Observatory in Greenwich, London. It is not tied to international atomic time. The simplest explanation of the differences among the various time definitions is the United States NIST Time and Frequency Division’s FAQ.

The biggest problem is that since 1972, GMT has been not an international time zone, but the name of the winter time zone in the UK. In the summer (daylight saving time) months, the UK time zone is BST, for British Summer Time. Depending on the programmer’s interpretation of whether GMT is a time zone or just another name for UTC, calculations made involving GMT may be shifted by an hour (or not) in a way that makes the resulting time calculation incorrect by one whole hour.

This is bad, and the only way to avoid the confusion is to never use GMT for any time after January 1, 1972.

The GMT Era

GMT was the official worldwide time reference from October 22, 1884 to December 31, 1971. Any reference to international time within those dates must therefore use the label “GMT”, while any references to international time after January 1, 1972 must therefore use “UTC”.

GMT is coequally used as the international time reference by the BBC, and as a time zone in a handful of countries (but be careful trusting TimeAndDate.com, as it does not cite any references).

The UTC Era

Ever since January 1, 1972, UTC has been the official worldwide time standard, and has always been the time standard of the Internet. UTC is defined by the International Telecommunication Union, an agency of the United Nations, in ITU-R Recommendation TF.460-4.

Universal Time=Solar Time

Universal Time (UT) was defined in 1928, as the replacement for GMT’s use as solar time, and its modern incarnation is UT1. So if Microsoft is intending to allow you to set your time zone to the solar-based Universal Time, the label in the listbox above should be “Universal Time (UT1)”, but this would be the official time for only witches, warlocks, and vampires.

The Microsoft Problem

Since all Microsoft operating systems were developed after 1972, they all should have started off using UTC instead of GMT—but they didn’t. DOS started using GMT, and Windows kept with it through Windows XP, and it wasn’t until Windows 7 that Microsoft switched to UTC.

The reason was simple—the time calculations used by DOS and Windows up until Windows 7 did not conform to UTC rules, so labeling Windows XP’s international time as UTC would have been inaccurate. Because UTC’s primary purpose is well-defined accuracy, this would have been inappropriate.

However, even Windows 7 is not perfect. See the thread Does Windows 7 Support UTC as BIOS time? for commentary on some of the remaining problems.

Yet some inside Microsoft are aware there is a difference between GMT and UTC. The .NET programming system has calls for both, as highlighted in the Stack Overflow thread, Difference between UTC and GMT Standard Time in .NET. And the TechNet article Timezone even says “Greenwich Mean Time (GMT) is now known as Coordinated Universal Time (UTC).”

Despite this long-ago switch to UTC, Microsoft continues to use GMT in many different locations, but not all. For instance, the article Microsoft Time Zone Index Values references GMT, while a newer version, Time Zone IDs, references UTC. Interestingly, you will find in the second article, that there are four separate time zones that use or reference UTC:

1200 GMT Standard Time (UTC) Dublin, Edinburgh, Lisbon, London
1210 Greenwich Standard Time (UTC) Monrovia, Reykjavik
1220 Morocco Standard Time (UTC) Casablanca
1230 UTC (UTC) Coordinated Universal Time

Each of these will likely be identical during winter months, but only ID 1230, “UTC”, will result in the true UTC time all year, every year, regardless of what the UK, Monrovia, Iceland, and Casablanca governments do to the definition of when standard and daylight saving times start and end.
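The one-hour shift described above can be measured directly. This is an added example, not code from the original post: it assumes the IANA names that CLDR maps these Windows zone names to, and leaves Morocco out because its rules have changed repeatedly. It computes each zone's offset from UTC and shows how far apart the two readings of a "GMT" timestamp land.

```javascript
// Added example (not from the original post). The IANA names are the CLDR
// equivalents of the Windows zone names in the list above (an assumption
// of this example; Morocco is omitted).
const ZONES = {
  'GMT Standard Time': 'Europe/London',
  'Greenwich Standard Time': 'Atlantic/Reykjavik',
  'UTC': 'Etc/UTC',
};

// Minutes by which the zone's wall clock is ahead of UTC at `instant`.
function offsetMinutes(ianaZone, instant) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone: ianaZone, hourCycle: 'h23',
    year: 'numeric', month: 'numeric', day: 'numeric',
    hour: 'numeric', minute: 'numeric', second: 'numeric',
  }).formatToParts(instant);
  const f = {};
  for (const p of parts) {
    if (p.type !== 'literal') f[p.type] = Number(p.value);
  }
  const wall = Date.UTC(f.year, f.month - 1, f.day, f.hour, f.minute, f.second);
  return Math.round((wall - instant.getTime()) / 60000);
}

// Convert a wall-clock reading in a zone to the UTC instant it denotes.
function wallToUtc(ianaZone, y, mo, d, h, mi) {
  const guess = Date.UTC(y, mo - 1, d, h, mi);
  let utc = guess - offsetMinutes(ianaZone, new Date(guess)) * 60000;
  // Second pass so readings close to a DST change use the right offset.
  utc = guess - offsetMinutes(ianaZone, new Date(utc)) * 60000;
  return new Date(utc);
}

// A timestamp labelled "GMT" read two ways: as another name for UTC, or as
// UK civil time ("GMT Standard Time"). Returns the gap in minutes.
function gmtAmbiguityMinutes(y, mo, d, h, mi) {
  const asUtc = wallToUtc(ZONES['UTC'], y, mo, d, h, mi);
  const asUkZone = wallToUtc(ZONES['GMT Standard Time'], y, mo, d, h, mi);
  return (asUtc.getTime() - asUkZone.getTime()) / 60000;
}

// Constructed sample dates: one in winter, one in summer.
const SAMPLES = [new Date('2024-01-15T12:00:00Z'), new Date('2024-07-01T12:00:00Z')];
for (const when of SAMPLES) {
  for (const [windowsName, iana] of Object.entries(ZONES)) {
    console.log(when.toISOString(), windowsName, offsetMinutes(iana, when));
  }
}
console.log('July gap:', gmtAmbiguityMinutes(2024, 7, 1, 12, 0), 'minutes');
```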

The BIOS Problem

The biggest problem resulting from DOS and Windows not handling UTC properly is caused by the early convention of the PC BIOS being set to local time. The best, and most detailed explanation of the problem is by Markus Kuhn, IBM PC Clock should run in UT, although Kuhn mixes up UTC and UT, referencing both, thus confusing the reader about which of the two the BIOS should be set to.

This causes big problems if you need to dual-boot Windows and Linux, or Windows and macOS on the same computer, because Windows needs the BIOS set to local time, while Linux and macOS need the BIOS set to UTC time.

Call To Action

  1. Just Read The Instructions, and stop using GMT everywhere you’re using it now!
  2. Ask Microsoft to fix any and all remaining problems with handling a BIOS set to UTC with Windows 7 and higher.
  3. Ask Microsoft to replace its proprietary timezone names with the official Internet TZ Database, managed by ICANN.

Unless you’re a historian or a computer programmer that needs to calculate dates prior to 1972; or you’re referring to the winter time in the United Kingdom, you should not be using GMT for anything. (You will find this rule adhered to in most Wikipedia entries, for example.)

Posted in Uncategorized.


Keeping Idiots Busy

DOGMA: WANNA KNOW HOW TO KEEP AN IDIOT BUSY T-Shirt

Great advertising copy is rare, so I like to give credit when I see something that gets me to stop and think or ask questions.

I saw a gentleman crossing the street, wearing this one this morning, and it was good enough that I stopped him to ask the obvious question—where did you get that marvelous apparel?

Click on the picture if you’d like to walk around with this idiot detector on your back (and no, I’m not making any commission on this).

Posted in Uncategorized.


Normalization of Deviance Considered Harmful

While reading Bruce Schneier’s CRYPTO-GRAM, I read a section about normalization of deviance, which referenced a horrible example of how much death and destruction can happen when people who think they’re too smart to follow rules and procedures designed by domain experts are allowed to continue being in charge.

In 2014, a Gulfstream IV crashed while attempting to take off from the 7,000 foot runway (with another 1,000 feet of overrun) at Laurence G. Hanscom Field (BED), Bedford, Massachusetts, killing all 7 people aboard, because the two pilots were dangerous idiots.

The pilot in command had 11,250 hours in his flight log, while the second in command had over 18,000 hours in his log, and both thought this meant they didn’t actually have to do a walk-around or do even one thing on the pre-flight checklist (which has five mandatory checks). The only pre-flight work they did inside the FBO before taking off was to order a pizza, take it into the plane, eat it, and then take the empty box back into the FBO. Then they:

  1. Forgot to disengage the gust lock, which meant none of the flight controls could move.
  2. Strong-armed the throttles past the gust lock, probably breaking part of it, and were thus unable to advance the levers to takeoff power (but they started rolling anyway).
  3. When they first noticed a problem, they had 5,000 feet of runway left—plenty of space to safely abort.
  4. Then they disengaged the flight control’s hydraulic system.
  5. When they had only 1,500 feet of runway left, they tried to deploy the spoilers, which would have significantly improved braking, but alas, the hydraulics needed to push them up into the airstream were still off.
  6. So the plane crashed through the runway lights, slammed into a ditch, broke in two, and burst into a fire that was not survivable.

All the follow-up interviews with other pilots that had worked with the pair confirmed that this failure to do the checklist wasn’t a one-time or occasional goof—they never performed a pre-flight checklist. The above article states that “Gulfstream pilot and Code7700 author James Albright calls the crash involuntary manslaughter.” Albright says “These pilots were experts at deceiving others…”.

This is a humongous problem (not just in aviation—everywhere), in our society, and we continue to ignore it at our peril. It doesn’t matter how long someone has been in a position they’re dangerously incompetent at (even if they have passed all of the existing qualification tests), they need to be fired and replaced with someone who isn’t afraid of good rules and learning.

Yet this is a very difficult thing to figure out, because among all of the good, sane rules that people should follow, there are littered bad, evil rules that competent people know they must break in order to do good things. How you determine the difference between the good and bad rule breakers is a topic for another day, but the first step in getting there is to immerse yourself in as many worst-case scenarios like this one as you can.

The reason for the immersion is simple—you need to be able to spot such frauds from their behavior and the language they use, and their attitudes.

Posted in Leadership.


Apple Store’s Doors’ Ignores

Be warned, he who designs glass houses.

I happened to be in San Francisco the day Apple opened its new Union Square store, and braved the crowds to see what all the fuss was about.

I had also stopped by the day before, to watch the last bits of construction, and the last full-scale test of opening the doors. Once the doors were open most of the way, the wind picked up and the guy supervising the process looked down at the ground, shaking his head (a bunch of leaves had just blown into the pristine lobby).

The rear 24-foot doors facing the infamous fountain were never opened, so as to avoid creating a wind tunnel…

Opening day came, the building was full, the line wrapped around a full 50% of the block, and then the telltale truck-backup-beep signaled the only true way to open that building—and the doors stopped 6 inches later, where they remained stuck until the building geeks debugged the problem.

Here’s what happened

Apple was not content with just having friggin’ 42-foot tall glass doors; that wouldn’t be unique enough. These had to be high-tech. Yours truly might have suggested infrared laser beams with holographic or scanning fixtures as the safety measure, with a safe, well-tested hard-wired open/stop/close control panel.

Apple didn’t do that. They made the whole thing wireless, and embedded Wi-Fi antennas in the door panels. They tested the doors repeatedly before opening, and found no problems. The fail-safe program embedded in the door controllers was armed, lying low so long as it confirmed the Wi-Fi connection every 500 milliseconds.

But opening day weather was gorgeous, and Union Square was full, even without the added crush around the block. Every single one of them with a smart phone (or two) looking for a signal, sprinkling packet upon packet on every one of the unlicensed, unregulated channels.

The doors never had a chance with that noise floor.

But out came the industrial wireless controller, and the doors started moving again.

But they should have been showing The Wizard of Oz on the big screen up on the second floor, because just down the hall was one of the door techs behind the curtain, with one thumb on the hard-wired maintenance control panel, and the other on his cell phone.

Posted in Design.


Maniacally Perfect Phantom

I love music.

But there are three things that consistently spoil what should be an immersive experience:

  1. Distortion
  2. Minuscule sweet spots
  3. Volume controls that don’t go to 11

Number 1 is all about quality; number 2 is about the freedom to move; and number 3 is all about the bass (read: the emotional driver).

Number 3 is usually limited by the need to avoid number 1, while number 2 forces you to choose between headphones and a carefully placed chair. I had once thought that getting all three to be in balance was impossible.

I am a perfectionist, and have had the (un)fortunate experience of a few good audiophiles training me in how to spot even subtle distortion. As much as I’ve tried over the years to un-train my ears, such frequency flaws no longer stealthily slip past my senses. The warmth that a loud and undistorted reproduction creates in the soul is impossible to fake.

Yet when I was invited into the small Devialet Phantom demo room at GetGeeked a while back, I was immediately immersed in the magical fingers of Mark Knopfler, and began crawling around the room trying to figure out where he and his guitar were hiding.

Was there a false wall? Did they use Wonka’s ray to fit the whole band inside the speaker? WTF?

As I turned the volume up loud enough to bother the other exhibitors (and the bartender), I kept probing for flaws—any hint of raspy distortion that would mask the true sound of him bending them guitar strings, or muddle the complex sounds of the Zildjian—and heard none.

As the Wired review pointed out, this magic did not disappear when you wandered away from the midpoint between the speakers. The sound stage was nearly everywhere, with those curious silver domes pulsing out nearly the full range equally in all directions.

That’s the sort of experience that it takes to overcome a field of very good competitors and get noticed by the Influencers that outlast the next five fads.

And it was the first technology experience in 18 months that I gave a damn enough to blog about.

Posted in Audio, Delighting Customers, Innovation.


Commentary on 7 Steps for Effective Brainstorming

In a LifeHacker post from yesterday, Thorin Klosowski proposes A Seven Step Plan for Effective Brainstorming:

  1. Define the problem and solutions space
  2. Break the problem down
  3. Make the problem personal
  4. Seek the perspectives of outsiders
  5. Diverge before you converge
  6. Create “idea resumes”
  7. Create a plan to learn

The substance, and rough order of this is very, very good. However, I believe “Make the problem personal” is too high on the list.

Many technically minded people grab onto the first reasonable problem and first reasonable solution they come across, and are also worse than non-technical types at putting themselves in the shoes of others. To overcome these vision-constraining traits, let’s re-order the list, and throw in one other change:

  1. Define the problem and solutions space
  2. Break the problem down
  3. Seek the perspectives of outsiders
  4. Diverge before you converge
  5. Create “idea resumes”
  6. Goto Step 2 and iterate until you have created a vision and a plan that gets the attention of the above outsiders and has at least one significant USP
  7. Make the problem personal
  8. Create a plan to learn

The two key changes here are adding the iteration at step 6, and postponing making it personal until you can empathize with and understand the outsiders’ problems. Once you truly understand their problems, then it’s the appropriate time to internalize it to the point you feel passionate about the subject.

Posted in Delighting Customers, Innovation, Leadership.


How to Win Customers With a Dab of Glue or Two

It’s known that Apple’s design teams “obsess over corners”—but that level of caring about detail need not be confined to electronics, or even excluded from disposable goods to earn a lasting bond with customers. I noticed this stickiness more than a year ago, but didn’t research its origins until this morning.

Say what you will about Starbucks vs. Peet’s coffee flavor (and do try Clover-brewed if you think the latter always wins out, but that’s another post); however there is more to the coffee experience than just that. Only a bit over 5% of Starbucks customers bring in their own cups or tumblers, which means >90% of customers use a paper or plastic cup. And those getting a hot beverage usually get one of those brown sleeves.

And how many times have you had a non-Starbucks coffee sleeve slip off the cup? How many of you noticed that Starbucks’ sleeves rarely slip off, and then peeled one off to discover why? Probably more than a few, but in googling for coverage of this, I only found one person who wrote about the glue’s impact on the customer experience.

Copywriter Jennifer Rotman blogged about her experience drinking from a coffee cup where the sleeve kept falling off. When she (like I) realized this didn’t happen with Starbucks coffee, she tore off the sleeve and found the little magical Unique Selling Point. In following the trail of the glue, I first found Starbucks’ 2005 patent for the generation of sleeve Jennifer noticed. This patent details some of the complex issues involved in manufacturing the sleeve—most notably the need to use a glue that would melt when placed against a hot cup of coffee, but which could be made to not melt during manufacturing when the sleeve is folded and the hot-melt glue that affixes the ends to form a ring is sealed in close proximity to the flaps. (Search for item “22” in the figures and description.)

That led to finding the press release and other references.

The person behind the Starbucks sleeve is Matthew Cook, of LBP Manufacturing, who is an inventor of many other food industry things, but the magic of the glue came from Henkel Corporation. You most likely do not know the Henkel name, but you know some of their brands: Dial soap, Loctite glue, and a few others.

The net win for Starbucks? This helped win me as a regular customer, but Jennifer said it best:

“If I can avoid hurtling along in traffic at the edge of disaster because of an errant coffee sleeve, I know where I’ll be buying coffee for the commute.”

And that’s the story of how a small, usually unnoticed feature on a 3-cent sleeve won Starbucks a couple of loyal customers who shared their happy tales, gave Starbucks a bit of free PR, and probably won many more customers who noticed the benefit but didn’t bother figuring out why. All with about 1/10th of a cent worth of glue (from the maker of Dial) per cup of coffee.

Posted in Design, Innovation.


Taped-Up Security

Twice in the past seven days—in the same coffee shop—I have seen two different road warriors plugging away at their notebooks.

With their RSA security tokens blatantly taped to their laptop lids.

The first time I figured it was a fluke. The second time I wondered why I hadn’t seen this before (I probably had, but just didn’t register the significance). These two examples are a great way of highlighting the need to rise above the technical details and see the forest for the trees.

The engineers who originally created the concept of the token solved a very real problem—the need to create a more secure password. The technical solution is brilliant, but being engineers, they didn’t empathize with users who would react based on the inconvenience their little hack caused. Putting it in the form of anything that can be taped to a laptop is probably bad (however rare this is). Putting it in the form of something they wouldn’t dare (a cell phone) is a much smarter idea, for instance.

So when you, as a geek, create something that appears radically different from the previous solution let me offer this advice (once you’ve filed at least a patent disclosure, if you think it might be worthy):

Go to a bar with a decent variety of women (by their nature, they think differently from you). Order (and finish) one stiff drink before continuing. Order only weak drinks thereafter.

Offer to buy at least three different women top-shelf drinks (read: anything the bar can make) in exchange for as much time as it takes them to finish (make it 15 minutes if they order a shot). Save the receipt, as this is a proper business expense.

Give them the elevator pitch for your thing–20 seconds max. Then ask them these questions:

  1. Does this invention solve a problem you have?
  2. Does this invention annoy you?
  3. What would you pay for this?
  4. Where would you keep it?

Write down all their answers after each interview. A bar napkin will suffice, and make you seem like less of a geek. Do not take notes on any sort of computing device, though if you must use something more formal, use a Moleskine.

Question 1 answered with a no might be a show-stopper. Either what you created has no value, your elevator pitch sucks (you are a geek, after all), or your subject is the wrong target audience. Figure out which of the three this is after a handful of interviews.

Question 2 is critical because nobody else asks this. If they answer anything similar to yes, then you haven’t solved their problem (or you have, but have also created a new one). In either case, you’re not done designing. This will take a few more sprint cycles to figure out.

Question 3 directly gets to the value proposition. Don’t give them a multiple choice list unless they draw a blank. Left to their own devices, they might come up with a figure larger than you think you could get. The more this answer surprises you in that direction, the more you should focus on this project and ignore other projects.

Question 4 is designed to be a bit of a double entendre on purpose. Because you’re a geek, and you need practice flirting. But mostly because it’s both a proxy for value (verifying their answer for #3), and designed to elicit actual usage models. If it’s software, and they say “on my desktop”, this probably equates to high usage and value. If it’s a widget, and they say “in my purse”, that probably equates to low value. But if it’s a widget and they say “on my keychain” or “clipped to my purse” then you have a winner. These are highly specific examples, but you get the point—if they would keep it somewhere accessible, then it’s more important than something that would go in their purse, gym bag, car trunk, Start Menu, bottom-left desk drawer, etc.

The exercise I describe may sound silly, but it is designed to be a framework for doing something difficult—to think outside of the box and understand someone else’s perspective.

Posted in Hardware, Security.


To Create Loyal Customers, go OCD over the UI and UX

This is not an article about the design of gadgets or computer peripherals. It is, instead, all about the forgotten items that all of us interact with on a daily basis.

Most importantly, it is aimed at brick-and-mortar business leaders and managers, and the gestation was a 10-foot tall ladder in a drive-through lane.

Chutes & Ladders & Kiosks

The fast food joint where I get my somewhat daily fix of breakfast sausage expanded their drive-through to two lanes a while back—two order stations funneling into one pay/pickup lane with (usually) separate windows for each. At the same time, the owners installed video displays in the car-side intercom kiosks, designed to display the customer’s order in real-time. When the displays are working, and the clerk is proficient, this is an amazingly enjoyable way to order food, for there is little doubt about whether your voiced order has been recorded accurately.

Yet my recent experiences show that this store’s owners don’t have the level of OCD needed to consistently ensure good customer service. You heard me—some level of OCD is desirable for success. It can always be followed to excess, yet if it is moderated and properly focused (as well as explained and guided with a gentle touch), it can have profound effects on business success. This is why Apple designers obsess over even corners of their creations.

This worked very well for several months, until one of the two kiosk displays failed. My reaction was simple; I simply avoided the lane with the dark display.

Then someone started blocking off one of the two lanes with a ladder when traffic was light enough to only warrant one lane being operational. And consistently, the ladder was placed in the only lane with a working display.

I am quite sure there was a very logical operational reason for this that made sense to management and employees. However, the effect was to degrade customer service, and since that is how this company makes money, those decisions, in reality, were incorrect.

Once these problems were fixed, I started noticing other defects—an ad on the order display for a burger that you can’t buy any longer, for instance. Or how I would order an item substituting the American cheese with cheddar, and upon delivering the order, the server would always say, “burger with no cheese, right?”, confusing me and forcing me to double-check my order.

What’s going on here? Very likely it’s this: The store’s training teaches order takers to push the button for “no cheese” whenever a substitution is requested. The result is that the order is reported as three separate lines: 1) burger, 2) no cheese, 3) sub cheddar, and the server (and sometimes the burger-maker) simply reads the first two lines.

How do you fix this? Simple: 1) Train order-takers to not push the “no cheese” button when a customer requests a substitution (the system has a “sub” button, and it works just fine), AND 2) reprogram the software to delete the “no cheese” line as soon as the order-taker presses the “substitute cheese” button.

I’m just guessing, but I rather suspect that this store is behind the curve of corporate expectations for revenue.

In business, it is all too easy to get mired down in the wrong details. The way to rise above this is to step out of your shoes and into a customer’s shoes for a bit, and then go OCD.

In this case, I’d advise the manager to go outside, take a picture of the menu boards (both lanes), and then spend the next couple of weeks ordering everything on the menu, from their car, alternating lanes. Keep a notebook in your pocket, and log everything that doesn’t happen perfectly.

When the list is complete, go find someone with the know-how to fix these problems. However, it can’t be just anyone, and should not be a geek! The fixes need to be designed and done by someone who can implicitly feel the pain and frustration of the customer, and who cares about that far more than operational or management issues. A psych major would be a good starting point.

This much attention to detail is the only way to design great customer experiences, period.

If you’re not enjoying and taking pride in the process, then you’re not quite doing it right. So stop, go talk to some customers (at a franchise where you’re not known!), and figure out what of their experience you haven’t quite comprehended yet.

Now go try a similar test again. When you start to smile when you’re doing this tedious research, because you’re figuring out simple or clever ways to make the customer happy, you are doing the exercise right.

Posted in Service, Uncategorized.