A site devoted to discussing techniques that promote quality and ethical practices in software development.

Wednesday, July 29, 2015

Caveat for Link Market Services Registry users using Password Manager

This is a note for users of the Link Market Services Share Registry service who use a password manager to manage their passwords.

It seems Link Market Services discourages people from using a password manager, a practice that is recommended by security experts, and it expects users to have some sort of psychic power to know why.

Recently, I encountered an operation that required me to supply the Transaction Password. Since I use a password manager to generate and record passwords, I simply asked the password manager to transfer the transaction password to the field in the Link Market Services web page. The transfer happened flawlessly but the confirm button remained disabled as if I had not typed anything. That's strange. There was no textual guidance and no pop-up message box to tell the user what to do.

Not deterred by this, I did some experiments and this is what you have to do if you want to use a password manager:
1) Transfer the Transaction password to the field in the normal way your password manager offers.
2) Click on the field and press the End key to force the cursor to the end of your password. (Or enter a character at the end of the password and immediately remove it from the field.)

The minute you have completed step 2, the confirm button is enabled! The web page at that stage does not have a clue whether what you have entered is a valid transaction password.

It seems the web page has a user-interface bug: it fails to recognise the field change event.
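The failure mode described above, as an added example that is not the registry's code: it assumes the page enables its button only from key events, and it uses small stand-ins for the field and button so it runs in Node without a browser. `Field`, `wireKeyOnly`, `wireRobust`, `managerFill` and `demo` are hypothetical names, and the filled value is constructed.

```javascript
// Stand-in for a form field: holds a value and can receive events.
class Field extends EventTarget {
  constructor() { super(); this.value = ""; }
}

// Fragile wiring (ASSUMED to resemble the page): only key events
// re-evaluate whether the confirm button should be enabled.
function wireKeyOnly(field, button) {
  field.addEventListener("keyup", () => {
    button.disabled = field.value.length === 0;
  });
}

// Robust wiring: react to any value change, however it was entered
// (typing, paste, autofill, password manager).
function wireRobust(field, button) {
  const sync = () => { button.disabled = field.value.length === 0; };
  for (const type of ["input", "change"]) field.addEventListener(type, sync);
  sync(); // also covers a value that was present before the script ran
}

// Constructed simulation of a password-manager fill (an assumption about
// how the manager behaves): the value is set and input/change events are
// fired, but no key events occur.
function managerFill(field, secret) {
  field.value = secret;
  field.dispatchEvent(new Event("input"));
  field.dispatchEvent(new Event("change"));
}

// Fill the field, record the button state, then apply the End-key workaround.
function demo(wire) {
  const field = new Field();
  const button = { disabled: true };
  wire(field, button);
  managerFill(field, "constructed-sample-value");
  const disabledAfterFill = button.disabled;
  field.dispatchEvent(new Event("keyup")); // step 2: pressing End
  return { disabledAfterFill, disabledAfterKey: button.disabled };
}

console.log("key-only:", demo(wireKeyOnly));
console.log("robust:  ", demo(wireRobust));
```

With the key-only wiring the button stays disabled until a key is pressed, which matches the workaround in step 2; the robust wiring enables it as soon as the value is filled.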

This kind of bad user interface design makes your software suck. If you do not want users to transfer data, say via the clipboard, disable the paste operation and offer the users some form of guidance. If your web site does not have a general purpose help e-mail address, you need to make sure the user interface of your web site is perfect and idiot-proof.

On the subject of Transaction password, this is their mandated rule:

When you use the settings facility to change the Transaction password and if you use a password manager to generate the new password (highly recommended), after you have transferred the new password to the respective field, execute Step 2 mentioned above. Such action will trigger the script on that page to evaluate the supplied password. It seems the program has a bug similar to that mentioned above.

One wonders if Link Market's mandated rule can encourage users to choose strong passwords. If Link Market discourages their users from using a password manager, then the users will undoubtedly choose an easy-to-remember password (that will also end up being easily guessed by a hacker).

For example, the following passwords Pauline1, Password1 or Ab1234567 comply with the rule but according to Microsoft's password checker or Kaspersky's checker, they are weak passwords. It is therefore better to encourage your users to use a password manager rather than forcing them to choose an easy-to-remember one.

Wednesday, July 15, 2015

A tale of two share registries

Every year around this time, the end of the financial year, I, like others, have to prepare share holding statements of my share portfolio for my accountants and this exercise takes me into close contact with the share registries managing the shares in the listed companies.

There are several registries in Australia and some companies use one while others use a different one. It is not uncommon for a share holder to have to deal with multiple registries.

The two largest ones are ComputerShare and Link Market Services. Both have facilities to generate a holding statement document but they are vastly different in their implementation, and this blog post documents my experience showing how one can be so badly designed to meet users' requirements while the other is a joy to use.

Both systems offer several log-in facilities to access the holding or holdings. Both allow a user to become a registered user and in so doing let the user define the collection of shares of interest. They also offer a user single holding access to just one share's details using the share identification number called the SRN and other details.

For people with a large share portfolio it is much more convenient to become a registered user. However, as will be revealed, that is not always the case when dealing with ComputerShare.

ComputerShare has a longer history than Link Market Services but the latter has a far more user-friendly user interface than the former.

ComputerShare once had a very functional, though less colourful, system and it had served it well. In that system, one could expand the particular share holding and could then enquire about the holding at a particular date right there. Several years ago, ComputerShare decided the functional system needed freshening up and decided to splatter the web site with eye-candy features and introduced an amateurish help system that is actually an insult to the intelligence of its users. More on this later on.

The eye-candy effect caused minimal changes to how holding details are shown to the user and the shares in the portfolio are listed alphabetically, just like in the less colourful previous system. Compared with Link Market Services, the eye-candy effect has not improved the usability one bit, speaking as someone with a long history of using both.

However, the most radical change in ComputerShare is in the way of generating a holding statement at a particular date. It is not the relocation of the feature from one part of the user interface to another that makes it so unusable, but the implementation behind it that makes it so frustrating to use.

The 'Export Balance Letter' has the following user-interface design:

to let the user generate the balance statement. For some strange or mismanagement reason, the designer of this piece of user interface changed the terminology from 'holding' to 'account' in the 'Select Account'. In the opening statement of this user interface, the designer is still referring to them as holdings. The rest of the web site uses holding to refer to a particular share holding. 'Select Account' should be corrected to 'Select holding' for consistency.

It is not the eye-candy stuff that makes this piece of user interface totally unhelpful and unusable. It is what lies behind the combo box for the list of holdings (I will refrain from calling them accounts because they are not) that is irritating (to, dare I say, any user bar the designer).

This piece of implementation is a prime candidate for the book "Why software sucks". If you drop that combo down, any sane person would expect the ComputerShare designer to show the share holdings in alphabetical sort order, just like in the Portfolio page.

But surprisingly, or rather shockingly, the order seems to be rather random without seeing the code. In my access, the list box in the combo box shows the companies in the list starting with A, C, W, W, A, C, A, P, A, .... S, L. What kind of sort order is that? I managed to talk with someone from ComputerShare about what kind of collating sequence they are using to generate this. The answer, from someone without much conviction, suggested that it might be the order in which I acquired the shares. Even if that is the case, what good does that sort sequence do for the users?

Having worked with many developers in my life, I have never seen something as bizarre as this. It is a sloppy piece of work, and how hard is it to add an ORDER BY clause on the ASXCode column in your SQL statement?

Needless to say, the person I talked with from ComputerShare was rather defensive (a trait I have commonly found in some development companies), giving me all sorts of irrelevant excuses, like the software has to work in different countries. I am not inexperienced in I18n.

If the caller wanted to solicit user feedback to help them with their design, he used the wrong tactic. Nowhere in my Facebook (borrowing someone's access) message did I say anything about having the ability to download them to a spreadsheet. And yet, this person kept drumming into me the ability to download into a spreadsheet and that that feature might take some time. I told him all I wanted was for ComputerShare to list the holdings in the list box in alphabetical order - a much easier undertaking that will bring huge benefit. He certainly failed the user-requirement solicitation process.

Now let's consider how Link Market Services handles this in a way that makes ComputerShare look like an amateur. Link does not use the algorithmic way of pulling in the share holdings relevant for the registered user. Link allows a user to pull in holdings of totally different owners as long as one has the SRN, and it also allows the user to group these holdings, a useful feature not available in ComputerShare.

Hence in Link, one can have BHP, for example, owned by Albert, Mary, Jack and Tom, each with a distinct SRN of course.

In Link, the balance statement is located in the 'Balance History' page, which contains a similar user interface.

Once again it is not what hits your eyes that matters but the implementation of that list box in the combo box for the holdings. Link sorts the holdings alphabetically, a sort order I challenge ComputerShare to show me is less useful.

Rather than torture myself with ComputerShare's illogical sort order when I came to compiling the end of the year holding statement for shares managed by ComputerShare, I did not use my registered log-in details. Instead I used the single holding access, which seems irrational. Even with having to provide log-in details and entering the CAPTCHA for each holding, it is still the quickest and least stressful way to get the job done. This is still much quicker than navigating through the poorly arranged list of holdings in ComputerShare.

Not content with driving their users crazy with their idiotic design, they try to pretend to provide some 'human' assistance; they introduced 'Ask Penny', which must have been built with a penny as it lacks any form of intelligence or knowledge. If you can't provide AI assistance, perhaps a general helpdesk e-mail facility is more useful and more capable of giving that human touch. Their 'Contact us' facility is equally useless because it is share-centric.

In sharp contrast, it is a joy to use Link to compile that end of the year holding statements. Thanks for a job well done.
