“Tell me as soon as I’ve entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I’ve screwed up? You’re the computer, remember? This is what you’re good at.”
Err… if you did that then people would be able to guess the key using trial and error one character at a time.
Dare I ask if you modified the serials you provided at the top of the post? I mean, not to imply that such a thing would be, basically, distributing serials, but… uh…
If you’re going to implement multiple text entry boxes that automatically focus on the next field when the current field is filled, don’t make it insanely stupid to go back and EDIT a previous field. I’ve had to enter registration keys that automatically moved focus to the next field when then current field had 5 characters in it. A mistyped 5th character means you can NEVER go back and edit that field (not without some fancy, stupid fast keyboard tricks to hit delete or something before the focus changes).
My favorite is shift-tab to backup to the last field, and it moves back to the current field because the last field is full. Who tested this crap?
Did you just give us a bunch of valid install keys? 
When serious organizations lock down software, they do it with hardware. In the old days it was a parallel port extender filled with epoxy, and today it’s USB keys. No CD key code to hassle with, and it can’t be posted to a forum and shared.
If you want to force the digital world into an 18th century view of property law (you know, can’t be copied and shared, it’s “property” that is non-the-less licensed, etc…) just make a physical key.
Or you could get Linux, and get on with life.
@J. Stoever-
“DOS and Unix, anyone?”
Microsoft actually purchased exclusive rights to 86-DOS in 1981.
As far as stealing from UNIX- After reading Jeff’s posts on virus protection being pretty much unnecessary if we’d all stop running as Admin… I can’t help but feel that Windows would be much better if they HAD. 
I like to keep my possessions to a minimum and so dispose of packaging and put CDs and DVDs into a carry case.
You can imagine my annoyance when my Vista and Office 2007 retail boxes wouldn’t let me peel off the serial number to stick into my carry case. It’s like a piece of plastic with a sticker on it is somehow my proof of purchase…
Don’t get me started on how Vista wants to reactivate every time I boot it natively on my Mac as opposed to being virtualed… (each switch effectively deactivates it and makes Microsoft think it’s been pirated onto yet another machine)
[)amien
The first thing I do is take a sharpie and write the key onto the cd.
For shareware my preferred key is the giant block of text that gets pasted in. And let the username and key be in the same block. After all, I am just going to paste it in from a registration email, and dont really want to spend time filling in multiple textboxes.
“Tell me as soon as I’ve entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I’ve screwed up? You’re the computer, remember? This is what you’re good at.”
I remember the good old days where the reg key was just a checksum digit so you could type in N-1 numbers and then just change the final digit from 0-9 until it ‘passed’
I regularly spend time at work maintaining the license file + dongle-protection scheme for our commercial software, and giving support when problems arise. I also know that our protection scheme can be trivially broken with a good debugger. From this experience I feel that copy-protection is a collosal waste of effort. Not that I have any say in it.
Wouldn’t it make more sense to pay for the development of software instead of for the copied bits, and not restrict copying? But it turns out that’s not what happens. Apparently it is even an accepted business practice not to get the source code (except in escrow) when you let contracters develop custom software for internal use! Boggles my mind.
I’m pretty sure every commenter here has missed the point.
“Tell me as soon as I’ve entered a bad value in the key. Why should I have to go back and pore over my entry to figure out which letter or number I’ve screwed up? You’re the computer, remember? This is what you’re good at.”
Note the phrase “bad value”. I doubt Jeff is advocating validating one character at a time…I can’t imagine he would make that elementary of a mistake (apologies if you did :P). I would tend to assume that he instead means alert the user if a character outside the set of valid characters is entered. So if it accepts all alphanumeric characters except 1, l, 8, and B, throw up a warning as soon as a user enters one of those.
2wcoenen
“Wouldn’t it make more sense to pay for the development of software instead of for the copied bits, and not restrict copying?”
Actually 75% of software industry works just that way. Customer pays for development of software, not for license.
Personally, I think that if anything dooms commercial software, it’s the attitude that it is ok to make it harder for honest users to use your product than free, open-source alternatives.
Forcing people to manually enter registration keys is barbaric. Plenty of commercial applications do just fine with server based systems where you are emailed the key. Hell, some commercial applications do just fine without any copy protection at all.
One of the reasons I bought a console and no longer game on the PC is that I can no longer play some of the games I purchased because I lost the key. No. Wait. That isn’t true. I could play any one of them merely by going and downloading one of the cracked copies. If it is true that people will pay nothing for software if they can get away with it, then commercial software is doomed, because anyone with a web browser and google can get cracked versions of any popular commercial software application.
Copy protection, especially intrusive protection like manually entered keys, stops no pirates, is a waste of coding resources and drives your customers into open-source alternatives. If you do it, prepare not to sell any copies to people like me, who are sick and tired of being treated like criminals. We’ll be happy to go spend our money at vendors who actually trust their customers.
I’ve never paid for PC software (expect pre-installed Windows). I actually tried to pay for software a few times, but it was always too difficult. Piracy was just easier. (Since moving to Linux, I don’t even pirate anymore. FOSS gives me everything I need.)
To actually have any affect on piracy (among individuals), you’re going to have to make buying and registering your software easier than pirating it. If pirating your software is extremely easy, you’re really going to have your work cut out for you.
I don’t understand why I can’t just go to a website, enter in my credit card information, and download an installer that knows the registration key and can activate through the web on its own. Why does the registration key have to come separate from the installer? Why do I have to manually combine them? I see no reason for having them separate.
If you don’t do this for your users, they’re just going to end up pirating your software.
I think I’d complain more about having to re-install software for most upgrades of Windows OSes.
Any chance that Vista CD Key has a few activations left on it? 
there has to be some kind of enforcement in place.
Really? You assert no users would buy the software, but in the cited 110:1 example, less than 1% bought it, even when there was a serial number scheme in place. It seems pretty darn pointless. Dongles are just annoyances to those few users who don’t get a cracked copy instead. In fact I’ve seen users who used a cracked version even though they had a legit copy, because the dongle caused problems that the cracked version did not.
Microsoft is in the very unusual position of having its product almost always be preinstalled by a third party for the user, who is not in a position to know or care whether that third party actually paid Microsoft for a license. For the average app developer, you’re dealing directly with your customer, who has to deliberately pay you, or to seek alternatives such as piracy. Also, Microsoft’s Genuine Advantage is expensive (call centers required to sort out false negatives, etc.) and widely hated, but people put up with it because they have little choice. For an ordinary developer, running a support call center would be costly and the customer irritation of a draconian registration/activation scheme would be hard to justify. As a result it’s probably not useful to most developers to look at how Microsoft handles piracy for guidance.
I’d be interested to see any hard data that anyone knows about that compares unprotected commercial apps vs. “nagware” shareware vs. serial number protected software vs. dongle software.
I did find a comparison of “honor system” shareware vs. “nagware” shareware which was interesting. Summary: nagging works.
http://hackvan.com/pub/stig/articles/why-do-people-register-shareware.html
My suspicion is that due to digital distribution of cracked software, copy prevention schemes are a complete waste of money, except in odd cases like Windows, and developers should instead rely on nagware that trusts the user when the user claims to have paid (instead of requiring a registration code). But I have no data to back up this hunch.
I will admit I’ve pirated software. However, I agree with using activation keys, and all software I use on a daily basis has been acquired legally. The way I see it, if you go into a store, say Futureshop, and want to purchase some Memory, you have to get the person to open the showcase for you. You can’t grab it yourself and head off to the cash register. Why? Because they don’t want you to steal the damn thing. So what if I have to spend 30 seconds typing in a key that lets me use the software.
I agree its a good idea to make inputting the code easy, like using legible fonts, and sizes.
I have to disagree with some of the comments here: “Copy protection, especially intrusive protection like manually entered keys, stops no pirates, is a waste of coding resources and drives your customers into open-source alternatives.” Absolutely, it doesn’t stop pirating, no doubt there, but to go back to my Memory analogy, the waste of coding resources is like building the showcase. I could smash the case, and then book it out of the store. But to most customers, would you rather smash the thing and run, or tell the employee your going to buy something? If a customer saw some guy on a street corner selling memory, would you buy it/take it, or would you rather trust the memory in the store, in the shiny showcase, that you know hasn’t been messed with?
That point hits on multiple levels. Is pirated code safe? It could be, but there is no absolute answer. Would you rather use code that was built specifically as a job task - i.e. the coder was paid to do it, or would you rather use the code that was built on the off hours of the coder who was being paid to build another application? Some open source projects are actually built quite well - ok a lot are. I’ll even say linux is built fairly well. But, I don’t think I could trust code that was built as a hobby.
Enough of that rant, the original purpose was simply to agree that better key management is deffinately a UX bonus.
Why not suggest that the registration key is entered on some normalized document - for instance a credit-card like piece of plastic, or a business card.
This way, you can store all your registration keys inside a dedicated wallet, making registration key management a lot easier.
I recently implemented a registration key scheme for a tiny digitial image management utility I developed, called CardSharkV. Entering the key is done by dragging and dropping a keyfile onto a field in the application. You can drag the file either from Windows Explorer or an email client (the key is delivered via email). I thought this was a good way of avoiding most of the problems Jeff mentions in this article.
I’m actually looking for some feedback both on the utility itself and on the usability of the registration key mechanism. If anyone is interested in taking a look, please check out my blog.