Why should we ask the password twice during registration?

  • It would be easier to ask for a user's password only once during registration.

    The problem: The user could make a mistake while typing the password once because of hiding letters.

    The solution: The user could have a toggle button for showing or hiding the password.

    unmask password

    Working example with toggling the visibility of the password. This approach could be used on the registration or login page.

    Are there any benefits to asking a user's password twice during registration vs just not masking the password? Why would you ask twice?

    P.S. Jakob Nielsen about unmasking the password:

    • Users make more errors when they can't see what they're typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
    • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

    Update: I created a WordPress plugin which unmasks the password field. So you may use it if you want to.

    unmask password

    Update 2: WordPress.com use same technique to show and hide password.

    Update 3: Internet Explorer 10 added a toggle password visibility icon. It looks like this:

    IE 10 password

    Update 4: Article about unmask password on smashingmagazine.

    Update 5: Example with unmasking password on focus.

    Unlike the other question I've tried to keep this question focused on **masking vs unmasked passwords**. A problem with the old question is that most of the "answers" are opinions or completely alternate ways to handle the situation (don't have a password, use openid ect). Please keep answers related to the actual question.

    Better yet, use OpenID and avoid making the user create yet another account.

    Regarding Nilsen's second point, part b: If the user is copying and pasting from something like KeePass, then there is arguably security *gain*, not loss. This is also another reason not to have a "repeat password" field: I'm copying it anyway, the enter-twice method is not gonna "catch" any errors (which KeePass, presumably, somehow magically introduced).

    There's this interesting experiment from The Netherlands that I somehow had to think of while reading the post above. There was this one specific junction where a lot of car accidents would occur. The solution was to remove any traffic signs and warnings. The car drivers would take more notice of the environment and generally pay more attention to what's going on. Applying this to the two password fields, I think 2 password fields make the user less cautious of any typos he or she is making because of laziness. Having just one field will make them pay more attention to what they're putting in.

    How about just letting users use their existing identities from Facebook, Google, etc.?

    The premise is that since password reset is a lot cheaper/easier than ever, asking the user to repeat their password is no longer necessary? Two things: password reset is much more complicated for a user than simply repeating a password in the first place. If somebody signs up to an unfamiliar site and then can't log in - are you SURE they're going to think they got the password wrong? Or perhaps they'll think this new site they've never used before is just a complete pile of broken rubbish, and never return. What impression would you like to give your users?

    @LeeKowalkowski The main idea of this post is to hide or show the password. WordPress chose to show the password and user does not have to input masked (blind) password twice - https://signup.wordpress.com/signup/

    Do you allow long passwords/phrases? So long, the password field scrolls so that not all of the password is in view? If you do, they're still hidden! Also if it's not hidden, you're probably not using a password field (as in ). So you could be swindling some poor users out of some browser-behaviour also attributed to usability or accessibility (How would you know? You can't experience everybody's set up). Why don't you just stick to what users expect? Password fields are hidden from view for good reason, but now people think they know better? continued...

    ...Revealing my password to me would not help one bit, because I can't verify them. The ONLY way I can verify my password is correct is to type it again. Why? Because I don't know what my passwords are. I play keyboards, my password technique is to pick a tune, and play it as if the QWERTY row are the white keys and the numbers are the black keys (E.g: Inspector Gadget: qw3rt35wr3qw3rti7). All I remember is which tune I'm playing, what key it's in, how much of the tune to play. @Dean's answer below covers this, and is the reason you STILL need to ask for the password twice.

    @LeeKowalkowski "Password fields are hidden from view for good reason, but now people think they know better?" - yes, now people knows better because of user testings. "I play keyboards, my password technique is to pick a tune..." - so unmasked password will only help you with your technique. Unmasked password will show if CAPSLOCK is enabled or if language is switched to another and so on. But if there is a spy behind your shoulder [:)], you may hide the password by clicking visibility toggle button.

    They tested all users? Using a real password field will also warn me when CAPSLOCK is enabled. Regardless, there are people that NEED double-entry validation, because their passwords aren't simple to verify like the average person's simple passwords. If you showed any of my passwords to me, I honestly couldn't tell you if it was right or not. I just want to punch it in twice. If visibility is a little check-box option, why isn't double entry?

    ...also the article (http://www.nngroup.com/articles/stop-password-masking/) that started this, was about login, not registration.

    @LeeKowalkowski You are so conservative :) If everyone would think like you than we would still use font-tag and meta-keywords. Try to type masked password on phone or on keyboard with erased letters and you will understand which approach is better.

    I do type masked passwords on phone, that's the default (last letter reveal is understandable since the keyboard is not conventional). Responsive design would be useful. You don't just go making changes because they suit one platform. The issue is you're jumping ahead of the OS/native offering by unmasking passwords outside of the OS/native facility. People stopped using the font element as soon as the browser offered the alternative, you're deviating from standards before they've been set. Not cool. If unmasking was good, the browser should offer it for all password fields.

    "keyboard with erased letters": ha ha, I rarely look at my keyboard anyway...

    @LeeKowalkowski "you're deviating from standards before they've been set. Not cool." WordPress.com and Jakob Nielsen already changed that 20-years old standards. Or you know better authorities in usability? :)

    It's not about that, it's a usability observation, the golden rule is not to recommend solutions from them. If password masking is an issue, which I don't doubt, then it's a system-wide issue, not for every web developer to solve independently, inconsistency doesn't help the user. UX is not just web, by the way. Think of password protecting a spreadsheet, there's no simple reset method. Unmasking must be implemented everywhere on a device, and won't always make double-entry obsolete. Solving this is like writing a polyfill before you know what to fill.

    The WordPress technique doesn't work on IE8, this might be a poor example (because you probably don't care about usability for *those* users), but imagine the technique fails in other technologies like automated password storage systems or because the password field is now a normal text field and stored in the browser's form auto-complete database unencrypted. You could do some serious damage (unintentionally I understand). Jakob made a grave error recommending the checkbox, the web form is the wrong place to solve the problem.

    @LeeKowalkowski "The WordPress technique doesn't work on IE8" - it is the problem of IE8 and lower. Older IEs cannot change the type of input properly. It was fixed in IE9. "You could do some serious damage" - "masking password" and "encrypting password" is two independent actions and everything depends on browsers behavior but all modern browsers secure this data pretty good. "Jakob made a grave error recommending the checkbox" - you have not so much karma to say such things ;)

    You're unmasking a password by having it cease to be a password field, so a another person could discover it on-screen using autocomplete, regardless of how well a browser has secured the data internally. I don't understand your karma statement, (the Conservative statement did not make sense to me either) I have been following Jakob for a very long time, long enough to know that usability findings are observations, and you can't recommend solutions right off the bat: http://www.nngroup.com/articles/first-rule-of-usability-dont-listen-to-users/. Masked should be the default, reveal, opt-in.

    ... at also appears Windows 8 does this natively, I'm very happy to hear that... except wordpress users will probably wonder why it's not there on those password fields.

    @LeeKowalkowski "so a another person could discover it on-screen using autocomplete" - param autocomplete=off could be added to password field. "I don't understand your karma statement" - it was joke that you have 150 karma and you are trying to teach Nielsen what is good for users :) "the Conservative statement did not make sense to me either" - I meant that you are protecting old-school approach. Read this topic, you'll gonna like it too ;) http://ux.stackexchange.com/questions/20924/why-isnt-the-remember-me-checkbox-in-login-forms-enabled-by-default

    `autocomplete=off` does not help the user. The user is the beneficiary of usability. If they're happy to use browser-classic features like password storage/autocomplete/the back button, the web designer's duty is to make sure those features remain available. Nielsen knows what's good for users, but he said password masking must stop, but not you must stop it. You don't mask the password, the OS does. Therefore, the OS must stop masking the password, it's not your fight. He could have made that clear. He's not going to deny if the OS did it everywhere, for all passwords, that would be best.

    So I'm not protecting an old-school approach, I'm protecting usability, the guys that are solving the problem in the wrong place are hurting usability. What is 150 karma?!?!

  • We should not ask for password twice - we should ask for it once and make sure that the 'forgot password' system works seamlessly and flawlessly

    @Roger - Making someone go through a (perhaps multi-step) password recovery process because they accidentally had CAPS LOCK on or mistyped a letter is a horrible User Experience. Additionally, showing passwords is not secure at all and in any eCommerce setting is bad practice. Having the user type passwords twice with good feedback, a la "Passwords Match!" or similar is common, useful and will provide users with the satisfaction of knowing they didn't mistype.

    So if I sign you up for an account and you get a e-mail verification link and don't click it, I should be able to spam you with forgotten password emails? Anyway, you need some other form of identification for your forgotten password feature if password isn't the sole method of authentication. By relying on the forgotten password system like that, you're just making the e-mail so important that we'll need to enter that twice instead.

    @JanusTroelsen Plenty of high profile sites manage without entering any details twice - for example ones I'm aware of include twitter, vimeo, gist, kontain, foursquare, digg, freindster, last.fm, stumbleupon, xing, typepad, yousendit, yelp, toggl, tumblr, dropbox, dribbble, bebo, flixster, disqus, harvest, trello, mailchimp, huffduffer, and bang.

    @RogerAttrill users also misspell/misstype their emails, unfortunately

    @Tha Riddla If users accidentally have CAPS LOCK on, having them type the password twice most likely won't help…

    @frozenkoi true, but you can't ask for *every* field to be filled in twice, even the important fields. For instance; have you ever been asked to fill in your credit card number twice on an ecomnerce site?

    @JonW No - but then again the credit card number is visible the entire time and I can recheck it if I want to.

    @Dason that's kind of my point. Isn't your credit card number more important to you than your password? If passwords are double required in secret masked fields why does nobody care that the credit card number is entered in free visible text only once?

    @JonW: Credit card numbers should probably be masked, but the reason you're only asked to enter them once is because they already contain a CRC.

    @JonW: because you don't want people looking over your shoulder to be able to read your password, while people can easily discover your credit card number from, well, looking at your credit card?

    @JonW Usually you type your password or email twice when setting up an account (or changing the field), during which time a forgot-password system is likely unhelpful. The purpose of entering a field twice is so that it's not entered wrong; wrong password/email during account creation leads to an inaccessible account. Entering credit card number wrong won't lead (hopefully) to billing the wrong person, but you can reach that point in the purchasing process and try again (admittedly, it might take a few days to get notified that the credit card # was incorrect).

    I totally agree with @Tha Riddla. Suppose you want to set your password as "hello" but what you types is "jella".... I think you'll not do the same typo mistake two times in a row...

    There's no problem with credit card numbers since they would'nt get trough validation since IBAN numbers have this nice little checksum built in. You pretty much can't make an unnoticed mistake on that one!

    @JonW Your credit card number is not really a secret. You give it to the merchant to which you will pay. Passwords, on the other hand, are conceptually a secret. The computer server that you login to typically stores a hash of a password. If you hash your password and give that information to the server, the server can verify it is you, without actually knowing your secret password.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM