Why are we typing passwords twice?
We are typing passwords twice because of legacy design patterns we forgot to abandon. There is no reason why everybody should suffer just because a few can’t type their password correctly. I jump confirmation ship!
I’ve created about ten sign-up forms in the last year and all of them have a “Confirm password”-input. My only sure reasons for that extra input field are habit and preconceived ideas.
We are typing our passwords twice because
To find out the reason for the “confirm password” input field I did some light Googling. This is why other people add an extra password field to their sign-up forms.
a) We use this as confirmation that we typed what we meant to type.
b) It is a convention, it is what we expect and therefore get.
c) Web developers are bad habit forming idiots with preconceived ideas.
d) If we type it twice we are more likely to remember it.
I am a combination
For me it is a combination. A is probably the original thought behind it, but it is also something that I just expect to be there. But I also think it’s legacy design. Something I should have abandoned years ago, or at least when I learned to create a better solution of my own.
A - Confirmation
My guesstimate is that most people actually do type their passwords correctly, even if they only see stars or bullets. If they don’t, they will probably find out soon enough and use the “I forgot my password”-link. I don’t think everybody should suffer just because a few can’t type their password correctly.
B - Convention
It is actually not so much a convention nowadays as it might have been a couple of years ago. Just look at Virb or Facebook.
C - Idiocy
Most web developers aren’t idiots, but there are some things we, I at least, do without thinking much about it. One of those things is probably creating an extra input and forcing you to type your password twice.
D - Memory
No.
Instead of confirm password
One solution is to just kill that extra input, like Virb and Facebook have done. Another is to replace it with a “Show Password”-checkbox using the Show Password jQuery plugin.
People who want a confirmation that they spelled their password correctly can tick the checkbox. Others can ignore it. And that I like, stuff you can ignore if it doesn’t concern you.
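One way to wire the “Show Password” checkbox described above so the field starts masked and is masked again when the form is submitted. This is an added example, not the Show Password plugin’s code; the function name attachShowPassword and the element ids #password and #show-password are assumptions.

```javascript
// Added example: binds a "Show password" checkbox to a single password input.
// It only needs `type`, `checked` and addEventListener, so it accepts real DOM
// elements in a browser as well as simple stand-in objects under Node.
function attachShowPassword(input, checkbox, form) {
  // Always start masked, whatever state the markup or a restored page had.
  input.type = 'password';
  checkbox.checked = false;

  // Reveal the password only while the box is ticked.
  function sync() {
    input.type = checkbox.checked ? 'text' : 'password';
  }

  // Force the field back to the masked state.
  function remask() {
    checkbox.checked = false;
    sync();
  }

  checkbox.addEventListener('change', sync);

  // Re-mask on submit so the field is type="password" again by the time the
  // browser handles the submission: values of text inputs may be kept in the
  // browser's form autocomplete history, values of password inputs are not.
  if (form) {
    form.addEventListener('submit', remask);
  }

  return { sync: sync, remask: remask };
}

// Browser wiring (skipped when there is no DOM). The ids are assumed names.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    var input = document.querySelector('#password');
    var box = document.querySelector('#show-password');
    if (input && box) {
      attachShowPassword(input, box, input.form);
    }
  });
}
```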
Comments
Latest posts
- July 8th, 2009 Why are we typing passwords twice?
Ha, great angle Jan! Indeed I do hate the confirm box and using the [ ] Show password would certainly be more user friendly….
.. or would it? I would like it for sure but judging what’s best for the fat part of the bell curve is risky. How about doing some A/B-testing on this one? Actually some thorough testing of several of your ideas, such as this, Show password and Valid8, could lift them from good ideas to solid, point-of-reference facts.
As long as there won’t be heaps of “You are the idiot with bad habits”-comments below this one I might try to get this logic into our current project.
This is interesting.
Entering the password twice can be avoided if we are using the above design pattern. Even if we forget what we gave as our password, there is always a way to get our passwords back using the ‘Forgot password!?’ link (most of the popular sites provide this).
… and what about ‘hiding’ password with bullets !?, without this “convention” no need to type it twice ;)
There are (few?) scenarios when you want your password behind bullets. Like when you are logging in on a projector screen in front of an audience. Or when someone might be peeking over your shoulder.
So add a checkbox for show password and if you’re on a projector or in a public place, leave it hidden, if you’re at home or sure there’s no one else there, show it.
I can’t agree more.
This “disease” has also spread itself to email fields.
Passwords should be shown always or at least be given a checkbox to show them, like in your example.
Great post, perfect follow-up to your show password jquery plugin. I’ve noticed a lot of sites making you confirm your email address also. You might argue that is more important to confirm, since it’s easy to have a “forgot/reset password” link, but for an incorrectly entered email address, it’s more difficult. As a user who uses texter for entering my email address, though, it’s not as much of a pain for me, but just feels unnecessary.
I think a good start for a sign up is an input field for email and only that, put all the rest after the email activation email. That way it really doesn’t matter if you type in the wrong email. All you have to do is to type in the correct one.
Sounds like you read Jakob Nielsen’s controversial post to Stop Password Masking ( http://www.useit.com/alertbox/passwords.html ), or other blogs that addressed it. Your idea has been all over the web the last few weeks.
Usability is about assisting your target audience. If your audience is young and hip, then you can use your method with few complaints. If your audience is older and/or less computer savvy, then you’re asking for trouble. Some might think your site is less secure because they can see their password. Some have trouble typing correctly because they used to type on a typewriter not a keyboard. Asking those people to find and use the Forgot Password mechanism is like asking them to find a different website to use. Which they will.
Usability is about helping your audience do what they want to do on your site. Don’t mistake your wants for theirs.
Sure did. This was my response to that: http://www.unwrongest.com/blog/dont-stop-password-masking-let-the-user-decide/
But this is a bit of a different problem, but which might have the same solution.
You are absolutely right that usability is about assisting your audience and that is exactly what I am trying to do by removing unnecessary work. I, obviously, think that that extra input field creates more problems than it solves. A lot of other people (Apple, Microsoft, Virb, Facebook) seem to think so as well.
If your audience has to find it (as in look really hard for it) then you have a whole different problem. A good idea is to present a very visible link to the “Forgot Password mechanism” next to the login form, and an even more visible link when they try to log in with the wrong password.
I don’t think I am mistaking my wants for theirs. I as a user get annoyed by having to type my password twice and some of the “less computer savvy” people I have talked to don’t even know why they are doing it.
The “letting the user choose” solution that you promote is nice and good, another solution would be to mask as one types (type a letter in clear text, then mask it after n-seconds or after another type).
But all these solutions forget the MAIN reason why password needs a confirmation:
Plain HTML, without JavaScript, does not allow any of the above solutions. THIS IS THE MAIN REASON web developers chose this in the past, solving typos but also making it compatible across different clients.
Today of course any modern developer will use JavaScript/Flash or other fancy tools, but this pattern is mostly followed because of inertia.
There is another jQuery plugin that works pretty much like that:
http://blog.decaf.de/2009/07/iphone-like-password-fields-using-jquery/
I think it works perfectly on my mobile phone, but on my computer there are times when I want a completely masked password:
“There are (few?) scenarios when you want your password behind bullets. Like when you are logging in on a projector screen in front of an audience. Or when someone might be peeking over your shoulder.”
Another example of reason C is the reset form buttons. Who needs a convenient way to completely erase a form he’ll fill once?
The real question is: why are we now typing our email addresses twice?
If people can’t be expected to get their own email address correct while being able to see it in plain sight, how will things be any different by making passwords visible?
Here is another reaction to JN’s Alertbox about password fields. It’s on my blog:
http://tribune.majlab.com/code_examples/mask_password.html
It works standalone, without jQuery or similar JS library.
very good!
cool!
The problem with the show password is that your password is not meant to be displayed. Indeed typing your password twice only makes sense if both fields are password fields, greeking the text you type.
Your own Keycan app is using the double password method, perhaps you should update it.
Let me think some minutes.. it’s a really great question and .. if web developers use this method .. I see, yeah, useful..
Rofl, You gotta practice what you preach man, I just had to freakin retype my password on the keycan sign up!
We also read Jakob Nielsen’s article and decided to use it for our website http://www.chineseteachers.com, but we went even further than you. We decided to show the password by default.
You can see that we have ‘Mask password’, and when clicked, we get two fields, simply because there will be times where you cannot read your password but want to be sure this is right (e.g. when using numbers).
I am with you on unmasking the password but to be honest I am all about entering your email twice. I am in the process of adding that to my site. You would not believe how many people mistype their own email. From a guy that runs an online store here is how it goes…
1. The customer buys something
2. You ship it
3. They don’t get any response and figure the order didn’t go through.
4. They try to log into the website to check their order with their correct email only to find that an account does not exist for that email address.
5. They then either send a pissed off email wanting to know why you took their money or they simply call and file a chargeback with the bank.
6. They order from someone else
7. When they receive the product they are pissed because they have to send it back and pay shipping or they refuse it and we have to charge them the return shipping. Either way they are pissed.
ALL BECAUSE OF A TYPO….. Yes, if entering in an email twice helps cut down on the number of times I have to deal with this situation I am all for it.
just my 2 cents :)
I’ve been writing about the same topic and someone suggested implementing a system which Apple uses on its iPhones. After every new entry in the textfield, the previous entry changes into a dot.
p
*a
**s
***s
****w
*****o
******r
*******d
This system doesn’t need the extra mouse-click and people can quickly continue with filling in the form without any hassle. You can always read the conversation here: http://www.paulolyslager.com/why-do-passwords-appear-as-dots-in-a-form.
I agree that most developers are creatures of habit and simply add the extra field because we always have. I am very much in favor of the “Show Password” query as a replacement for the redundancy that we are all so accustomed to.
I like it. Anything that reduces the workload for a user is a step in the right direction in my opinion. I’m not really sure that all users (and certainly most clients) would be comfortable in submitting a password that had been typed only once into a masked text box. Clients would be worried about data quality and users (particularly non-proficient users) would be worried about typos.
So although somewhat controversial, I actually agree with father Jakob’s recent(ish) alertbox… Don’t mask passwords (http://www.useit.com/alertbox/passwords.html)… unless of course your application warrants it, for a real or perceived security need. So my approach would be:
1. One password box
2. Non-masked by default
3. Check box to MASK the password
Of course it depends on what and who you’re designing for, but as a default position I think this is good because it:
a) reduces user workload
b) allows a user to visually confirm password is as intended
c) can allay shoulder-surf fears of some users
Just my 2 cents.