Why are we typing passwords twice?
We are typing passwords twice because of legacy design patterns we forgot to abandon. There is no reason why everybody should suffer just because a few can’t type their password correctly. I jump confirmation ship!
I’ve created about ten sign-up forms in the last year and all of them have a “Confirm password” input. My only sure reasons for that extra input field are habit and preconceived ideas.
We are typing our passwords twice because
To find out the reason for the “confirm password” input field I did some light Googling. This is why other people add an extra password field to their sign-up forms.
a) We use this as confirmation that we typed what we meant to type.
b) It is a convention, it is what we expect and therefore get.
c) Web developers are bad-habit-forming idiots with preconceived ideas.
d) If we type it twice we are more likely to remember it.
I am a combination
For me it is a combination. A is probably the original thought behind it, but it is also something that I just expect to be there. But I also think it’s legacy design. Something I should have abandoned years ago, or at least when I learned to create a better solution of my own.
A – Confirmation
My guesstimate is that most people actually do type their passwords correctly, even if they only see stars or bullets. If they don’t, they will probably find out soon enough and use the “I forgot my password”-link. I don’t think everybody should suffer just because a few can’t type their password correctly.
B – Convention
It is actually not so much a convention nowadays as it might have been a couple of years ago. Just look at Virb or Facebook.
C – Idiocy
Most web developers aren’t idiots, but there are some things we, I at least, do without thinking much about it. One of those things is probably creating an extra input and forcing you to type your password twice.
D – Memory
No.
Instead of confirm password
One solution is to just kill that extra input, like Virb and Facebook have done. Another is to replace it with a “Show Password” checkbox using the Show Password jQuery plugin.
People who want a confirmation that they spelled their password correctly can tick the checkbox. Others can ignore it. And that I like, stuff you can ignore if it doesn’t concern you.
You can’t validate email addresses with regular expressions
There is no way of validating email addresses using regular expressions, but regexps and emails are still a useful mix. You can use a JavaScript email validation regexp to provide useful user feedback and prevent unnecessary typos.
There are several reasons why there cannot be a perfect regular expression for validating email addresses. Firstly, the official standard, RFC 2822, only specifies the basic email address syntax; john@doe.superman is a valid email address according to RFC 2822. The standard also supports characters, like " and [, that some email clients can't handle.
Secondly, and more importantly, even if the email matches a perfect regular expression, there are no guarantees that the email address belongs to the user, or even exists.
With all that said, I still believe live JavaScript-based email address checking using regular expressions is a good idea. You can use it to keep users from making unnecessary typos. You don't have to force them to pass the validation, just let them know if you suspect the email to be faulty. Try the demo, created with the jQuery plugin Valid8, above and you will see what I mean.
/^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+(aero|asia|biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|ax|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|me|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|rs|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tl|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)\b$/
Above is the regular expression I use. It is heavily based on a regexp from regular-expressions.info.
How do I validate email addresses if not with regular expressions?
Sending an email activation link is a perfect way of validating an email address. You email a link the user has to click on to complete the registration. The link should be disposable and often looks like this: http://www.unwrongest.com/signup/?guid=8373629375284563
Never trust client-side validation
Lastly, remember that you can never, ever, trust client-side JavaScript validation. It is very easy to tamper with. All validation you do on the client side has to be done again on the server side. Client-side validation should be mainly for the user's sake.
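The last two points, the disposable activation link and repeating the validation on the server, as an added Node.js example that is not the author's code. The in-memory `pending` map, the 24-hour lifetime, the `example.test` host and all function names are assumptions; only the `guid` parameter name follows the sample link above.

```javascript
const crypto = require('crypto');

const TOKEN_TTL_MS = 24 * 60 * 60 * 1000; // assumed lifetime: 24 hours
// sha256(token) -> { email, expires }; stands in for a database table.
// Only the hash is stored, so a leaked table cannot be replayed as links.
const pending = new Map();

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Server-side re-check. The browser regexp is advisory and can be bypassed,
// so cheap structural limits are applied again before anything is stored
// or mailed. This is deliberately loose: the activation mail is the real test.
function looksLikeEmail(value) {
  if (typeof value !== 'string' || value.length > 254) return false;
  if (/\s/.test(value)) return false; // also rejects CR/LF aimed at mail headers
  const at = value.lastIndexOf('@');
  const dot = value.lastIndexOf('.');
  return at > 0 && dot > at + 1 && dot < value.length - 1;
}

// Returns the activation URL to e-mail, or null when the input is rejected.
function startSignup(email, now = Date.now()) {
  if (!looksLikeEmail(email)) return null;
  // 256 bits from the CSPRNG: not a counter, timestamp or short number.
  const token = crypto.randomBytes(32).toString('hex');
  pending.set(sha256(token), { email, expires: now + TOKEN_TTL_MS });
  return 'https://example.test/signup/?guid=' + token;
}

// Redeems a token exactly once; returns the confirmed address or null.
function activate(token, now = Date.now()) {
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return null;
  const key = sha256(token);
  const entry = pending.get(key);
  if (!entry) return null;
  pending.delete(key); // disposable: removed on the first redemption attempt
  return entry.expires >= now ? entry.email : null;
}
```

An address the regexp would flag, such as john@doe.superman, still gets a link here; whether it is real is decided by whether the link is ever clicked.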
Latest posts
- July 8th, 2009 Why are we typing passwords twice?
- July 5th, 2009 Don’t stop password masking; let the user decide
- June 1st, 2009 You can’t validate email addresses with regular expressions
- May 20th, 2009 Konami Code: Why so verbose, when you can make it in 140 characters?
- May 18th, 2009 Let your users know if Firebug slows down your web page.