156

It would be easier to ask for a user's password only once during registration.

The problem: the user could make a mistake while typing the password once, because the letters are hidden.

The solution: the user could have a toggle button for showing or hiding the password.

Working example with toggling the visibility of the password. This approach could be used on the registration or login page.

Are there any benefits to asking for a user's password twice during registration vs. just not masking the password? Why would you ask twice?

P.S. Jakob Nielsen about unmasking the password:

  • Users make more errors when they can't see what they're typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
  • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

Update: I created a WordPress plugin which unmasks the password field. So you may use it if you want to.

Update 2: WordPress.com uses the same technique to show and hide the password.

Update 3: Internet Explorer 10 added a toggle password visibility icon.

Update 4: Article about unmasking passwords on Smashing Magazine.

Update 5: Example with unmasking the password on focus.

webvitaly

  • Related: http://ux.stackexchange.com/questions/484/is-a-repeat-password-field-necessary-in-a-signup-page – Ben Brocka May 04 '12 at 14:41
  • Unlike the other question I've tried to keep this question focused on masked vs. unmasked passwords. A problem with the old question is that most of the "answers" are opinions or completely alternate ways to handle the situation (don't have a password, use OpenID, etc.). Please keep answers related to the actual question. – Ben Brocka May 04 '12 at 15:13
  • Better yet, use OpenID and avoid making the user create yet another account. – 200_success May 04 '12 at 17:50
  • Regarding Nielsen's second point, part b: if the user is copying and pasting from something like KeePass, then there is arguably a security gain, not a loss. This is also another reason not to have a "repeat password" field: I'm copying it anyway, so the enter-twice method is not gonna "catch" any errors (which KeePass, presumably, somehow magically introduced). – Superbest May 05 '12 at 13:37
  • There's this interesting experiment from The Netherlands that I somehow had to think of while reading the post above. There was this one specific junction where a lot of car accidents would occur. The solution was to remove any traffic signs and warnings. The car drivers would take more notice of the environment and generally pay more attention to what's going on. Applying this to the two password fields, I think 2 password fields make the user less cautious of any typos he or she is making because of laziness. Having just one field will make them pay more attention to what they're putting in. – Nick van der Wildt Sep 11 '12 at 08:23
  • How about just letting users use their existing identities from Facebook, Google, etc.? – z-boss Jan 03 '13 at 19:42
  • The premise is that since password reset is a lot cheaper/easier than ever, asking the user to repeat their password is no longer necessary? Two things: password reset is much more complicated for a user than simply repeating a password in the first place. If somebody signs up to an unfamiliar site and then can't log in - are you SURE they're going to think they got the password wrong? Or perhaps they'll think this new site they've never used before is just a complete pile of broken rubbish, and never return. What impression would you like to give your users? – Lee Kowalkowski Jan 29 '13 at 22:09
  • @LeeKowalkowski The main idea of this post is to hide or show the password. WordPress chose to show the password, and the user does not have to input the masked (blind) password twice - https://signup.wordpress.com/signup/ – webvitaly Jan 30 '13 at 10:13
  • Do you allow long passwords/phrases? So long, the password field scrolls so that not all of the password is in view? If you do, they're still hidden! Also if it's not hidden, you're probably not using a password field (as in ). So you could be swindling some poor users out of some browser behaviour also attributed to usability or accessibility (How would you know? You can't experience everybody's set up). Why don't you just stick to what users expect? Password fields are hidden from view for good reason, but now people think they know better? continued... – Lee Kowalkowski Jan 30 '13 at 13:13
  • ...Revealing my password to me would not help one bit, because I can't verify them. The ONLY way I can verify my password is correct is to type it again. Why? Because I don't know what my passwords are. I play keyboards, my password technique is to pick a tune, and play it as if the QWERTY row are the white keys and the numbers are the black keys (E.g: Inspector Gadget: qw3rt35wr3qw3rti7). All I remember is which tune I'm playing, what key it's in, how much of the tune to play. @Dean's answer below covers this, and is the reason you STILL need to ask for the password twice. – Lee Kowalkowski Jan 30 '13 at 13:19
  • @LeeKowalkowski "Password fields are hidden from view for good reason, but now people think they know better?" - yes, now people know better because of user testing. "I play keyboards, my password technique is to pick a tune..." - so an unmasked password will only help you with your technique. An unmasked password will show if CAPS LOCK is enabled, or if the language is switched to another one, and so on. But if there is a spy behind your shoulder [:)], you may hide the password by clicking the visibility toggle button. – webvitaly Jan 30 '13 at 23:22
  • They tested all users? Using a real password field will also warn me when CAPS LOCK is enabled. Regardless, there are people that NEED double-entry validation, because their passwords aren't simple to verify like the average person's simple passwords. If you showed any of my passwords to me, I honestly couldn't tell you if it was right or not. I just want to punch it in twice. If visibility is a little check-box option, why isn't double entry? – Lee Kowalkowski Jan 31 '13 at 08:57
  • ...also the article (http://www.nngroup.com/articles/stop-password-masking/) that started this was about login, not registration. – Lee Kowalkowski Jan 31 '13 at 09:01
  • @LeeKowalkowski You are so conservative :) If everyone thought like you, then we would still use the font tag and meta keywords. Try to type a masked password on a phone or on a keyboard with erased letters and you will understand which approach is better. – webvitaly Jan 31 '13 at 10:01
  • I do type masked passwords on my phone, that's the default (last letter reveal is understandable since the keyboard is not conventional). Responsive design would be useful. You don't just go making changes because they suit one platform. The issue is you're jumping ahead of the OS/native offering by unmasking passwords outside of the OS/native facility. People stopped using the font element as soon as the browser offered the alternative; you're deviating from standards before they've been set. Not cool. If unmasking was good, the browser should offer it for all password fields. – Lee Kowalkowski Jan 31 '13 at 15:06
  • "keyboard with erased letters": ha ha, I rarely look at my keyboard anyway... – Lee Kowalkowski Jan 31 '13 at 15:12
  • @LeeKowalkowski "you're deviating from standards before they've been set. Not cool." WordPress.com and Jakob Nielsen already changed those 20-year-old standards. Or do you know better authorities in usability? :) – webvitaly Jan 31 '13 at 16:36
  • It's not about that, it's a usability observation; the golden rule is not to recommend solutions from them. If password masking is an issue, which I don't doubt, then it's a system-wide issue, not for every web developer to solve independently; inconsistency doesn't help the user. UX is not just web, by the way. Think of password protecting a spreadsheet, there's no simple reset method. Unmasking must be implemented everywhere on a device, and won't always make double-entry obsolete. Solving this is like writing a polyfill before you know what to fill. – Lee Kowalkowski Jan 31 '13 at 22:38
  • The WordPress technique doesn't work on IE8, this might be a poor example (because you probably don't care about usability for those users), but imagine the technique fails in other technologies like automated password storage systems or because the password field is now a normal text field and stored in the browser's form auto-complete database unencrypted. You could do some serious damage (unintentionally I understand). Jakob made a grave error recommending the checkbox; the web form is the wrong place to solve the problem. – Lee Kowalkowski Jan 31 '13 at 22:48
  • @LeeKowalkowski "The WordPress technique doesn't work on IE8" - it is the problem of IE8 and lower. Older IEs cannot change the type of an input properly. It was fixed in IE9. "You could do some serious damage" - "masking the password" and "encrypting the password" are two independent actions, and everything depends on browser behavior, but all modern browsers secure this data pretty well. "Jakob made a grave error recommending the checkbox" - you don't have enough karma to say such things ;) – webvitaly Feb 02 '13 at 20:21
  • You're unmasking a password by having it cease to be a password field, so another person could discover it on-screen using autocomplete, regardless of how well a browser has secured the data internally. I don't understand your karma statement (the Conservative statement did not make sense to me either). I have been following Jakob for a very long time, long enough to know that usability findings are observations, and you can't recommend solutions right off the bat: http://www.nngroup.com/articles/first-rule-of-usability-dont-listen-to-users/. Masked should be the default, reveal, opt-in. – Lee Kowalkowski Feb 02 '13 at 21:56
  • ...it also appears Windows 8 does this natively, I'm very happy to hear that... except WordPress users will probably wonder why it's not there on those password fields. – Lee Kowalkowski Feb 02 '13 at 22:06
  • @LeeKowalkowski "so another person could discover it on-screen using autocomplete" - the param autocomplete=off could be added to the password field. "I don't understand your karma statement" - it was a joke that you have 150 karma and you are trying to teach Nielsen what is good for users :) "the Conservative statement did not make sense to me either" - I meant that you are protecting the old-school approach. Read this topic, you're gonna like it too ;) http://ux.stackexchange.com/questions/20924/why-isnt-the-remember-me-checkbox-in-login-forms-enabled-by-default – webvitaly Feb 04 '13 at 09:33
  • autocomplete=off does not help the user. The user is the beneficiary of usability. If they're happy to use browser-classic features like password storage/autocomplete/the back button, the web designer's duty is to make sure those features remain available. Nielsen knows what's good for users, but he said password masking must stop, but not you must stop it. You don't mask the password, the OS does. Therefore, the OS must stop masking the password, it's not your fight. He could have made that clear. He's not going to deny if the OS did it everywhere, for all passwords, that would be best. – Lee Kowalkowski Feb 04 '13 at 10:03
  • So I'm not protecting an old-school approach, I'm protecting usability; the guys that are solving the problem in the wrong place are hurting usability. What is 150 karma?!?! – Lee Kowalkowski Feb 04 '13 at 10:07
  • @LeeKowalkowski "OS must stop masking the password, it's not your fight" - I created this topic so that people start talking about it and thinking about what is better. If developers do not talk about it and do not make it in real projects, then the OS may never make this "because nobody talks about it and nobody needs it" :) It is an infinite loop which could be started by someone. Many features on the web started from web developers (read about the img tag), and if it is popular and usable, then the W3C makes it a standard. – webvitaly Feb 04 '13 at 11:18
  • @LeeKowalkowski "What is karma?!?!" You have 163 points of reputation; it is your karma - http://ux.stackexchange.com/users/4374/lee-kowalkowski – webvitaly Feb 04 '13 at 11:19
  • That's the first time I've heard it referred to as karma! Reputation is merely an indication of how much time one has available to spend contributing to a certain community, and not a reflection of how knowledgeable or experienced one is. – Lee Kowalkowski Feb 05 '13 at 10:35

16 Answers

175

We should not ask for the password twice - we should ask for it once and make sure that the 'forgot password' system works seamlessly and flawlessly.

Roger Attrill

  • So if I sign you up for an account and you get an e-mail verification link and don't click it, I should be able to spam you with forgotten password emails? Anyway, you need some other form of identification for your forgotten password feature if password isn't the sole method of authentication. By relying on the forgotten password system like that, you're just making the e-mail so important that we'll need to enter that twice instead. – Janus Troelsen May 04 '12 at 18:20
  • @JanusTroelsen Plenty of high profile sites manage without entering any details twice - for example, ones I'm aware of include twitter, vimeo, gist, kontain, foursquare, digg, friendster, last.fm, stumbleupon, xing, typepad, yousendit, yelp, toggl, tumblr, dropbox, dribbble, bebo, flixster, disqus, harvest, trello, mailchimp, huffduffer, and bang. – Roger Attrill May 04 '12 at 18:42
  • @Roger - Making someone go through a (perhaps multi-step) password recovery process because they accidentally had CAPS LOCK on or mistyped a letter is a horrible User Experience. Additionally, showing passwords is not secure at all and in any eCommerce setting is bad practice. Having the user type passwords twice with good feedback, a la "Passwords Match!" or similar is common, useful and will provide users with the satisfaction of knowing they didn't mistype. – Tha Riddla May 04 '12 at 15:43
  • @RogerAttrill users also misspell/mistype their emails, unfortunately – frozenkoi May 04 '12 at 19:41
  • @Tha Riddla If users accidentally have CAPS LOCK on, having them type the password twice most likely won't help… – Ben Hocking May 04 '12 at 21:31
  • @frozenkoi true, but you can't ask for every field to be filled in twice, even the important fields. For instance, have you ever been asked to fill in your credit card number twice on an ecommerce site? – JonW May 04 '12 at 21:58
  • @JonW No - but then again the credit card number is visible the entire time and I can recheck it if I want to. – Dason May 05 '12 at 00:24
  • @Dason that's kind of my point. Isn't your credit card number more important to you than your password? If passwords are double required in secret masked fields why does nobody care that the credit card number is entered in free visible text only once? – JonW May 05 '12 at 01:41
  • @JonW: Credit card numbers should probably be masked, but the reason you're only asked to enter them once is because they already contain a CRC. – May 05 '12 at 08:50
  • @JonW: because you don't want people looking over your shoulder to be able to read your password, while people can easily discover your credit card number from, well, looking at your credit card? – Marjan Venema May 05 '12 at 08:59
  • @JonW Usually you type your password or email twice when setting up an account (or changing the field), during which time a forgot-password system is likely unhelpful. The purpose of entering a field twice is so that it's not entered wrong; a wrong password/email during account creation leads to an inaccessible account. Entering a credit card number wrong won't lead (hopefully) to billing the wrong person, but you can reach that point in the purchasing process and try again (admittedly, it might take a few days to get notified that the credit card # was incorrect). – frozenkoi May 08 '12 at 01:47
  • I totally agree with @Tha Riddla. Suppose you want to set your password as "hello" but what you type is "jella"... I think you won't make the same typo two times in a row... – Ankit Mar 17 '13 at 20:17
  • There's no problem with credit card numbers, since they wouldn't get through validation, since IBAN numbers have this nice little checksum built in. You pretty much can't make an unnoticed mistake on that one! – Mvision Apr 16 '13 at 16:06
  • @JonW Your credit card number is not really a secret. You give it to the merchant to which you will pay. Passwords, on the other hand, are conceptually a secret. The computer server that you log in to typically stores a hash of a password. If you hash your password and give that information to the server, the server can verify it is you, without actually knowing your secret password. – Brandin Aug 24 '18 at 08:48
44

Like Roger says, ideally you can reset your password easily and securely, but there are certain times that's not an option.

If you're not validating email addresses it's more important that their login credentials are correct; if they lose their password it might be game over if they entered fake email information.

Assuming you have to have a password and you care that it's correct, which seems to be the basis of your question, you have two options:

  1. Don't mask and only ask once. This works great on personal PCs as masking has negative effects as you pointed out. Since PCs are largely personal this can be okay for many uses where privacy isn't a large concern.
  2. Mask, but use a confirmation. This is made necessary because of the potential for typos. For a secure login, the overhead of one field is easily outweighed by addressing the edge-case situations of over-the-shoulder reading.

Trust is an issue if you're not masking. In creating a prototype for an HCI course my team actually used this one password field, no masking approach (without thinking; we just didn't know how to mask passwords in the program). Two of our users (out of 10) were concerned that their passwords did not mask as they entered them. Just the act of seeing your own, unmasked password can be sort of jarring; we're all used to seeing it as a set of filled dots, after all.

Password masking is a convention, and a certain number of people are going to freak out if they don't see it; even if the security benefits aren't real, they are assumed. Definitely keep masking for any sort of secure site or when trust is an issue. I would need some good hard data before I'm comfortable with a no-masking approach on any sign up.

Ben Brocka

  • I agree that seeing your password in plain text is generally pretty jarring. I did some research to see if I could find any data to support it, but unfortunately most of the plaintext password rage seems to be directed at companies who email you passwords in plaintext. Still, it seems that a few people disagree with Nielsen on this one - the psychological aspects can't be ignored. – kastark May 04 '12 at 15:19
  • You should *never* be able to recover your password. You should be able to regain access to your account and reset your password. If your password is stored in a way that it can be recovered, it's not stored securely. One-way hashing should be used to transform the original password into something unintelligible. – zzzzBov May 04 '12 at 15:25
  • @zzzzBov agreed, I meant reset. – Ben Brocka May 04 '12 at 15:26
  • @BenBrocka, I figured as much, but it's worth laying down a thick layer of caution for anyone who didn't know. – zzzzBov May 04 '12 at 15:27
  • @BenBrocka: Could this example solve a major part of the problems? Problems like: asking for the password once, showing the password to avoid mistakes and hiding the password for security. – webvitaly May 04 '12 at 15:40
  • @zzzzBov Disagree on the never part. For most use cases one-way hashes are the correct option; but when you need to provide application A the ability to automatically connect to application B while masquerading as you, your application B password needs to be stored in a reversible form. Configuring one email account to access a second when the latter doesn't offer or has an upcharge for forwarding service is probably one of the most common cases for this. – Dan Is Fiddling By Firelight May 04 '12 at 15:49
  • Validating an email address is only relevant to avoiding problems when creating an account. It's not a guarantee of avoiding problems if the password is forgotten in the future, since there's no assurance that the address is still valid. – Dan Is Fiddling By Firelight May 04 '12 at 15:51
  • @DanNeely, that's not the same as a password for registration. Google Chrome stores any saved passwords in cleartext, because there's no way to keep a pass-through password secure. – zzzzBov May 04 '12 at 16:02
  • @BenBrocka - I'm trying to figure out what this sentence means: "For a secure login, the overhead of one field is easily outweighed by addressing the edge-case situations of over-the-shoulder reading." I've read it over and over and it still doesn't make sense to me. Care to explain? Why would anything be outweighed by edge-cases? Edge-cases are the things you shouldn't be worrying about. – Charles Boyung May 05 '12 at 00:14
  • @CharlesBoyung, when it comes to security, outliers are just as important if not more important than typical use. If you ignore edge cases as far as security is concerned, then you've left yourself wide open to a wide array of attacks, because attackers certainly won't ignore the edge cases. – zzzzBov May 05 '12 at 18:03
  • @webvitaly I really like that sort of toggle button personally, but I'm unsure how well it'd fare in the wild. I'd love some data on that; to date I've never seen anything do that, except Facebook does something kinda like that if you mis-input your password once (on mobile) – Ben Brocka May 09 '12 at 21:17
  • This post is a lot funnier if you expand the PC acronym: This works great on personal personal computers as masking has negative effects as you pointed out. Since personal computers are largely personal this can be okay for many uses where privacy isn't a large concern. – shea Jul 08 '14 at 07:33
  • This guy should know what he speaks about: "On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords" – maaartinus Feb 19 '17 at 01:25
30

I like the way Microsoft handles this in Windows 8. There is a single password field, and a button that displays the password while it is held down. That way, the user can check for typos. If the user enters their password with great confidence, then there is no need to enter it twice or look at it, but people who want to see if they typed it correctly can, and still don't have to type it twice. Because the button acts like a physical normally open switch, it masks the password on release, which helps keep the unmasked password from prying eyes.

maxathousand
Owen Johnson

  • I agree this is a good solution: if you're on your own then you can choose to display the password. If you're in an open plan office you can choose to keep it masked. – PhillipW Sep 06 '12 at 19:44
20

The double-entry system for passwords is standard and consistent, so I don't believe there's any significant usability harm in continuing to ask for it twice.

The purpose is simply verification to prevent the user from making more mistakes than necessary.

Masking and unmasking are not ideal options, as there are times when a user could be registering in a public place, or with people observing them.

As anecdotal support: I have had numerous times where I've signed up for an account at a friend's request, or for a particular class. It's much more secure to type my password twice with it hidden, than reveal hunter2 to everyone.

An alternative is to make the password verification an optional part of the sign-up process. The first entry is good enough; the second is there only as a fail-safe for the user's convenience.

zzzzBov

  • Another thing about double-entry is that it helps the user remember newly created passwords. – RobC Sep 07 '12 at 17:43
  • I stopped trying to remember passwords. I just auto-generate them and use a password store to keep track of them for me. Luckily, it auto-fills both password fields automatically with the newly generated password :-) – André Jan 29 '13 at 10:44
14

Unmasking the password does not help for some users. If your password is mydogsname, then sure, but what if your password is 0rt(CH8gd!@$8? Some users use motion based passwords (their fingers follow a pattern) in which case they will not be able to easily notice a typo.

Also, some users use pass phrases instead of passwords, and the length of these will once again make it harder to spot a typo.

Dean

  • It's worth pointing out that these are the only kind of passwords that really afford you a lot of protection. Words in the dictionary and personal information are usually easy enough to crack. Adding a digit at the end or l33ting it is usually only a little better. – rbwhitaker May 04 '12 at 22:02
  • @rbwhitaker: No, such passwords are terrible because no one can remember them. A random 4 word sequence is as secure as 8 purely random characters, and easier to remember. – May 05 '12 at 08:55
  • @JoeWreschnig: What you're saying is true. If you can't remember them, or if you have the "PC Sunflower" (with sticky notes of all of your passwords stuck around the edges of your monitor), you have a different set of problems, but they're not very vulnerable to brute force guessing attacks. I, for one, am able to memorize these random passwords just fine. But Dean mentions pass phrases too, which as you, yourself, said, can be pretty effective. I was referring to both of these types of passwords. Either one is much more secure than more "traditional" passwords. – rbwhitaker May 06 '12 at 01:26
  • One technique that never gets a lot of attention is password algorithms. You don't have to remember anything, since you generate a password based on something specific to what you need the password for. Every site you go to you just need to follow the steps you made up, and you'll get a unique password (most of the time). – Dean May 06 '12 at 04:05
  • I mostly use completely randomized passwords, and what Dean says is true. I don't know what a single password of mine looks like. It's just a sequence of key strokes, done by muscle memory. If I need to remember a password exactly, I have to imagine a keyboard to be able to know it. – poke May 10 '12 at 19:06
  • @Dean true. As an example, I now generate 99% of my passwords using an algorithm, with this open source tool that I designed: http://enlargeyourpassword.com. – Eric Bréchemier Sep 07 '12 at 09:49
11

As Ben said, some users will be disturbed by unmasked passwords, for good reasons.

You could offer a toggle, but that won't really help users in this class. They'll know you intended for them to see their password (not a bug), but that doesn't provide reassurance.

In addition, if using the toggle control interrupts the flow of filling out the form, you have introduced a barrier instead of making it simpler. (Type password) - tab - (type password) is easy and common; is your flow as easy as that?

Another approach: I've never seen this on a desktop machine, but I have noticed that when typing passwords on my phone the device displays only the current symbol, masking the previous ones. I assume this is because of the high rate of inaccuracy on phone keyboards compared to physical ones. Perhaps you might look to see if anybody has explored that kind of interface on a desktop machine as an alternative to the double-entry. (But there will still be some user astonishment there; the first time I typed the first letter of a password on my phone I was certainly surprised.)

Monica Cellio

  • Why the downvote? – Monica Cellio Jun 12 '12 at 21:09
  • "In addition, if using the toggle control interrupts the flow of filling out the form, you have introduced a barrier instead of making it simpler. (Type password) - tab - (type password) is easy and common; is your flow as easy as that?" That's easy to prevent. Use tabindex in your input elements. – Victor Bjelkholm Aug 31 '12 at 19:40
  • @VictorBjelkholm, that's one way to address it. Another is to put the toggle checkbox above the password inputs. The implementation has to consider this aspect of the UX and we can't take that as a given, unfortunately. I still think it's a bad idea for the other reasons given here. – Monica Cellio Aug 31 '12 at 20:02
  • Well, the checkbox would also need to use tabindex or else the username -> tab -> password flow is ruined. – Victor Bjelkholm Aug 31 '12 at 20:29
4

Mistakes while typing the password are the best reason why websites ask the user to confirm their password. In most websites/forms, the second password entry validates that both texts match and flashes an error if they don't.

I read through the link you mentioned, but toggling the visibility of the password is still a security issue and users shouldn't be given that option.

Mayo

  • "the second password type validates that both the texts matched" - what if the user accidentally switched to a French-language keyboard but wanted to type the password with English letters? So the user thinks he is in English, but he typed French letters twice. Both "French" passwords match each other and registration was successful, but the user remembers the "English" password. So the user cannot log in, because he cannot enter his "English" password, because it is saved as "French". The best solution for this is to give the option to show the password, and then there is no need to ask for the password twice. – webvitaly May 04 '12 at 14:42
  • Agree. I have faced this problem where CAPS LOCK was on for some reason and I just couldn't log in later. Retrieve password made me realize the mistake - though I believe we shouldn't have a retrieve password option at all. It should always be recreate new password. – bschandramohan May 04 '12 at 14:45
  • @ChandraMohan: that's why many login dialogs now display messages about caps lock, either immediately, or upon a login failure. – Marjan Venema May 05 '12 at 09:03
2

Windows Phone 7 has an interesting solution to this problem. Typos are so common with the on-screen keyboards that it makes a lot of sense that they spent the extra effort here.

You'll see the last character you typed into the password field for 2 seconds before it turns into a *. I pretty much duplicated this functionality with some JavaScript just now... http://jsfiddle.net/SWortham/rQJaP/13/embedded/result/

Someone looking over your shoulder would really have to have their eyes glued to the screen as you're typing to decipher your password. And yet, for those paying attention to the screen as they type, it'll help prevent the stupid mistakes like having CAPS LOCK on, or simply hitting the wrong key.

(There are some bugs with this when it comes to selecting and deleting the password. With a little more time these things could probably be worked out.)

Steve Wortham
  • Pretty good solution to the problem. But I think this example - http://jsfiddle.net/webvitaly/Jdtke/embedded/result/ could solve the major part of the problems better. Problems like: asking for the password once, showing the password to avoid mistakes and hiding the password for security. – webvitaly May 13 '12 at 18:35
  • 1
    Android and iOS do this as well. It's helpful but not perfect for long passwords; if you type fast it's easy to miss one or more characters. – Ben Brocka May 13 '12 at 19:18
  • @webvitaly - Yeah, I liked that approach as well. I can definitely see pros and cons of each. – Steve Wortham May 13 '12 at 19:46
  • @BenBrocka - I agree, if you're typing fast it's hard to see every letter as you type it. But I do like how it solves certain problems without requiring the user to read and follow additional instructions, or toggle any options. – Steve Wortham May 13 '12 at 19:48
  • Showing characters for 2 seconds is good, but I think the ability to view all characters at once is still very useful if you want to verify the whole password or if you are trying to fix one char in the password. Seeing the last character doesn't help when fixing a password. – Anna Rouben Jun 11 '12 at 18:46
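The answer above describes the Windows Phone behaviour and links to a jsfiddle that is not reproduced here. The following is an added example (my own code, not the answer's fiddle and not from any commenter) that models the same "reveal the last typed character for 2 seconds" rule. The real password is kept in a model object and copied to a hidden input, so the visible text box only ever holds the rendered mask. The element ids `pw-visible` and `pw-hidden` are assumptions for the browser wiring; the model itself runs under Node.

```javascript
// Added example: last-character reveal masking, modelled on the Windows
// Phone 7 behaviour described in the answer. Not the answer's own code.

const MASK_CHAR = '\u2022';        // bullet, as most password fields draw it
const DEFAULT_REVEAL_MS = 2000;    // the 2-second window from the answer

class LastCharReveal {
  constructor(revealMs = DEFAULT_REVEAL_MS) {
    this.revealMs = revealMs;
    this.secret = '';              // the real password, never put in the visible box
    this.lastTypedAt = -Infinity;  // ms timestamp of the last appended character
  }

  // Append one typed character; `now` is a millisecond timestamp.
  type(ch, now) {
    this.secret += ch;
    this.lastTypedAt = now;
  }

  // Remove the last character. A delete reveals nothing, so the reveal
  // window is closed by resetting the timestamp.
  backspace() {
    this.secret = this.secret.slice(0, -1);
    this.lastTypedAt = -Infinity;
  }

  value() {
    return this.secret;
  }

  // The string the visible box should show at time `now`: all bullets,
  // or all-but-one bullets followed by the last character while the
  // reveal window is open.
  display(now) {
    const n = this.secret.length;
    if (n === 0) return '';
    const revealing = now - this.lastTypedAt < this.revealMs;
    const hidden = MASK_CHAR.repeat(revealing ? n - 1 : n);
    return revealing ? hidden + this.secret[n - 1] : hidden;
  }
}

// Browser wiring; skipped when run under Node. `visibleInput` is an
// <input type="text">, `hiddenInput` the <input type="hidden"> that the
// form actually submits (assumed markup, not from the page).
function bindLastCharReveal(visibleInput, hiddenInput, revealMs = DEFAULT_REVEAL_MS) {
  const model = new LastCharReveal(revealMs);
  let timer = null;
  const render = () => {
    visibleInput.value = model.display(Date.now());
    hiddenInput.value = model.value();
  };
  visibleInput.addEventListener('keydown', (ev) => {
    if (ev.key === 'Backspace') {
      model.backspace();
    } else if (ev.key.length === 1) {        // printable characters only
      model.type(ev.key, Date.now());
      clearTimeout(timer);
      timer = setTimeout(render, revealMs);  // re-mask when the window expires
    } else {
      return;                                // Tab, arrows, Enter pass through
    }
    ev.preventDefault();                     // the browser must not insert the key itself
    render();
  });
  // Keep the browser from offering the masked string as form history.
  visibleInput.setAttribute('autocomplete', 'off');
  visibleInput.setAttribute('spellcheck', 'false');
  return model;
}

if (typeof document !== 'undefined') {
  const vis = document.getElementById('pw-visible');
  const hid = document.getElementById('pw-hidden');
  if (vis && hid) bindLastCharReveal(vis, hid);
}
```

Two caveats a practitioner would weigh before shipping this pattern: because the visible box is a plain text input, browsers and password managers do not treat it as a password field, so `autocomplete="off"` is the only thing keeping the mask string out of form history; and the keydown-only wiring ignores paste, IME composition and most on-screen keyboards, which is exactly the selection-and-deletion area the answer says still has bugs.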
2

Imagine a situation like this.

An ordinary user who uses the same password for each website (a very simple one like 1980) accidentally clicks on the show password button. His buddy sees that, logs in to Facebook and posts under his name. The user will blame your website and tell everyone that it is a stupid and useless website. And as you know, one unsatisfied customer is equal to 20 satisfied customers, but in a bad way.

TIKSN
  • I'm not sure what this means regarding asking the password twice though. This situation would still happen if you asked for the password once or twice - if someone sees your password being typed in then it doesn't matter how many times you want people to type it in because if they know the password is 1980 then they'll type that in both boxes. – JonW Mar 17 '13 at 18:02
  • But in an ordinary case the user types the password in the password box. How can another person see your password? My example was about the show/hide button. I want to say that it is not a good idea. – TIKSN Mar 17 '13 at 18:53
  • 1
    @TIKSN How often is a user registering while sitting near his friend? Even if such a situation happens, the user will see after the first letter that the password is unmasked and will hit the button to mask his password. But even if there is no such button, the user could at least hide the password on the screen with his hand while typing, to mask it manually :) – webvitaly Mar 18 '13 at 09:10
  • Will you hide the password with your hand? I would not. You have to require as little as possible from the user. – TIKSN Dec 22 '13 at 17:38
2

The benefit of asking for the password twice during registration is that, if a user does not use a password manager or writes passwords down, it is easier for him to memorize the chosen password.

In German there is a saying that knowledge goes from the hands straight into memory.

So if you have already typed the password 2 times during registration and a third time for the first login, the chances are pretty good that the user will remember the password.

SpaceTrucker
2

Asking for the password twice can lower your form conversion rate. Users end up correcting their input more and making more typos because they can't see the characters they're typing.

This article speaks more about that: Why the Confirm Password Field Must Die. It suggests using a 'show password' toggle button.

ownus
1

How about giving the option to the user? Provide in the form either the unmask password option or a "Retype the password" option. Sometimes users are creating a registration and they don't want to use the unmask feature with someone nearby.

1

From what I have seen through multiple usability studies, the biggest issue is that users don't pay too much attention when signing up. The main point of error is the email address. If users mistype their email address they won't be able to recover their account regardless of how well the password recovery module works.

Asking twice (or validating the email/username in whatever way) is far more important.

Mayo
Davide
  • I agree that the email is the most important part of user registration. But this is the theme for another topic. And the main idea of this thread is about masking or unmasking the password. – webvitaly Jan 29 '13 at 14:53
1

Good for mobile UX

Another reason that entering a password twice is a good thing when people sign up using a mobile device is the frequency of user typos. Have you ever tried typing a secure password (non word/phrase) 10 times in a row without errors on a mobile device?

Well sure, you and me can probably do it, but MOST cannot.

Mayo
bfritz
0

Why unmasking the password might be bad

  • Shoulder surfing hazard: someone might see the password on the screen as it is being typed if it is unmasked

  • Unmasking doesn't always help if your password is complex; you might still type something thinking you typed something else

Why repeating the password is good

  • You can never make a mistake as the password is verified for both entries
  • Your password is safe from prying eyes as it is masked
ThaSaleni
  • If the user accidentally turned on CAPS_LOCK or switched language, then typing the "wrong" password twice is not good at all. But unmasking the password will show the issue immediately. – webvitaly May 22 '15 at 03:42
  • @webvitaly But does the benefit of seeing what you type weigh more than the risk of having your password stolen? Somewhere in software production we have to compromise and I think compromising usability for security is acceptable, and the inverse is not true – ThaSaleni May 22 '15 at 12:12
  • You are talking like if we should choose one or another. User can have toggle visibility button next to password and this will cover security and mistyping issues with one solution - https://signup.wordpress.com/signup/ But keep in mind that most of the passwords were not stolen by spies behind your shoulder :) – webvitaly May 23 '15 at 07:25
  • Well for me, there's a reason why the on-screen password mask was invented, and that reason is security, so by adding an option to undo that, you are to an extent defeating the purpose of that security, but then again, that's just my opinion – ThaSaleni May 23 '15 at 11:24
  • Internet Explorer 10 added a toggle password visibility icon for every password field and I never heard of the issue of millions of accounts being hacked because of spies behind the shoulder during the last 3 years ;) – webvitaly May 24 '15 at 04:44
  • Well for your information, shoulder surfing is a thing... here's an article http://www.visualdatasecurity.eu/2013/08/shoulder-surfers-leave-no-shadow/ – ThaSaleni May 25 '15 at 09:26
  • Ninjas everywhere ;) And here is the article by the best UX guy, Jakob Nielsen, telling that masking the password does not increase security, kills usability and costs money to business because of failed logins - http://www.nngroup.com/articles/stop-password-masking/ I believe that in the nearest future 1 of these 2 approaches will be dominating. Time will show which approach is better in real life. – webvitaly May 26 '15 at 03:47
  • My question is, who do you trust more with your security concerns? The best security guy or the best UX guy? :) – ThaSaleni May 26 '15 at 13:25
  • Again, there is no need to choose one or another. You may have one solution for security and usability at the same time - https://signup.wordpress.com/signup/ Passwords can be hidden by default and user can unmask it if it is safe. This approach can work perfectly on all forms with passwords or other sensitive data. – webvitaly May 27 '15 at 14:23
  • Repeating the password is really annoying on mobile. Especially if it is accompanied by repeating your email. – Todilo Sep 01 '15 at 11:07
-2

You must not ask for a password at all: generate it automatically and send it in the welcome email.

  1. It's easier for the user to start
  2. It's more secure

UPD

Why it's easier to start.
Here is the workflow of my latest app:

  1. The user comes to the site and opens the registration form. The only thing we ask is the email address.
  2. When the email is entered, we send an autogenerated password like "fown7ucvd" by email and immediately auto-login the user into his account and remember him (cookies, sliding expiration) for 20 days.

As a result:

  1. Extremely easy to start
  2. The user doesn't have to know at all that "there was an autogenerated password"; he just starts to explore my app.
  3. The user doesn't have to enter any of his favorite passwords (usually one or two); also the user doesn't have to enter 12345 in a password field. BTW this is why it's the most popular password - users are not dumb, they just wanted to look at your service without entering a lot of personal data.

Why more secure: The point about security is that when you have one password for all resources, if the password gets compromised, ALL data is in danger. So in general it's more secure to autogenerate the password.

ADOConnection
  • Are you sure that with this "dfi&!ue.jx#%$h@!$df" it is easier to start than with this "chup@dora321" for example? :) "chup@dora321" has almost the same level of security as the auto-generated "dfi&!ue.jx#%$h@!$df". But it is impossible to remember this "dfi&!ue.jx#%$h@!$df" and it is bad UX. – webvitaly May 11 '12 at 10:04
  • Here is the workflow of my latest app: 1. The user comes to the site and opens the registration form. The only thing we ask is the email address. 2. When the email is entered, we send an autogenerated password like "fown7ucvd" by email and immediately auto-login the user into his account and remember him (cookies, sliding expiration) for 20 days. The point about security is that when you have one password for all resources, if the password gets compromised, ALL data is in danger. So in general it's more secure to autogenerate passwords. – ADOConnection May 13 '12 at 09:29
  • This is fine but at some point a returning user may like to change their password to something they'll remember. And then we face the same problem for the change password dialog. Do we force the user to type their new password twice, or just once? – Steve Wortham May 13 '12 at 20:03
  • Well, the initial question was about asking for the password during registration. The keyword here is "may like": why would they like to change the password? And also when would they like to do it? IMO definitely not right after registering. When it comes to changing the password (not registering) everyone would expect the standard fields: new password, confirm password and maybe old password. It's not the same problem, and imho it's not a problem at all. – ADOConnection May 16 '12 at 09:57
  • 1
    @ADOConnection - There's basically no chance of a user remembering a password that was randomly generated for them. This will become an annoyance for any returning user. In fact, since you say that you've already implemented this solution I'd be interested to know what percentage of users change their passwords after registering. – Steve Wortham Jun 11 '12 at 19:29
  • 5
    Email is not a secure storage for passwords. It adds all the intermediates between the email server and the email provider into the chain of trust for your site. And what about the password to access the email account itself? – Eric Bréchemier Sep 07 '12 at 10:02
  • @EricBréchemier, you can't speak about security in absolute values "secure" / "not secure". Nothing is absolutely secure. The question is "is it secure enough?". The user will decide it himself: if he likes, he will keep the default password. If not, he will change it. In your case the user will have to ALWAYS think about the password, in my case this is optional. Please feel the difference. – ADOConnection Sep 07 '12 at 10:08
  • @SteveWortham, the user doesn't have to remember his password, there is a checkbox "remember me" for that (a proven recognizable UI element). Yep, that would be really interesting, I'll try to get that stat. – ADOConnection Sep 07 '12 at 10:16
  • 2
    @ADOConnection - I have experienced this pattern first hand, and this gave me a bad feeling about the web site, leading me to wonder: if they think it is OK to send a password in plain text, are they also storing it in plain text in their database? And in one case, I was not even able to change the password, keeping the generated password was the only possibility. – Eric Bréchemier Sep 07 '12 at 11:20
  • @EricBréchemier, what was the reason for the bad feeling? I see a poor implementation problem rather than a problem with the pattern itself. – ADOConnection Sep 11 '12 at 08:54
  • Personally, I hate auto generated passwords, cause they add an extra step for me in the registration process, of changing the password to one I will remember; it could have been easier if I had just entered my own password to start with. With that said, this approach is not very usable for me. – ThaSaleni May 26 '15 at 13:29
  • @ThaSaleni, it depends on the use case. New customers usually want to try your product and see whether it fits their needs. Filling in the profile or carefully entering a password is not the user's primary goal. – ADOConnection May 26 '15 at 15:56
  • An alternative to this is to have an activation link sent to the user. The user needs to validate his account using a LINK (not an autogenerated password, because those are troublesome to copy+paste on mobile devices, or have the trailing space problem). Then when the link is pressed the user is asked to enter a password. This gets the user going right away because he/she only needs to enter an email, but we still have an email validation process and password management. – Todilo Sep 01 '15 at 11:05