Blog de sonicbyte

Opinión y tendencias sobre negocios, diseño y avances en Internet

Web forms: Is “repeat password” an obsolete field?

17 January, 2012

Is the “repeat password” field still necessary on a user registration form?
This question came up in one of our recent meetings about a project we are working on with the sonic team.

Is it an unnecessary nuisance, an outdated practice, or is it there for a better user experience?

Some arguments to defend its existence:

  • There is more confidence that the user entered the password correctly, thanks to the redundancy of the field.
  • Because of the “Password” field’s behaviour, the user only sees asterisks or dots, so it is logical that typing mistakes happen.
  • Users are “used to” completing this field; it is a convention.

Arguments why I think it is no longer necessary:

  • Why double the effort of completing this field for all users, when the people who mistype their password are a minority?
  • It doubles the chances of making a mistake, since the user types a second time in the confirmation field, which forces them to repeat the action without need.
  • If there was an error creating the password, the user can always recover it. That is exactly why every site has a recovery link or system.
  • The form is friendlier to complete: there are fewer requirements and fewer fields, it looks “shorter” and is finished more quickly.
  • There are several client-side solutions (such as JavaScript) that temporarily turn the asterisks or dots into legible characters, reducing the possibility of errors.

    As in this example.

The proposal:

  1. Temporarily allow users to view the password they have entered (as seen in the example above).
  2. When the registration process finishes, an email is sent to validate the e-mail account entered; it may include the user’s password, so the user has a record in case of a typo and can log in without problems.
  3. Finally, the validation link included in the mail could automatically log the user in, to avoid any initial frustration.

Prestigious sites such as A List Apart, and eminences such as Jakob Nielsen, the web usability consultant, have already published critiques and alternatives for handling password-related security issues, and on how inherited old practices such as password masking can be detrimental to usability, and therefore to your business.

Examples of sites that do not use the redundancy of the password field:

Time to change the conventions? What do you think?

Comments: 6
  • DeDeDe

    I think sending the password as text by email is a serious security error, and that it should never be stored on the server in a form readable or decipherable by anyone, including the site’s administrators…

  • DeDeDe

    I think it is a serious security error to send the password by email, and besides, passwords must never be stored unencrypted on the server…

  • Visitante

    I agree with devede. Passwords must never be sent in plain text.

  • Ni

    Sending the password in the clear by email, besides being a security flaw, only makes the problem worse, for the simple reason that you have not confirmed the email beforehand. That should always be the first step. Otherwise, you risk sending a correct password to a mistyped email address, which can lead to worse scenarios.

    “User experience” is important, but we must not lose sight of the fact that security always comes before usability.

    Regards.

  • david

    Well, very interesting.

  • Anonymous

    But the password is not sent by email; what is sent is a link that takes you to a form to create a new one. I think those who make a mistake are a minority.