Should I ask for the user’s password twice at the time of registration?


In registration forms, it is common to see an "Enter your password again" field, as a confirmation to make sure that the user has not mistyped the password.

Thinking about the user experience, is this field really necessary? Thinking about Nielsen's heuristics, in this case, is there no convergence between "error prevention" (heuristic 5) and "aesthetic and minimalist design" (heuristic 8)?

How should the error prevention heuristic be applied in this case? Would it be a "forgot my password" button in case the user typed it wrong? Or would it really be the "enter your password again" field? And why?

Does this confirmation step add any safety factor to the flow? Again on safety: if my form has this field, should I be doing this confirmation on the client side, the server side, or both?

Note that I am not seeking opinions on the subject, but concrete answers, with reliable sources, well-grounded in UX terms.

  • Personally, I believe that a field with the "eye" to reveal the password would already serve as a confirmation. But what if the user has someone beside them and can't click it? It's not such a simple subject.

  • The purpose is to avoid setting a password that was typed wrong by mistake; it seems to me a good security practice. Think about how many "lost my password" or even "typed my email wrong" problems there are (yes, for those cases you also have to confirm the email). It is a fully acceptable confirmation protocol.

  • @Rafaeltavares, what prevents the "user on the side" from looking at the guy typing the password? It ends up being seen anyway... :-]

  • @Luizfelipe if it is on a cell phone, it can be seen anyway; if it is on a computer/notebook, no. It will depend on how fast the person types, how many fingers they use when typing, whether the hand is in front of the keys, etc. Besides, if someone is sitting behind me for some acceptable reason X, they may not be able to see me typing but may be able to see the screen. Anyway, there are a lot of variables; it's not that simple. I attended a lecture where the presenter typed a password with the tablet connected to the projector and everyone could see what he typed even with the **** field. They are different situations.

  • Most people type with their index fingers and slowly :D, even more so with the decline of computer use in favour of mobile phones. But I agree with you, it is a very complex thing to solve. I personally prefer to put the second confirmation field, but I have no basis in the UX perspective for this.

1 answer

Every answer about UX has to start with the usual blah blah: you have to conduct studies, analyze your audience, etc.

With that done, and to give a reference point, I will resort to UX.SE, which is one of the places with the most people specialized in the subject, and there I saw some answers.

The majority conclusion is that you should not ask. But I am afraid this is a perception only because it was the accepted answer and for that reason it received many votes.

One of the reasons given is that people cheat this and end up copying automatically, so the mechanism may not work because the person "types" it wrong in both, and it still creates a difficulty for the person that is unnecessary.

What is recommended is to have other ways to solve the problem if the person does not remember the password or has typed it wrong and it is not working. One way or another you need to have this mechanism, so just leave it.

The idea is that it is more usable when you only create a burden for the person if they have really made a mistake and are having problems because of it. The password recovery system (which does not return the password but lets you change it) is more effective. You only pay if you need to. When you ask the person to type it twice you pay even when doing everything right, and may have to pay again later.

Note that it is not unanimous; some people present problems with this approach, so it has to be well thought out.

One of the problems they mentioned is that the person may have CAPS LOCK on, but you should detect this and warn the person before they type. UX is about solving every problem with the right action; we are engineers even when doing UX. An engineer finds the best solution for every problem and does not follow a cake recipe.

They also complained that they would have to make the password visible for the person to check, but this should not be done; there should be an option to make it visible at a given moment, and then the person chooses to do it if they have made sure that no one is watching, or they don't care.

It's no use forcing people to do something they don't want to do; they'll find a way to do it wrong if wrong is better for them.

Difference between the path they designed and the one people actually use

Something that is recommended, even to confirm the email, is that the person needs to click a link that is sent to them, to confirm that the email is right and that it is not a misuse of an address. There are several ways to deal with it. It's a good idea.

One problem that does exist is that the person may not realize that they made a mistake and not know what to do afterwards, and your site gives no indication of it; you could lose the user. It's something to think about. It actually happens in some scenarios. So there is no universal magic solution that works every time and is trouble-free.

An interesting argument for using this mechanism is that it is so widely used that people no longer care. What do you think? I know people hate these sign-up processes.

One solution may be to use an external authenticator and avoid this. It has its problems, and it should not be the only way, but it settles your doubt for most cases.

Security

Another solution that obviously has its flaws is not asking the person to type in a password at all. It solves other security problems. Generate one for them; that's the one they should use. Have them use a manager, write it down in a notebook, or ask for "recovery" every time they log in, which is almost two-factor authentication, except that they forgot one of the factors :D, but this is a stronger mechanism than just knowing the password.

Don't think it's safer to ask for the password twice; it might make it more reliable that the person typed it right, but not 100% reliable, much less secure.

What can happen when you ask for a single typing and let the person see it is that maybe they type longer and harder passwords more easily. When you make it difficult for them to type something they will tend to type shorter and simpler things, and this can affect security to some degree. Again, the person will circumvent your "protection".

Accessibility

I didn't see anyone, anywhere that I researched, discussing this aspect. Curious, right?

Maybe asking twice helps those who need accessibility, because it is probably the only way they can check if they typed it right without exposing the password (the other would be for the typed password to be spoken aloud, but then everyone nearby can listen). But there are cases and cases.

So maybe it should be optional to type or not.

Concluding

It's easy to find fallacies in all these opinions, because someone saw a problem, but maybe it's not so relevant.

Every case presented there has its problems; choose your poison. In fact these little rules presented in the answer have some degree of dichotomy, and maybe it is even purposeful; you have to choose which rule is most important. Just don't rule out creative solutions, even adopting both in some optional way. I'm not saying it's good, but don't follow a single recipe; try, create!

Some things I am fairly clear about, which usually pay off more, but not this one. Maybe it changes very little, without thinking of a specific audience.

Some links to follow more discussions and articles from people who work with this:
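As an added illustration (not code from the question or the answer above), the following helpers put the answer's three concrete points into a form: Caps Lock is detected and surfaced before the password is committed, the reveal toggle is opt-in rather than the default, and the server never trusts the browser's comparison, treating the confirmation field as optional but enforcing it when it is sent. The field names `password` and `passwordConfirm` and the 12-character minimum are assumptions for the example.

```javascript
// Client side: call from a keydown/keyup listener on the password input.
// KeyboardEvent.getModifierState("CapsLock") is a standard DOM API; the event
// is duck-typed here so the function also runs outside a browser.
function capsLockWarning(event) {
  if (!event || typeof event.getModifierState !== "function") return null;
  return event.getModifierState("CapsLock") ? "Caps Lock is on" : null;
}

// Client side: the reveal control is opt-in. The input starts masked and only
// switches to plain text when the user explicitly asks, as the answer suggests.
function toggleReveal(state) {
  const next = state.inputType === "password" ? "text" : "password";
  return { ...state, inputType: next };
}

// Server side: re-check everything the browser may have checked. The
// confirmation field is optional (assumed name: passwordConfirm); when it is
// present a mismatch is rejected, and the length policy applies either way.
function validateRegistration(body, minLength = 12) {
  const errors = [];
  const pw = typeof body.password === "string" ? body.password : "";
  if (pw.length < minLength) {
    errors.push(`password must be at least ${minLength} characters`);
  }
  if (body.passwordConfirm !== undefined && body.passwordConfirm !== pw) {
    errors.push("password and confirmation do not match");
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample submissions showing both paths through the server check.
const withConfirm = validateRegistration({
  password: "correct horse battery",
  passwordConfirm: "correct horse batery", // one letter off: rejected
});
const withoutConfirm = validateRegistration({ password: "correct horse battery" });
```

In a real form the client-side helpers only shape what the user sees; `validateRegistration` is the check that actually decides whether the account is created.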
