Differentiate user fields on signup form better


(Lukas Reschke) #1

In our Discourse forum we set up a User Field asking the user to specify their software version.

This worked nicely, however, the signup screen doesn’t really differentiate this field from the other existing ones. And since it is directly displayed below the “Password” input field many people copy-pasted their password in there and thus leaked it to the public:

We have now removed the User Field again and deleted all existing entries due to people leaking their password. Would it be possible to differentiate this better with some kind of divider or so? Just so that people don’t type their password into the next field since they obviously don’t read the headers.
(Which kinda makes sense since a lot of web applications require someone to type in their password twice so they just do so)

Thoughts?
– Lukas


(Jeff Atwood) #2

Sure, I can support adding a divider line here with the following caveats:

  • only on the Create New Account page
  • only when there are “extra” user fields required at signup

Can you take that @techapj?

Aside: Lukas, you set minimum password length to five characters? Do you understand how insecure that is? Anyone getting a copy of the database could crack every 5 char password hash from your site on their GPU in a few hours…


(Lukas Reschke) #3

Good point, I wasn’t involved in changing this but I have in mind that some UI and UX people changed this. Let me get that reverted to 10 again and link to this topic in case of complaints. :slight_smile:


(Jeff Atwood) #4

5 is a comically low value. 8 isn’t great but is at least defensible. 10 is what we recommend if you care about your users’ security…


(Christoph) #5

Don’t forget the accept invite page…

As an aside: Generally speaking I’d say this is something that can be done via CSS but targeting the user fields isn’t always as easy as it could be, especially if a tick-box user field is involved and even more so if you want to target a specific field rather than all of them. So it would be great if each user field could have its own fixed id. And if you change something in the HTML here, it would probably be a good idea to put each user field into its own box and all user field boxes into one big userfields box. That would greatly improve the possibilities for customization of how they are displayed on the new user/invite pages.


An option for user field to be hidden in sign up
(Eli the Bearded) #6

This problem has been encountered before:

@Sam had the suggestion that progress should be stopped if a user enters their password twice, which seems a good UI fix.
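
The check suggested above, sketched as an added example that is not part of the thread and not Discourse's own code: signup is stopped when a custom user field holds the password, and the 10-character minimum from earlier in the thread is enforced. The function name, field names and reason codes are hypothetical, and the sample submissions are constructed.

```javascript
// Added example (hypothetical names): refuse a signup when a custom user
// field contains the password, so it never reaches a public profile field.

const MIN_PASSWORD_LENGTH = 10; // minimum recommended in the thread

// A pasted value usually differs only by surrounding whitespace.
function normalise(value) {
  return String(value ?? "").trim();
}

// Returns [{ field, reason }]; an empty array means the form may proceed.
// Errors name the field only and never echo its value, so the password
// does not end up in logs or error responses.
function validateSignup({ password, userFields }) {
  const errors = [];
  const pw = normalise(password);

  if (pw.length < MIN_PASSWORD_LENGTH) {
    errors.push({ field: "password", reason: "too_short" });
  }

  for (const [name, raw] of Object.entries(userFields || {})) {
    const value = normalise(raw);
    if (pw.length === 0 || value.length === 0) continue;

    if (value === pw) {
      errors.push({ field: name, reason: "matches_password" });
    } else if (pw.length >= MIN_PASSWORD_LENGTH && value.includes(pw)) {
      // Substring check only for long passwords, so a short password such
      // as "8.1" cannot collide with a legitimate version string "8.1.2".
      errors.push({ field: name, reason: "contains_password" });
    }
  }
  return errors;
}

// Constructed sample: password pasted into the field below the password box.
const sample = validateSignup({
  password: "correct horse 42",
  userFields: { software_version: " correct horse 42 " },
});
console.log(sample); // one error for software_version
```

Run the same check on the server as well as in the form, since the user field is what ends up stored and displayed.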


(Arpit Jalan) #7

Okay, done via:


Desktop:

Mobile: