On a forum with a custom “Pronouns” field enabled, at least one user accidentally pasted their password into the “Pronouns” box.
Presumably they were running on autopilot and pasted their password thinking it was a “password confirmation” field like we’ve been conditioned to do over the last [too many] years.
Perhaps we could help people avoid this mistake by preventing any custom fields appearing after the “Password” field.
Or, run custom fields to ensure they aren’t the user’s password… kind of a weirdly-specific thing to check though.
Exhibit A: meta’s signup form:
Quick update… @nbianca just implemented a validation here:
This means that we will simply reject signups in future if people make this mistake.
Longer term there may be something better we can do in the UI to avoid this upfront, but the big vector here is now sealed.
Can this apply to emails too?
Great suggestion, but I would like to see this fail in the real world before rushing to fix. The position of email makes this less likely to happen.
I can imagine cases where people include emails in custom fields and they happen to be the same email you registered.
I guess a change I support is “check the password/name/username is not the email” - do we have that covered @nbianca ?
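As an added example (not code from this thread or from the forum software it discusses), a Ruby signup-time check along the lines of the validation described above: it rejects a submission when any custom field equals the password, and also covers the password/name/username-versus-email check raised here. The shape of the `params` hash and the `:custom_fields` key are assumptions.

```ruby
# Added example: reject signups where a user has pasted their password into a
# custom field (mistaking it for "confirm password"), or where the username,
# name or password collides with the email address.

def normalize(value)
  value.to_s.strip
end

# Returns an Array of error strings; an empty Array means the signup passes.
# Assumed input shape: { username:, name:, email:, password:,
#                        custom_fields: { "Field name" => "submitted value" } }
def signup_errors(params)
  errors = []
  password = normalize(params[:password])
  email = normalize(params[:email]).downcase
  return errors if password.empty?

  # A custom field whose value equals the password almost certainly means the
  # user filled it on autopilot; reject so the secret never reaches the database.
  (params[:custom_fields] || {}).each do |field, value|
    if normalize(value) == password
      errors << "Custom field '#{field}' must not contain your password"
    end
  end

  # Username and display name must be neither the password nor the email.
  %i[username name].each do |key|
    v = normalize(params[key])
    next if v.empty?
    errors << "#{key} must not be your password" if v == password
    errors << "#{key} must not be your email" if v.downcase == email
  end

  errors << "Password must not be your email" if password.downcase == email
  errors
end
```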
Yep. Definitely a few times I have entered the password because I expect a “Confirm your password” prompt, but it’s just a custom field.