User do not have to confirm password

(Yves `M'vy` Stadler) #1

It seems that users don’t need to confirm their password. It might be delicate if a user were to make a typo. It would force him to use the password recovery system which imply using email again.

Instead, we can avoid this by setting a “confirm password” field.

Confirm password when signing up
(Sam Saffron) #2

On the other hand, if I user does not typo his password she does not need to type it in twice.

Its a balancing act, personally I very much dislike needing to type stuff in twice just to account for the n% of times I typo stuff.

Also, what is stopping the user from typoing her password twice, a third password confirm field perhaps :slight_smile: ?

Why Doesn't Discourse Have a "Confirm Password" Section During The Signup Process?
(Yves `M'vy` Stadler) #3

Maybe, but unless you have some serious issue (capslock, wrong keymap), there is less chance to do the typo twice. It shall gain so much time to take time to type the password twice rather than going wrong on first, trying for x times trying to login, be blocked (eventually?), then realise “Oh, I may have mistyped the first time, let’s call password reset.”

Anyway, I think it’s better to avoid having to deal with the problem when it can be done with that little thing. And regarding a third field, I don’t think this is increasing statistics very much.

(Bogdan Opanchuk) #4

Wouldn’t it be better to add a button which shows the typed password? For me personally the second field does not seem that useful. I usually type the password without thinking about it (like many people, I assume), so if I make a typo it’s because of some mistake in the sequence of finger movements, which I’m very likely to repeat when I fill the second field a moment after.

Show password (optional)
(Sam Saffron) #5

Let’s have a look at what the big guns do:


(confirm email)


(confirm both email and password)


(confirm nothing)


(A world of pain)



Of all these services we are most closely related to Linkedin and Twitter, we are not taking anyone’s money or bartering sales.

Out-of-the-box we chose to emulate twitter and Linkedin in this respect, that said, Discourse is a system of rainbows a PR that adds toggles there would be considered and plugins to amend this are also fine.

(Sam Saffron) #6

I strongly suspect this is very dangerous, I have yet to have seen a registration system in the wild with that functionality. Users may be surprised to see such a function and not trust us as much with their passwords.

(Jeff Atwood) #7

I think that’s kind of an exaggerated position to take… it is quite common on mobile to show the last character typed in the password field and I do not think it is dangerous at all to have a “reveal password” button next to the password field.

I’m pretty sure I’ve used other services with a “reveal hidden password” button on the entry form.

Note that nobody is arguing for a reveal password button on the user page just on the place where you type it in the first time and possibly and make typos.

(Sam Saffron) #8

All I am saying is, show me one place in the wild in a top 100 websites that does it.

(Jeff Atwood) #9

Every mobile device does it… it’s a per-device thing. Show me one iPhone that does not show the characters in your password field as you type them… can you? :wink:

(Sam Saffron) #10

Well, that still works here as well :wink: no need to make any changes.

(Jeff Atwood) #11

Incorrect – we can make every device as nice as an iPhone by defaulting to a friendlier behavior. Otherwise they all have to go out and buy expensive, fragile, small battery and screen iPhones…

(Sam Saffron) #12

The iPhone has no “reveal password” button. It just reveals the key you last pressed, once it hides it, it is hidden forever.

We could emulate such a control, but it seems kind of pointless on the desktop.

(Jeff Atwood) #13

It’s not pointless, because there is only one field, so no way to cross-check if you typed what you think you typed.

And if you watch the field as you type in the password on an iPhone, you indeed see the entire password. If I was watching you type in your password on your iPhone, would I know it? Yes I would.

Assuming the reveal button only reveals the password for a few seconds, that is exactly the same as the “while you are typing” window of someone getting your password on an iPhone.

Anyway, the point is to make it easier on users and give them the ability to check their password without typing it twice. Both of these approaches do that. One ships by default on the iPhone and you don’t seem to have a problem with it, so I don’t see what the issue is.

(Bogdan Opanchuk) #14

Do you mean “dangerous” as in “insecure”, or as in “will affect the platform’s popularity”?

I can agree with the first, to some extent — because if someone is watching you type, he can also pick up the password by looking at your fingers (or even recording them on video, if we’re being completely paranoid). On the other hand, if nobody is looking over your shoulder, this is much more error-prone than typing your password the second time.

As for the second:

I must admit it seems completely illogical to me.

Also, speaking of examples of such system, it is used in OSX (perhaps in other systems too) when you are entering the WiFi password. Not a website, of course, but still.

(Sam Saffron) #15

… Actually … IE10 already implements this:

I think we better just leave this to browser vendors to catch up as opposed to building special hacks for webkit and firefox.

The IE10 implementation is quite robust, for example it goes away when you lose focus (assume there is also a timeout there)

(Alexander) #16

AT&T Wireless’s site does this on the desktop, and I think it’s 100% bizarre.

I could have sworn I noticed a site that shows the whole thing until you unfocus the PW input, but I can’t remember what it was now. May have been an internal tool at $dayjob, like ExpenseWire or whatever we use for help tickets. I think that’s 150% bizarre.

I believe that most users of the web these days expect their password to be fully hidden, and don’t bat an eyelash at typing it again when registering. It does protect against the rare typo, and thus can offer some peace of mind, and you only end up doing it once per site anyway.

(Sometimes I find myself typing my password twice even when there’s only one box, because I get nervous and assume I made a typo the first time…)

(Nuno Simões) #17


That IE10 “feature” sounds interesting on a security perspective. I wonder if printscreen can capture that temporary-non-password field. :slight_smile:

There’s also another new feature in town for input type=password fields:

“Starting with Internet Explorer 10, input type=password fields will
automatically display a warning if the caps lock is on.”

msCapsLockWarningOff property (Internet Explorer)


(Scott Robertson) #21

Facebook actually show the password field if you get your password wrong a few times.

(Jeff Atwood) #22

Another very interesting related post you should look at @sam

I do not support creating a whole custom control for this at all – not worth the work – but I do think the status quo here is, in a word, bullshit.

(Patrick Westerhoff) #23

I’m surprised this wasn’t mentioned before. We have this awesome site that deals with these kinds of decisions: “Why should we ask the password twice during registration?”