

Confirming Passwords Is Annoying: Is There a Better Way? - tiffani
http://konigi.com/notebook/confirming-passwords-annoying-there-better-way

======
patio11
I simply don't confirm the password (or email). The overwhelming majority of
people are going to type it properly, as substantiated by my failed login
stats (less than 1%). For the remaining 1%, I'll concentrate on recovering
from their error easily rather than depressing conversion among ALL users by
making the signup form two fields longer. (And, _ahem_ , if all of them were
to get frustrated and abandon their trial, well, _1%_.)

Edited to add: Context for why that number is so low: The vast majority of my
trial users are up-or-out within 3 days, and since I default to setting a 2
week "remember me" cookie, typically only my most interested users ever have
to type their password ever again.

By the way, you would be _astonished_ how many users I have think they cannot
type their school email address from their home computer and vice versa.

~~~
netcan
Combine this with JulianMorrison's suggestion (don't do the ####) & I think
this is a good approach.

~~~
pushingbits
Back in the day when I wasn't using keepass and just had 2-4 passwords I
regularly used (one for sites I considered safe... and then a couple more for
unsafe sites), I found that seeing my password in plain text on the screen was
really unsettling. Even if I was home alone and there was no chance of anyone
looking over my shoulder, it just felt so... unsafe.

I wonder if other people have a similar reaction.

Might be better to make users type in the password a second time rather than
give them a queasy feeling in the pit of their stomach.

------
jeff18
Please post the original article
(<http://www.viget.com/advance/password-fields-are-annoying/>) instead of a
blog post that does nothing but link to it.

------
JulianMorrison
Don't do #######

Don't ask for confirmation.

Solved.

(The ####### protects against someone peeking over their shoulder the exact
instant they register, who wants to steal their password. It's not really very
plausible and certainly not worth the hassle.)

------
blasdel
Having to type your password twice is a major cue that the action you're
taking is to register a new account, not sign in to an existing one.

Some friction is necessary -- if you make it _too easy_ the user won't be sure
of what they're doing.

------
ojbyrne
If, first, we could rid the world of the many many sites out there that
actually make you type your email or username twice, the world would be vastly
improved. Not that the article isn't interesting.

~~~
jeff18
That's what I thought, but on my site, I'd say about 5% of people make a typo
on their email address. Now I am probably going to join the "confirm email"
club.

~~~
thwarted
But does typing the email address twice, on the same form a mere 20 pixels
from where you previously typed in full view of the previous entry, actually
bring out corrections? If you mistype it the same way twice, you may not
notice that you mistyped it, as both fields will look the same. For password
fields, where the input is hidden/obscured, the double entry makes some sense
(ignoring the UI issues/possibilities outlined in the OP), but with email
addresses, it seems less so. I'd be interested in hearing stats after you
make a change.

Also, are the typos you've seen more often in the LHS or the RHS (of the @) in
the email address? The RHS is relatively easy to spot check, by doing an MX
and A DNS lookup to see if the domain exists -- you'll check actual delivery
later. I've found this to be more robust than regular expressions that attempt
to "validate" email addresses (see HN postings from earlier today) and assume
a fixed size on the RHS, and are often overly aggressive in trying to detect
"illegal" characters on the LHS, like +, which is not actually an illegal
character.
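
The MX and A spot check described in the comment above, as an added example that is not part of the thread or any poster's code. It goes slightly beyond the comment by handling null-MX domains and failing open on resolver errors; `resolve`, the two exception classes and the sample zone are hypothetical names and constructed data standing in for a real DNS client.

```python
class NoSuchDomain(Exception):
    """Authoritative NXDOMAIN answer."""

class LookupFailed(Exception):
    """Timeout or SERVFAIL: nothing was learned about the domain."""

def check_email_domain(address, resolve):
    """Classify address as ok/no-such-domain/no-mail/malformed/unknown."""
    # resolve(domain, rtype) -> list of records; hypothetical injectable hook.
    local, at, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".")
    if not (at and local and domain):
        return "malformed"
    # The LHS is not inspected on purpose: '+' and friends are legal there.
    try:
        domain = domain.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return "malformed"   # empty or over-long label, e.g. "gmial..com"
    try:
        mx = resolve(domain, "MX")   # [(preference, exchange), ...]
        if mx:
            # Null MX (RFC 7505): the only exchange is ".", no mail accepted.
            null_mx = all(host.rstrip(".") == "" for _, host in mx)
            return "no-mail" if null_mx else "ok"
        # No MX record: SMTP falls back to address records (RFC 5321, 5.1).
        if resolve(domain, "A") or resolve(domain, "AAAA"):
            return "ok"
        return "no-mail"
    except NoSuchDomain:
        return "no-such-domain"
    except LookupFailed:
        return "unknown"   # fail open; the confirmation e-mail decides

# Constructed sample data standing in for live DNS answers.
SAMPLE_ZONE = {
    ("example.edu", "MX"): [(10, "mail.example.edu.")],
    ("xn--bcher-kva.example", "MX"): [(10, "mx.example.net.")],
    ("web-only.example", "A"): ["192.0.2.10"],
    ("nomail.example", "MX"): [(0, ".")],
}
FLAKY = {"slow.example"}   # constructed: resolver times out for these

def sample_resolve(domain, rtype):
    if domain in FLAKY:
        raise LookupFailed(domain)
    if not any(name == domain for name, _ in SAMPLE_ZONE):
        raise NoSuchDomain(domain)
    return SAMPLE_ZONE.get((domain, rtype), [])
```

Only `no-such-domain` and `no-mail` are worth surfacing to the user at signup; `unknown` should let the form through so a resolver outage does not block registrations.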

------
brandon
Ripped shamelessly from the comments on the post, I thought this was pretty
neat:

<http://foxxtrot.github.com/Chroma-Hash/>

However, I don't see how it's more effective than a callout or alert noting
"these don't match" ... just less annoying and way sexier.

~~~
thwarted
This has shades of Lotus Notes hieroglyphics logins, but potentially much better.

<http://www.coderjournal.com/2008/02/lotus-notes-aol-corporate-world/>

<http://www.encode-sec.com/pdf/esa0101.pdf>

------
catweasel
One option might be to not ask for a password at all and auto generate it.
Most sign ups include some form of confirmation email, perhaps a password
could be sent with it? Not appropriate for every app but registration with
nothing more than email address is getting as stripped down as possible.

------
petercooper
Yeah, use 1Password and let it generate a strong password and fill in the
forms for you. Can't say it quite changed my life but it's been the most
useful piece of software I've bought all year.

------
tree5
I can't tell you how many times I've tried logging into HN using the signup
form (which, of course, doesn't ask for your password confirmation). The
password confirmation, I think, has become a necessary input field to let
users instantly recognize and know that they're signing up for an account.
Qwerty keyboards, for example, aren't the most efficient way to type, but the
layout has become so ingrained into our brains that we can't imagine any other
way to type.

