It's like all these sites that requires you to enter your current password before you can change it, but deleting the entire account is just ticking a check box (at least twitter and dribbble worked this way back when I had accounts there).
Some things we been doing for so long that we forget why we do them at all.
Or ones that make you confirm an e-mail address by entering it twice.
The reason you confirm a password is because you can't see the password, and so you never know if you mistyped it. Confirming an e-mail address, in a normal text field, is just stupid busywork.
It does seem that way when you're a skilled typist, but I recall reading an article about a year ago where they discovered that forcing the average user to re-enter their email significantly improved their rate of invalid emails (e.g. not detectable by a regex, like jhonsmith@gmail.com or johnsmith@gamil.com).
A feature like this should probably be considered based on the expected type of user vs. the convenience of signing up quickly. Non-technical users where there isn't a significant dropoff from the signup form => probably a good idea.
I was not talking about retyping the new password, but about requesting the old password before you can change it. The reason you do this is because even if you theoretically could hijack the session, you still can not hijack the account. But the priority seems a bit off when the password is more important then the account, which makes you believe that the people behind the sites only added the extra password validation because they seen it every where else, and not because they understand the principle behind it.
Exactly. The original commenter's point is that they prevent someone from changing your password, but they don't prevent that person from deleting your account.
Or when you enter bad login info, and the site doesn't tell you if it was your email or your password. But on the reset password form it tells you when you put a bad email in.
Well, that's usually a security feature so that hackers can't harvest valid accounts by trying e-mail addresses and seeing what the error message is. It's stupid if they can do that anyway via the password reset form, though (although presumably, if you get the password reset e-mail you'll have an idea that someone else is trying to access your account).
Or the reset password form can simply say an email has been sent to the relevant address, regardless of whether said address actually exists in their database. I've always suspected this is how most of them work.
It is a protection against typos, because people are lazy and error-prone and it matters because getting it wrong means email delivery fails, whereas a misspelled name is no big deal.
So, elegantly, two different issues use the same simple solution.
It's not elegant at all - it makes the user do extra work at signup. Wasn't there an interesting blog post on HN about 5 years ago that showed that each additional field you add to the registration form cuts sign-ups in half?
The better solution is to send an e-mail with a confirmation link upon signup. This also protects against deliberately falsified e-mails, and against typing it incorrectly twice, and against folks who automatically copy & paste when they see "Confirm your..." And it's only a tab switch and click rather than having to key in a few dozen characters, which matters even more in the brave new mobile/tablet world.
I believe that extra field thing is correct. However I don't think your solution is really great either, by forcing the user to confirm their email before continuing your are interrupting their flow. In some cases when I've had this and the email has been delayed by even a few minutes I haven't bothered coming back.
Edit: Sorry I kind of misread your comment, but what I said is half relavent. None of the protections you state you get without forcing them to click the link before continuing.
Yeah, confirmation e-mails suck from a UX perspective. However, they don't gratuitously suck - they solve the problem they're trying to solve, and often users can tell why they're necessary. Extra form fields suck from a UX perspective and have the added problem of not actually solving the problem they're trying to solve.
Some things we been doing for so long that we forget why we do them at all.