Dec 2, 2009
Should we confirm passwords?
Those "extra" fields developers add to forms, are they to annoy us or do they really have a purpose that ordinary people do not see? I have mixed feelings about this extra field.
I was surfing the web while on Thanksgiving break, and came across Lee Munrue's website. Now, I've been there before but I've never read his article on confirming passwords. It was interesting to me because about an hour before reading the article I was closing down Coda, after working on the users section to Articulate Articles, in which I include a confirm new password field.
Side One - The Negative
There are two sides to this story. I'll first focus on the negative. Lee points out that this field is just an extra field that causes a user to spend more time on your form than maybe they want.
For me, I don’t think you do need to confirm your password. It’s an extra field to fill in therefore it takes extra time to complete sign up, so the more fields there are to complete the more I’ll think twice about signing up.
Personally, I don't mind filling in an extra field for my password. I remember one time while signing up for Iconator (for the fourth time probably) that I misspelled my password. Even though they have a confirm password box, I just copied and pasted my password in. DO NOT DO THIS. I have learned my lesson and never copy and paste my passwords any longer.
I don't know about you guys, but the one time when I hate to fill in my password twice is when you choose a "username that is already taken". This bothers me to no end when a website makes you fill in your password four or more times because they didn't add a "check your username availability" option. This statement is a little hypocritical because I do the same thing.
Another thing that doesn't really bother me, but takes another minute or so for a confirmation field, is the processing on the back-end. It usually doesn't take that long, but does add another two to three lines of coding. I did however finally pick up a trick for checking two passwords (or really anything). Instead of checking both passwords for every little thing (empty, valid format, right length, etc), you check one and then check if the two are identical.
I know, I know, you are probably thinking to yourself, "why wouldn't he think of that?!" To that, I have no answer besides I just never thought of it. Assuming you wanted to do this with two password fields in PHP, you could do this:
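<?php
// valid_password() stands for the site's own format/length check (not shown).
// Old, "bad" way: every check is repeated for both fields.
if (empty($_POST['password']) || !valid_password($_POST['password'])
    || empty($_POST['password2']) || !valid_password($_POST['password2'])
    || $_POST['password'] !== $_POST['password2']) exit('Passwords must be valid and identical.');
// New, "better" way: validate one field, then require the second to be identical.
// !== compares strictly; != would treat numeric strings such as "1e3" and "1000" as equal.
if (empty($_POST['password']) || !valid_password($_POST['password'])
    || !isset($_POST['password2']) || $_POST['password'] !== $_POST['password2']) exit('Passwords must be valid and identical.');
?>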
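The same "check one field, then compare" idea as a function that also copes with a missing or array-valued field, as an added example that is not the post's own code. The name check_password_pair(), the 8-character rule inside valid_password() and the sample submissions are assumptions made up for illustration.

```php
<?php
// Added example. valid_password() is a stand-in rule (8+ characters);
// substitute the site's real format/length check.
function valid_password(string $p): bool
{
    return strlen($p) >= 8;
}

// Hypothetical helper: returns null when the pair is acceptable,
// otherwise the error message to show next to the form.
function check_password_pair(array $post): ?string
{
    $p1 = $post['password']  ?? null;
    $p2 = $post['password2'] ?? null;

    // A field submitted as password[]=x arrives as an array, and a field
    // left out of the request is null; neither is a usable password.
    if (!is_string($p1) || !is_string($p2)) {
        return 'Both password fields are required.';
    }
    // Run the format checks on the first field only...
    if (!valid_password($p1)) {
        return 'Password does not meet the rules.';
    }
    // ...then require the confirmation to be identical. With != instead
    // of !==, PHP compares two numeric-looking strings as numbers, so the
    // "numeric-looking" pair below would be accepted as a match.
    if ($p1 !== $p2) {
        return 'Passwords do not match.';
    }
    return null;
}

// Constructed sample submissions.
$samples = [
    'match'           => ['password' => 'correct horse', 'password2' => 'correct horse'],
    'typo'            => ['password' => 'correct horse', 'password2' => 'correct hosre'],
    'numeric-looking' => ['password' => '1000000000',    'password2' => '1e9'],
    'missing second'  => ['password' => 'correct horse'],
    'array field'     => ['password' => ['x'],           'password2' => 'correct horse'],
];
foreach ($samples as $name => $post) {
    printf("%-16s %s\n", $name, check_password_pair($post) ?? 'ok');
}
```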
Side Two - The Positive
When I originally read the title of the post, I thought of exactly what Lee wrote:
A password field will be starred out i.e. you don’t see what you’re typing, which means you could easily make a mistake and submit the wrong password without knowing.
As you know, I've fallen victim to this and know that other people have. Now, let me tell you something. Before I started reading the article, I was dead set on having a confirmation field. Up to the above paragraph, I was still dead set on a confirmation field, but once Lee pointed out his next bit of information...
This is where the ‘Forget your password‘ function comes in handy, which is an inconvenience but will have you up and running again with your old/new password in a couple of minutes.
...I started to wonder whether I should really have that second field. He did make a good point in that the "Forget Your Password?" option almost solves the problem of having a confirmation field. However, this now raises the question of what the "Forget Your Password?" form should ask from a user in order to send them the new password. In most cases it's the email the user signed up with, but sometimes the developer wants the user to enter a security question and answer (WHICH I HATE DOING). That now adds two other fields.
As you can see, I have mixed feelings about the inclusion of the second password/email/whatever field. There are both good and bad points to each side of the argument. I guess it depends on the complexity of the program/application and the personal preference of the developer.
I would love to hear what your thoughts on the matter are. If you were developing, say a social media website for the Wii (like Raptr), would you make users enter their password twice when they register?

It all depends on the audience. If the site was more geared toward tech-related people, I wouldn't add it, due to the fact that us techie-types normally have good typing skills. But for a broader audience with lesser typing skills, I would add the extra field.
Personally, I hate having to type my password a second time, especially since my passwords are 15-20 characters long.
Ethan Dec. 2nd, 2009
Lee made a great point about Forget Password, and I can totally identify with you regarding security questions. Personally, I think those fields are old
Still, in my own point of view, I'm perfectly fine with typing my password twice since I'm so prone to typos.
Also, have you read Chris Coyier's article on iPhone-style password fields? While it won't be accessible to everybody (I do believe it requires some JavaScript magic), it's still a very nifty idea: briefly display the last character you typed. That way I could see if I typed a password right, and anyway if the password I'm entering is really sensitive, I shouldn't be entering it in a public setting in the first place.
BoltClock Dec. 2nd, 2009
I disagree with Ethan... being "techie" absolutely does not equal good typing skills.
I like having the confirm password box, because I get paranoid that I'm going to type it wrong. If anyone is really that worked up about it, I can't help but think they're kind of lazy.
Clem Dec. 2nd, 2009
It actually takes me about the same amount of time to sign up either way -- if there's no password confirmation, then I type my password slowly/carefully the first time to make sure I get it right. If there IS a confirmation field, I'm guessing it takes me the same amount of time to type it twice at a regular/fast speed.
Kaylee Dec. 2nd, 2009
I'm on the team that says "we should have a confirm password field".
(I don't think we should have a confirm email field, though, because I can SEE what I'm typing in that field, so if I screw up I can just go back and fix it...)
I do hate it when I have to fill it out AGAIN because I missed some other field or made a mistake somewhere or my username is already taken, though, like you mentioned. They should just take you to a new screen where only the fields that you screwed up have to be filled out...
Rose Dec. 3rd, 2009
I think it's a good idea depending on the situation. If it's for something that you cannot manually change the password for, then yes. If it's for something that you can change the password, then it's not necessary. We all make mistakes, and typos are inevitable. So I think it's more important than not.
Anthony Dec. 3rd, 2009
I don't really mind the 'confirm' field. It's like 2 seconds that occur subconsciously. I've never really thought of it as a bother. But sometimes it does get me a little ticked off when I get the confirm or the first field incorrect, then I have to redo it.
Jaylin Dec. 3rd, 2009