 |
| We'll need that password again... |
It's so much of a standard that whenever I create a for for users to edit their details (the password being among those details) I always have an extra field for the user to repeat the password, with the required validations. It's reflexive by now, and not once over the years have I ever thought to ask why.
Until now, that is.
That's a good question, though. Why this feature, and why not? Let's break it down.
Why this feature?
Well, for one, password entries tend to be masked. Therefore, users may misspell their initial choice of password. The Caps Lock key might have been on, or something. They keyboard might be jammed. Hey, not everyone can type stuff with 100% accuracy while blindfolded, OK?! |
| Typing while blindfolded. |
Therefore, putting in a confirmation field helps ascertain that, yes, the user absolutely meant to key in "i_k1cK_@$$!556677".
The second reason I'm about to name, is a bit of a circular argument. As mentioned earlier, this UI pattern has been in use since... forever. Which means that users are comfortable with it by now. It's, despite its flaws, an established part of the process. People generally want to stick with established patterns instead of figuring new shit out.
I'm only including the reason above because legacy inertia is legitimate grounds where UI and UX are concerned. As a techie, I despise the argument that we should continue bad practices simply because it's the way we've always done things.
Why not?
There's a whole host of reasons not to do it.While an extra confirmation field might help the user avoid typos, there's nothing stopping the user from copy-pasting passwords. This feature may also drive users to use overly simple passwords instead. Never underestimate the lengths users will go to, to make life easier for themselves. All of which make a system less secure, not more.
.jpg) |
| Copy-pasting. |
An extra field adds overhead. Not only is there more data to input, there is more data validation to cover. We have to check that the field is not empty, matches the previously typed password, and so on. All in return for the dubious value of helping ensure users didn't mistype their chosen password.
And of course, from the user's point of view, one extra field, masked and with extra validations, is just more inconvenience. Although, in the case of security, anything that adds security almost always inconveniences the user to some degree.
All in all
What's the solution for this? There's no one single unified solution thus far. Some platforms prefer the tried-and-tested way. Other platforms prefer the visibility toggle on the password field so that users can see what they typed, if they so chose, with no extra field. With time, an eventual standard should emerge.
r3g@rd$!!12345,
T___T
T___T
No comments:
Post a Comment