
Accessibility and Usability Forum

The number of password fields to use
One or Two?

 9:28 am on Aug 31, 2007 (gmt 0)

I'm having an interesting discussion (read: argument!) here about the number of password fields to use so I thought that I'd get some more opinions.

We have a feature where users can enter login credentials for systems (for example, a username and a password are entered for a server, which are stored on our system). I am saying that there should be 2 password input fields to trap users mistyping the password; the other side of the argument is that there should only be one. The user can then test what they have done and see if it works (our system allows users to test the credentials by trying to log into the target system).

I say that this is extra work and surely it's easier to make sure that the user has entered the correct password by making them enter it twice.

Which side of the argument are you? Why?



 10:35 am on Aug 31, 2007 (gmt 0)

If it's a persistent setting, then twice.

If it's an immediate, one-time login, then once.

Just my $0.02.


 5:45 pm on Aug 31, 2007 (gmt 0)

I say that this is extra work and surely it's easier to make sure that the user has entered the correct password by making them enter it twice.

And what would those ways be?


 8:46 pm on Sep 2, 2007 (gmt 0)

How about entering the password once, then testing it automagically before it is stored, re-displaying the form with error message if incorrect?


 1:39 pm on Sep 5, 2007 (gmt 0)

Thanks for the replies!

There seems to be a divided opinion on this, with pros and cons on both sides. For example, one pro of the double entry system is that if the credential does not work the user is more confident that the error is due to the credential being invalid rather than it being a mistype.

I'm leaning towards a third option. That is:

  1. A single password field,
  2. A checkbox that the user can click which displays the password that they have entered,
  3. An immediate test of the credentials is performed.

(1) addresses Duncan's concerns that people get annoyed entering things twice and may just make the same typo in both cases.

(2) has been inspired by Apple's Wireless password entry system and will allow the user to check the password if they feel that they may have made a typo. This would be a JavaScript function that converts the password field to a clear text input field. Un-checking converts it back. I'm toying with the idea of having a timeout on this (with a visible countdown) to convert it back to address any security concerns.

(3) will check that the credential is actually valid and alert the user straight away that there is a problem (without them having to run a report or specifically hit the Test button).

[edited by: BlobFisk at 1:59 pm (utc) on Sep. 5, 2007]
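
Option (2) from the post above, sketched as an added example that is not part of the original thread: a reveal toggle that switches the field back to `password` after a visible countdown. The element ids, the 10-second default and the `startInterval`/`stopInterval` hooks are assumptions made for illustration.

```javascript
// Added example: reveal controller for a password field with auto-revert.
// `field` is any object with a `type` property (an <input> in the browser).
function createRevealController(field, opts = {}) {
  const seconds = opts.seconds ?? 10;          // assumed default timeout
  const onTick = opts.onTick ?? (() => {});    // receives seconds remaining
  // Timer hooks are injectable so the logic can be exercised without a DOM.
  const start = opts.startInterval ?? ((fn, ms) => setInterval(fn, ms));
  const stop = opts.stopInterval ?? ((h) => clearInterval(h));
  let handle = null;
  let remaining = 0;

  function hide() {
    if (handle !== null) { stop(handle); handle = null; }
    remaining = 0;
    field.type = 'password';
    onTick(0);
  }

  function reveal() {
    hide();                      // restart cleanly if already revealed
    field.type = 'text';
    remaining = seconds;
    onTick(remaining);
    handle = start(() => {
      remaining -= 1;
      if (remaining <= 0) hide(); else onTick(remaining);
    }, 1000);
  }

  return { reveal, hide, isRevealed: () => field.type === 'text' };
}

// Browser wiring; the element ids below are hypothetical.
if (typeof document !== 'undefined') {
  const input = document.getElementById('credential-password');
  const box = document.getElementById('show-password');
  const label = document.getElementById('reveal-countdown');
  const ctl = createRevealController(input, {
    onTick: (s) => { label.textContent = s ? `Hiding in ${s}s` : ''; box.checked = s > 0; },
  });
  box.addEventListener('change', () => (box.checked ? ctl.reveal() : ctl.hide()));
  // Mask again before submit and when the tab is hidden, so the value is
  // never submitted from a text input (which browsers may keep in form history).
  input.form.addEventListener('submit', () => ctl.hide());
  document.addEventListener('visibilitychange', () => { if (document.hidden) ctl.hide(); });
}
```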


 4:11 pm on Sep 5, 2007 (gmt 0)

Hi Blob;

I appreciate your interest in trying to make a user-friendly system; I think you will just end up frustrating more people than helping them.

Login systems are so standardized - everyone expects 2 fields: username and password. If you make any changes, you risk confusing people who probably log in to multiple systems daily.


 6:51 pm on Sep 5, 2007 (gmt 0)

There seems to be some confusion here, and I'll be the first to admit that I'm one of the ones confused.

Let me see if I can restate the problem as I understand it:

1. We're talking about the user initially setting up their account here, NOT users logging-in to existing accounts.

2. The question is: go with the "standard" of requiring the user to enter the same password in two fields, to help prevent typos and misspellings, or instead to require the password be entered only once, but then immediately verify by going through a "login check".

The way the question is stated is a bit confusing, because it doesn't explicitly state that we're talking about the user initially setting-up their account, and it also implies that using the alternative, the user only has to enter the password once.

As I understand it, the proposed alternative still requires the user to enter the password twice but not on the same page, and - the second time - the system will do a log-in check and/or actually log the user in. So, they get immediate feedback that the credentials are now stored in the system, and were correctly entered.

A key feature, it would seem to me, is that if the login-check or actual login fails, the user is able to correct their password without having to start the whole process over again. (Possibly abandoning a user ID and having to choose a new one.)

Am I getting this right?

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved