As a user, I don't mind entering a password two times since I know it's beneficial to me and it reflects that the site cares about the quality of the sign-ups. It's the first impression of the site's engagement.
Regarding the email containing the password, that's shocking to hear that and they should change how they handle the sensitive information of the users.
I noticed that more sites now ask email address only, replacing creating user name during sign-up.
Reddit's sign-up module is designed poorly (viewing on my iPhone). There are multiple tasks that can be done in that area, but there's no clear UI helping the users complete their tasks more easily.
Sent from my iPhone
On Mar 27, 2012, at 3:33 PM, Pat Lang <[address removed]> wrote:
The registered user has the option to add an email to their account in case they need to recover a password. I like that it's an option and not mandatory.
On Tue, Mar 27, 2012 at 12:56 PM, Yingying <[address removed]>
Hey Pat, I haven't used Reddit.com, so it's good to know. But what can you do if you forget your password but want to see previous info? If there is no email address, you will not be able to get your password back.
From: Pat Lang <[address removed]>
Sender: [address removed]
Date: Tue, 27 Mar[masked]:44:22 -0400
To: <[address removed]>
ReplyTo: [address removed]
Subject: Re: [ia-55] Enter & Re-enter Password when sign up
It depends on your site goals and objective on which method is chosen, so neither one is "better".
I like how Reddit.com does it... Username + 2 password fields, no email required!! No email is key; this encourages users to sign up with multiple accounts and post/comment more freely. For example, you can have an account called Mr. Negative and reply negatively to every post. This, plus the gamification aspects, encourages account creation and contributions. The site traffic reflects this.
On Tue, Mar 27, 2012 at 12:06 PM, Timothy Strimple <[address removed]>
Yes. It is still wrong. The vast majority of those millions of users don't know anything about security and they are blindly trusting WordPress to be competent in that area.
Having a compromised email was just one of a handful of ways that sending passwords via email is a problem. The others should not be ignored for the sake of convenience.
Sent from my Windows Phone
From: noel saw
Sent: 3/27/2012 9:49 AM
To: [address removed]
Subject: Re: [ia-55] Enter & Re-enter Password when sign up
Timothy, another perspective is that if they've been doing it this way for many years and the core audience of millions of users aren't demanding a "fix" for this method, does it make it "wrong" then?
I agree that sending passwords via email is inherently insecure but what are the alternatives other than forcing users to change their passwords immediately upon initial login? We know most users are going to have their own set of favorite passwords and most people are not going to create strong passwords.
My take is that if someone's email system is compromised, you're pretty much jacked by that point because they can go and perform password recovery operations at those other sites regardless of whether or not they received a "welcome email" with the password.
On Mon, Mar 26, 2012 at 10:49 PM, Timothy Strimple <[address removed]>
Just because they are doing it for a long time, doesn't mean that it is right. This is not an opinion to agree or disagree with. It is a fact that it is far less secure to send a user their password in their email.
Some highlights from the link:
The email could be intercepted giving someone else the password.
Someone could see them open the email on their screen (been at mates' houses and had this happen to both of us so many times, and every time it is a massive headache to go change all your passwords).
The email might be forwarded to other addresses which are not secure.
The email might bounce/encounter a server error and then you (perhaps your untrusted staff or outsourced helpdesk too?), and the email server's system admin will probably get copies of the original email.
Someone who obtains access to the user's emails through a cookie hijack or even just a briefly unattended open email account will now be able to see their password. Worse, their password is probably used elsewhere (or at least has a common stem, e.g. "password1", "password1$$", "passwordSuperSecure123"), so you've now compromised more than just your own service. Worse still, it might be the password to the email account that's been hijacked, and now they can steal this person's email account and thus identity for a much longer time than the expiry date on the cookie/session. (This has all happened to people I know.)
The fact that they are able to send you an email with the password is also a strong indicator that they are not storing passwords correctly. Passwords should be salted and hashed when stored in the database and it should be impossible for you to determine the original password from the values in the database.
On Mon, Mar 26, 2012 at 10:27 PM, noel saw <[address removed]>
Tim, I respectfully disagree, but WordPress, one of the world's most popular CMSes, has been sending user passwords for new account notifications via email for many, many years.
On Mon, Mar 26, 2012 at 10:15 PM, Timothy Strimple <[address removed]>
Please, never send the user the password they entered in an email. It's acceptable to send a temporary password via email as long as the user is required to change it on their next login.
Some sites I have used are asking for just an email to create an account, and there is a link that gets emailed to you to finish creating your profile. This lets you confirm the user's email before the account is created, which means you have a reliable way of resetting a password if the user mistypes it. Thus it would be okay to just ask for a single password and skip the confirmation since there is a means to recover.
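The salted-and-hashed storage Timothy describes in his later message, together with the e-mailed-link reset flow from this one, as an added Python example (not code posted by anyone in the thread); the in-memory stores, the PBKDF2 parameters and the 15-minute token lifetime are assumptions made for the example:

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a database (example only).
USERS = {}          # email -> encoded salted hash, never the password itself
RESET_TOKENS = {}   # sha256(token) -> (email, expiry timestamp)


def hash_password(password, salt=None, iterations=600_000):
    """Return 'pbkdf2_sha256$iters$salt$digest'; the original password cannot be recovered."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def register(email, password):
    USERS[email] = hash_password(password)


def issue_reset_token(email, ttl_seconds=900, now=None):
    """Create a single-use token for the emailed link; only its hash is stored,
    so a copy of the database cannot be used to reset anyone's password."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    now = time.time() if now is None else now
    RESET_TOKENS[key] = (email, now + ttl_seconds)
    return token


def redeem_reset_token(token, new_password, now=None):
    """Consume the token (once) and set a new password if it has not expired."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)   # pop: a token can only be used once
    if entry is None:
        return False
    email, expires = entry
    now = time.time() if now is None else now
    if now > expires:
        return False
    USERS[email] = hash_password(new_password)
    return True
```

Nothing in either store lets the site send the user their password back, which is the property Timothy points to as the sign of correct storage.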
On Mon, Mar 26, 2012 at 10:02 PM, noel saw <[address removed]>
I think it's an effort towards streamlining the account creation process. Some might call it part of "on-boarding" users as much as possible.
A lot of sites now send "welcome" emails with the user's credentials including passwords as a reminder in case they mis-typed the password originally.
For my own projects, I am employing the single password field.
On Mon, Mar 26, 2012 at 9:40 PM, Yingying <[address removed]>
Christine, thanks! My company uses password/confirm too. Actually, this Readability website is the first one I've noticed using a single field. So I am wondering what reason makes them eliminate the other one :)
On Mon, Mar 26, 2012 at 9:28 PM, Christine Tran <[address removed]>
My company does request a password/confirm password upon signup as part of the Drupal module we use. Our developers have said we can automate the second password field on the back end (only requiring the user to type a password once), but as you mentioned, I believe doing it twice avoids user typos that could cause later logins to be frustrating.
CHRISTINE E. TRAN · (773)[masked] · @tranxtine
On Mon, Mar 26, 2012 at 9:17 PM, Yingying