addressalign-toparrow-leftarrow-rightbackbellblockcalendarcameraccwcheckchevron-downchevron-leftchevron-rightchevron-small-downchevron-small-leftchevron-small-rightchevron-small-upchevron-upcircle-with-checkcircle-with-crosscircle-with-pluscontroller-playcrossdots-three-verticaleditemptyheartexporteye-with-lineeyefacebookfolderfullheartglobegmailgooglegroupshelp-with-circleimageimagesinstagramFill 1light-bulblinklocation-pinm-swarmSearchmailmessagesminusmoremuplabelShape 3 + Rectangle 1ShapeoutlookpersonJoin Group on CardStartprice-ribbonprintShapeShapeShapeShapeImported LayersImported LayersImported Layersshieldstartickettrashtriangle-downtriangle-uptwitteruserwarningyahoo

Re: [ia-55] Enter & Re-enter Password when sign up

From: Aaron Y.
Sent on: Thursday, March 29, 2012 11:02 AM
My two cents: never email passwords except temporary passwords to be reset shortly, "Confirm password" fields are annoying but useful (especially for more complex passwords).

On the topic of email addresses, what does everyone think of "Confirm email" fields? Personally, I know how to type my email, and it shows up in plaintext, so I dislike these confirmation fields.
I usually type my email once, Ctrl+A Ctrl+C, tab into the confirmation field, Ctrl+V. So much for typo-avoidance.

On Wed, Mar 28, 2012 at 18:20, Eduardo Favio Angeles <[address removed]> wrote:
Indeed. Passwords should never be sent over email... it's like leaving your home keys and home security password on an envelope labeled "house keys and security codes" on the front porch :-p you might as well just call the burglars and throw them a party...

Typing the password twice. That's the way it should be.

Using the email address as your login ID is easy and ensures accounts are unique... pretty standard practice nowadays

On Wed, Mar 28, 2012 at 5:56 PM, Ayleene Yoon Lee <[address removed]> wrote:
As a user, I don't mind entering password two times since I know it's beneficial to me and it reflects that the site cares about the quality of the sign-ups. It's the first impression of the site engagement.

Regarding the email containing the password, that's shocking to hear that and they should change how they handle the sensitive information of the users. 

I noticed that more sites now ask email address only, replacing creating user name during sign-up.

Reddit sign-up module is designed poorly (viewing on my iPhone). There are multiple tasks can be made in that area, but there's no clear UI helping the users' tasks completed easier.

Sent from my iPhone

On Mar 27, 2012, at 3:33 PM, Pat Lang <[address removed]> wrote:

The registered user has the option to add an email to their account in case they need to recover a password. Iike that it's an option and not mandatory. 

-Pat Lang

On Tue, Mar 27, 2012 at 12:56 PM, Yingying <[address removed]> wrote:
Hey Pat, I haven't used, so its good to know. But what can you do if you forget password but want to see previous info? If there is no email address, you will not be able to get your password back
Yingying Zhang -

From: Pat Lang <[address removed]>
Sender: [address removed]
Date: Tue, 27 Mar[masked]:44:22 -0400
To: <[address removed]>
ReplyTo: [address removed]
Subject: Re: [ia-55] Enter & Re-enter Password when sign up

It depends on your site goals and objective on which method is chosen, so neither one is "better".  

I like how does it... Username + 2 password fields, no email required!! No email is key, this encourages users to sign up with multiple accounts and post/comment more freely. For example you can have an account called Mr. Negative. and reply negatively to every post. This, plus the gameification aspects, encourages account creating and contributions. The site traffic reflects this. 

-Pat Lang

On Tue, Mar 27, 2012 at 12:06 PM, Timothy Strimple <[address removed]> wrote:
Yes. It is still wrong. the vast majority of those millions of users dont know anything about security and they are blindly trusting WordPress to be competent in that area.

Having a compromised email was just one of a handful of ways that sending passwords via email is a problem. The others should not be ignored for the sake of convenience.


Sent from my Windows Phone

From: noel saw
Sent: 3/27/2012 9:49 AM
To: [address removed]
Subject: Re: [ia-55] Enter & Re-enter Password when sign up

Timothy, another perspective is that if they've been doing it this way for many years and the core audience of millions of users aren't demanding a "fix" for this method, does it make it "wrong" then?

I agree that sending passwords via email is inherently insecure but what are the alternatives other than forcing users to change their passwords immediately upon initial login? We know most users are going to have their own set of favorite passwords and most people are not going to create strong passwords.

My take is that if someone's email system is compromised, you're pretty much jacked by that point because they can go and perform a password recovery operations at those other sites regardless of whether or not they received a "welcome email" with the password.

On Mon, Mar 26, 2012 at 10:49 PM, Timothy Strimple <[address removed]> wrote:
Just because they are doing it for a long time, doesn't mean that it is right. This is not an opinion to agree or disagree with. It is a fact that it is far less secure to send a user their password in their email.

Some highlights from the link:
  • The email could be intercepted giving someone else the password.
  • Someone could see them open the email on their screen (been at mates houses and had this happen to both of us so many times, and every time is a massive headache to go change all your passwords).
  • The email might be forwarded to other addresses which are not secure.
  • The email might bounce/encounter a server error and then you (perhaps your untrusted staff or outsourced helpdesk too?), and the email server's system admin will probably get copies of the original email.
  • Someone who obtains access to the user's emails through a cookie hijack or even just a briefly unattended open email account will now be able to see their password. Worse, their password is probably used elsewhere (or at least has a common stem, e.g. "password1", "password1$$" "passwordSuperSecure123") so you've now compromised more than just your own service. Worse still, it might be the password to the email account that's been hijacked and now they can steal this person's email account and thus identity for a much longer time than the expiry date on the cookie/session. (This has all happened to people I know).

  • The fact that they are able to send you an email with the password is also a strong indicator that they are not storing passwords correctly. Passwords should be salted and hashed when stored in the database and it should be impossible for you to determine the original password from the values in the database. 


    On Mon, Mar 26, 2012 at 10:27 PM, noel saw <[address removed]> wrote:
    Tim, I respectfully disagree but WordPress, one of the world's most popular CMS has been sending user password for new account notifications via emails for many, many years.

    On Mon, Mar 26, 2012 at 10:15 PM, Timothy Strimple <[address removed]> wrote:
    Please, never send the user the password they entered in an email. It's acceptable to send a temporary password via email as long as the user is required to change it on their next login.

    Some sites I have used are asking for just an email to create an account, and there is a link that gets emailed to you to finish creating your profile. This lets you confirm the users email before the account is created, which means you have a reliable way of resetting a password if the user mistypes it. Thus it would be okay to just ask for a single password and skip the confirmation since there is a means to recover.


    On Mon, Mar 26, 2012 at 10:02 PM, noel saw <[address removed]> wrote:
    I think it's an effort towards streamlining the account creation process. Some might call it part of "on-boarding" users as much as possible. 

    A lot of sites now send "welcome" emails with the user's credentials including passwords as a reminder in case they mis-typed the password originally.

    For my own projects, I am employing the single password field.

    On Mon, Mar 26, 2012 at 9:40 PM, Yingying <[address removed]> wrote:
    Christine, thanks! My company uses password/confirm too. Actually, this Readability website is the first one I've noticed using a single field. So I am wondering what reason makes them eliminated the other one:)

    On Mon, Mar 26, 2012 at 9:28 PM, Christine Tran <[address removed]> wrote:
    Hi Yingying,

    My company does request a password/confirm password upon signup as part of the Drupal module we use. Though our developers have said we can automate the second password field on the back end (only requiring the user to type a password once), but as you mentioned, I believe doing it twice avoids user typos that could cause later logins to be frustrating.

    CHRISTINE E. TRAN · (773)[masked] · @tranxtine

    On Mon, Mar 26, 2012 at 9:17 PM, Yingying

    Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
    This message was sent by Ayleene Yoon Lee ([address removed]) from The Los Angeles User Experience Meetup.
    To learn more about Ayleene Yoon Lee, visit his/her member profile
    Set my mailing list to email me As they are sent | In one daily email | Don't send me mailing list messages

    Meetup, PO Box 4668 #37895 New York, New York[masked] | [address removed]

    Eduardo Favio ANGELES
    Cell - (909)[masked]
    "Stay Hungry. Stay Foolish." - Steve Jobs

    Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
    This message was sent by Eduardo Favio Angeles ([address removed]) from The Los Angeles User Experience Meetup.
    To learn more about Eduardo Favio Angeles, visit his/her member profile

    Set my mailing list to email me As they are sent | In one daily email | Don't send me mailing list messages

    Meetup, PO Box 4668 #37895 New York, New York[masked] | [address removed]

    Our Sponsors

    People in this
    Meetup are also in:

    Sign up

    Meetup members, Log in

    By clicking "Sign up" or "Sign up using Facebook", you confirm that you accept our Terms of Service & Privacy Policy