
RE: [ia-55] Enter & Re-enter Password when sign up

From: user 3.
Sent on: Thursday, March 29, 2012 9:11 AM

I’m weighing in a bit late but here’s my 2 cents.


· A password should never be sent via email, unless it’s temporary and requires a mandatory password change at log in. In fact, the password could be “reset” at the back end, a temporary password sent and the user could just set it to the original with no real security issues.

· Password confirmation is annoying, but much less so if you typed it in wrong and then had to go through password retrieval/reset described above. I think it’s generally a good practice.


On a related note, I wrote a short article on strong passwords and why they can have a negative effect on usability. I am NOT suggesting that users should choose weak passwords, e.g., password. I am only saying that the current trend of long, complex password requirements is onerous with minimal security benefits. I hadn’t considered the password confirmation step in my write up but I don’t think it changes my feelings on the subject. Read it for yourself here, . Feedback encouraged!


It’s funny how the “simple” UX problems can elicit so much discussion!


Sam Reynolds



From: [address removed] [mailto:[address removed]] On Behalf Of Eduardo Favio Angeles
Sent: Wednesday, March 28,[masked]:20 PM
To: [address removed]
Subject: Re: [ia-55] Enter & Re-enter Password when sign up


Indeed. Passwords should never be sent over email... it's like leaving your home keys and home security password on an envelope labeled "house keys and security codes" on the front porch :-p you might as well just call the burglars and throw them a party...


Typing the password twice. That's the way it should be.


Using the email address as your login ID is easy and ensures accounts are unique... pretty standard practice nowadays

On Wed, Mar 28, 2012 at 5:56 PM, Ayleene Yoon Lee <[address removed]> wrote:

As a user, I don't mind entering password two times since I know it's beneficial to me and it reflects that the site cares about the quality of the sign-ups. It's the first impression of the site engagement.


Regarding the email containing the password, that's shocking to hear that and they should change how they handle the sensitive information of the users. 


I noticed that more sites now ask email address only, replacing creating user name during sign-up.


Reddit sign-up module is designed poorly (viewing on my iPhone). There are multiple tasks that can be done in that area, but there's no clear UI helping users complete their tasks more easily.




Sent from my iPhone

On Mar 27, 2012, at 3:33 PM, Pat Lang <[address removed]> wrote:

The registered user has the option to add an email to their account in case they need to recover a password. I like that it's an option and not mandatory.


-Pat Lang

On Tue, Mar 27, 2012 at 12:56 PM, Yingying <[address removed]> wrote:

Hey Pat, I haven't used it, so it's good to know. But what can you do if you forget your password but want to see previous info? If there is no email address, you will not be able to get your password back.

Yingying Zhang -

From: Pat Lang <[address removed]>

Sender: [address removed]

Date: Tue, 27 Mar[masked]:44:22 -0400

To: <[address removed]>

ReplyTo: [address removed]

Subject: Re: [ia-55] Enter & Re-enter Password when sign up


It depends on your site goals and objective on which method is chosen, so neither one is "better".  


I like how does it... Username + 2 password fields, no email required!! No email is key, this encourages users to sign up with multiple accounts and post/comment more freely. For example you can have an account called Mr. Negative and reply negatively to every post. This, plus the gamification aspects, encourages account creation and contributions. The site traffic reflects this.


-Pat Lang




On Tue, Mar 27, 2012 at 12:06 PM, Timothy Strimple <[address removed]> wrote:

Yes. It is still wrong. The vast majority of those millions of users don't know anything about security and they are blindly trusting WordPress to be competent in that area.

Having a compromised email was just one of a handful of ways that sending passwords via email is a problem. The others should not be ignored for the sake of convenience.


Sent from my Windows Phone

From: noel saw
Sent: 3/27/2012 9:49 AM
To: [address removed]
Subject: Re: [ia-55] Enter & Re-enter Password when sign up


Timothy, another perspective is that if they've been doing it this way for many years and the core audience of millions of users aren't demanding a "fix" for this method, does it make it "wrong" then?


I agree that sending passwords via email is inherently insecure but what are the alternatives other than forcing users to change their passwords immediately upon initial login? We know most users are going to have their own set of favorite passwords and most people are not going to create strong passwords.


My take is that if someone's email system is compromised, you're pretty much jacked by that point because they can go and perform password recovery operations at those other sites regardless of whether or not they received a "welcome email" with the password.


On Mon, Mar 26, 2012 at 10:49 PM, Timothy Strimple <[address removed]> wrote:

Just because they are doing it for a long time, doesn't mean that it is right. This is not an opinion to agree or disagree with. It is a fact that it is far less secure to send a user their password in their email.



Some highlights from the link:

·  The email could be intercepted giving someone else the password.

·  Someone could see them open the email on their screen (been at mates' houses and had this happen to both of us so many times, and every time is a massive headache to go change all your passwords).

·  The email might be forwarded to other addresses which are not secure.

·  The email might bounce/encounter a server error and then you (perhaps your untrusted staff or outsourced helpdesk too?), and the email server's system admin will probably get copies of the original email.

·  Someone who obtains access to the user's emails through a cookie hijack or even just a briefly unattended open email account will now be able to see their password. Worse, their password is probably used elsewhere (or at least has a common stem, e.g. "password1", "password1$$" "passwordSuperSecure123") so you've now compromised more than just your own service. Worse still, it might be the password to the email account that's been hijacked and now they can steal this person's email account and thus identity for a much longer time than the expiry date on the cookie/session. (This has all happened to people I know).


The fact that they are able to send you an email with the password is also a strong indicator that they are not storing passwords correctly. Passwords should be salted and hashed when stored in the database and it should be impossible for you to determine the original password from the values in the database.



On Mon, Mar 26, 2012 at 10:27 PM, noel saw <[address removed]> wrote:

Tim, I respectfully disagree, but WordPress, one of the world's most popular CMSes, has been sending user passwords for new account notifications via email for many, many years.


On Mon, Mar 26, 2012 at 10:15 PM, Timothy Strimple <[address removed]> wrote:

Please, never send the user the password they entered in an email. It's acceptable to send a temporary password via email as long as the user is required to change it on their next login.


Some sites I have used are asking for just an email to create an account, and there is a link that gets emailed to you to finish creating your profile. This lets you confirm the user's email before the account is created, which means you have a reliable way of resetting a password if the user mistypes it. Thus it would be okay to just ask for a single password and skip the confirmation since there is a means to recover.
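The two flows described in this message (and in Sam's first bullet near the top of the thread) fit together in one small service, shown here as an added example rather than code from anyone in the thread: the sign-up link carries a random, single-use, expiring token of which only a hash is stored, so confirming the address comes before any password exists, and the only credential that ever goes out by email is a temporary one that the `must_change_password` flag forces the user to replace at next login. The `outbox` list, the `example.invalid` URL and the TTL and iteration values are constructed stand-ins for a real mailer and configuration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed parameters for this example.
TOKEN_TTL_SECONDS = 60 * 60
PBKDF2_ITERATIONS = 200_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PendingSignup:
    email: str
    expires_at: float
    used: bool = False


@dataclass
class Account:
    email: str
    email_verified: bool
    salt: bytes
    password_hash: bytes
    must_change_password: bool = False  # True while a mailed temporary credential is in effect


class SignupService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock  # injectable so expiry can be tested without waiting
        self.pending: Dict[str, PendingSignup] = {}
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []  # (recipient, body): stand-in for a mailer

    @staticmethod
    def _token_key(token: str) -> str:
        # Only the hash of the token is persisted; a leaked table yields no usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def start_signup(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[self._token_key(token)] = PendingSignup(email, self.clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, "Finish creating your profile: https://example.invalid/signup?token=" + token))
        return token  # returned only so the caller can hand it to the mailer

    def finish_signup(self, token: str, password: str) -> Optional[Account]:
        rec = self.pending.get(self._token_key(token))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None  # unknown, already used, or expired link
        rec.used = True  # single use: clicking the link twice cannot create two accounts
        salt = os.urandom(16)
        acct = Account(rec.email, True, salt, _hash_secret(password, salt))
        self.accounts[rec.email] = acct
        return acct

    def issue_temporary_password(self, email: str) -> str:
        """Reset at the back end: mail a random temporary credential, never the user's own."""
        acct = self.accounts[email]
        temp = secrets.token_urlsafe(12)
        acct.salt = os.urandom(16)
        acct.password_hash = _hash_secret(temp, acct.salt)
        acct.must_change_password = True
        self.outbox.append((email, "Your temporary password is: " + temp))
        return temp

    def login(self, email: str, password: str) -> str:
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(_hash_secret(password, acct.salt), acct.password_hash):
            return "denied"
        return "must_change_password" if acct.must_change_password else "ok"

    def change_password(self, email: str, old: str, new: str) -> bool:
        if self.login(email, old) == "denied":
            return False
        acct = self.accounts[email]
        acct.salt = os.urandom(16)
        acct.password_hash = _hash_secret(new, acct.salt)
        acct.must_change_password = False  # temporary credential is now retired
        return True
```

Because the confirmation link is both single-use and time-limited, a mis-typed or forwarded sign-up email is useless after the first click or after the hour passes, and the temporary-password path means the password the user actually chooses never appears in the outbox at all.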




On Mon, Mar 26, 2012 at 10:02 PM, noel saw <[address removed]> wrote:

I think it's an effort towards streamlining the account creation process. Some might call it part of "on-boarding" users as much as possible. 


A lot of sites now send "welcome" emails with the user's credentials including passwords as a reminder in case they mis-typed the password originally.


For my own projects, I am employing the single password field.


On Mon, Mar 26, 2012 at 9:40 PM, Yingying <[address removed]> wrote:

Christine, thanks! My company uses password/confirm too. Actually, this Readability website is the first one I've noticed using a single field. So I am wondering what reason made them eliminate the other one :)


On Mon, Mar 26, 2012 at 9:28 PM, Christine Tran <[address removed]> wrote:

Hi Yingying,


My company does request a password/confirm password upon signup as part of the Drupal module we use. Our developers have said we can automate the second password field on the back end (only requiring the user to type a password once), but as you mentioned, I believe doing it twice avoids user typos that could cause later logins to be frustrating.



CHRISTINE E. TRAN · (773)[masked] · @tranxtine

On Mon, Mar 26, 2012 at 9:17 PM, Yingying

Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
This message was sent by Ayleene Yoon Lee ([address removed]) from The Los Angeles User Experience Meetup.
To learn more about Ayleene Yoon Lee, visit his/her member profile
Set my mailing list to email me As they are sent | In one daily email | Don't send me mailing list messages

Meetup, PO Box 4668 #37895 New York, New York[masked] | [address removed]



Eduardo Favio ANGELES

Cell - (909)[masked]
"Stay Hungry. Stay Foolish." - Steve Jobs


This message was sent by Eduardo Favio Angeles ([address removed]) from The Los Angeles User Experience Meetup.
