: Why do websites require retyping the password upon user error in a registration form? Many times, when you fill out a registration form and miss a required field, the form reloads with all

@Alves908

Simply put, this is for better security. In order to store data on the form that has already been typed, it's going to be stored by a script to a session variable or appended to a referred link. You don't want to store password data this way. The data can often be easily intercepted or spoofed, so it's best practice not to do this.

Is it possible to do this, yes...but you shouldn't. Plus, most browsers (if configured to store form data), will simply remember a regular input field, keeping that data stored across browsing sessions...but they'll ignore password-type input fields by default.

As an added benefit, it also helps the user to remember the password they typed, by having to do it more than just once or twice. As annoying as it may be, until a better method is more widely accepted and accessible, this is typically how it's going to be done.

Vote Up Vote Down

@Welton855

It's a security measure on so many levels!!!


I. Typing it twice is to make sure you entered it correctly!


What if you entered it just once, made a typo and didn't notice?
The site might have a ToS preventing multiple accounts for the same person/email!
You might never be able to login to that account/website ever again!


II. Passwords should NEVER be stored in cleartext, nor encoded/encrypted but in a 1 way hash! [ref. CWE-257]



Server-wise: The server can't give you 'back' what you typed because by the time you get the error page the password is either not processed or already hashed or it shouldn't be stored in a format that you can get 'back'.
Client-wise: It's also not a good practice to store the password in a retrievable format in any way (js/cookie/etc)


Final considerations: the password should be known only to you! and it should exist in it's 'true' form only in your head!

Vote Up Vote Down

@Tiffany637

The only real reason I see for clearing the password form on a required field failure - is that it prevents the user from updating "just fixing the one field and submitting the data"

The mindset I have to this is that : If the form is designed well and obviously enough attention was spent in the pre-processing sub action coding ---- then if someone still missed a required field, other data may be incorrect.

Wiping the password field is a way to give the user a forced pause to not just add in the required data but also gives them the opportunity to (hopefully) verify the rest of their information on the form.

Security wise - this doesn't really provide much unless someone hit submit on a public computer and immediately left the computer before the oversight was detected and the user (now absent) is prompted to fill in the offending field.

Little to no security benefit - mostly just a way to hopefully prod the user to verify information before they submit again.

-my take on it.

Vote Up Vote Down

@Sarah324

It's a trade-off between a security measure and the requirement for data capture - if a user has gone to the trouble of registering their details with you, it is not a good idea to have to make them re-enter each form field. They are as likely to abandon the registration process. It's much easier just to make them simply re-type the password twice, which of course protects them from nothing, but gives an added sense of security to the unwary.
Depending on your level of need for registered users, either clear the form or just the password fields. Clearing the whole form provides slightly better security.

Vote Up Vote Down