
Why do websites require retyping the password upon user error in a registration form?

@Ogunnowo487

Posted in: #Forms #Javascript #Password #Security

Many times, when you fill out a registration form and miss a required field, the form reloads with all the fields filled out except for the password, which you have to retype.

I'm wondering if I should do the same. I really prefer not to, because as a user I'm very annoyed by the need to retype the password.

Is it a security measure? What does it protect from?

EDIT: Helping the user remember the password is important, but does not answer the question. Most forms have two password fields anyway, and I see no reason to make the user type the password 4 or 6 times instead of 2.

4 Comments

@Alves908

Simply put, this is for better security. In order to store data on the form that has already been typed, it's going to be stored by a script to a session variable or appended to a referred link. You don't want to store password data this way. The data can often be easily intercepted or spoofed, so it's best practice not to do this.

Is it possible to do this? Yes... but you shouldn't. Plus, most browsers (if configured to store form data) will simply remember a regular input field, keeping that data stored across browsing sessions... but they'll ignore password-type input fields by default.

As an added benefit, it also helps the user to remember the password they typed, by having to do it more than just once or twice. As annoying as it may be, until a better method is more widely accepted and accessible, this is typically how it's going to be done.


@Welton855

It's a security measure on so many levels!!!


I. Typing it twice is to make sure you entered it correctly!

- What if you entered it just once, made a typo and didn't notice?
- The site might have a ToS preventing multiple accounts for the same person/email!
- You might never be able to log in to that account/website ever again!

II. Passwords should NEVER be stored in cleartext, nor encoded/encrypted, but in a 1-way hash! [ref. CWE-257]

- Server-wise: The server can't give you 'back' what you typed, because by the time you get the error page the password is either not processed or already hashed, or it shouldn't be stored in a format that you can get 'back'.
- Client-wise: It's also not a good practice to store the password in a retrievable format in any way (js/cookie/etc).

Final considerations: the password should be known only to you! And it should exist in its 'true' form only in your head!


@Tiffany637

The only real reason I see for clearing the password field on a required-field failure is that it prevents the user from "just fixing the one field and submitting the data".

The mindset I have on this is: if the form is designed well and obviously enough attention was spent on the pre-processing sub-action coding, then if someone still missed a required field, other data may be incorrect.

Wiping the password field is a way to give the user a forced pause to not just add in the required data but also gives them the opportunity to (hopefully) verify the rest of their information on the form.

Security-wise, this doesn't really provide much, unless someone hit submit on a public computer and immediately left the computer before the oversight was detected, and the user (now absent) is prompted to fill in the offending field.

Little to no security benefit - mostly just a way to hopefully prod the user to verify information before they submit again.

-my take on it.


@Sarah324

It's a trade-off between a security measure and the requirement for data capture. If a user has gone to the trouble of registering their details with you, it is not a good idea to make them re-enter each form field; they are just as likely to abandon the registration process. It's much easier just to make them re-type the password twice, which of course protects them from nothing, but gives an added sense of security to the unwary.

Depending on your level of need for registered users, either clear the form or just the password fields. Clearing the whole form provides slightly better security.
