Confirm Password, Idiot.

April 3rd, 2008

One common trend in interface design (both web and otherwise) is to assume the user is a complete and utter fool, and that our job as interface designers is to protect that user from their own stupidity. Interfaces designed around this notion become large and cumbersome, with everything screaming for the user’s attention, and they put up so many roadblocks that the user gets frustrated and flat out gives up.

If only all tools would protect us from ourselves…

Software is funny that way, really. No one designs a hammer to be Smash-Your-Finger-Proof, and doing so would most likely detract from the purpose of a hammer: namely, putting gigantic holes into sheet rock (at least that’s the result I get, sadly). Imagine if your drill simply would not drill unless you were holding it perfectly level. You’d keep trying, but the drill would let out a *BZZT* and flash red, with a nice message somewhere letting you know how much you suck at drilling.

Any user-driven web business can tell you how important it is to get the conversion from “browsing your site” to “using your site”, and it typically begins with a sign up form. Whether it’s an eCommerce site where users directly impact revenue, or a social site where users generate the content, the barriers to entry to create a “user” should be as small as possible. Why is it, then, with all of the money spent to track and attempt to reduce these barriers, that I’m still being “protected” by sign up forms, asking me to confirm my password, in case I screwed up typing it? You’d think this is the easiest barrier to tear down.

Hey we think maybe you’re awful at typing. Could you try typing your password in again, just in case?

It’s not as though it is some irrecoverable problem if the user were to mis-type their password. At worst, they wouldn’t figure it out until they attempted to log into their account the next time they use your site, right? (You should be logging them in automatically when they sign up.) Well, the software has their email address, so we can easily email them a secure link to reset their password if things were to go awry.
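Dropping the confirm field only works if that reset link really is secure, so here is one way to build it, as an added example that is not code from this post: an unguessable token that is stored only as a hash, expires, and works once. The in-memory `store` dict, the 30-minute lifetime and the example.com URL are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 30 * 60              # assumed lifetime; the post names none
RESET_URL = "https://example.com/reset"  # placeholder URL


def _digest(token: str) -> str:
    # Only this hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(store: dict, email: str, now: Optional[float] = None) -> str:
    """Create a one-time reset token for `email` and return the raw token."""
    now = time.time() if now is None else now
    # A new request invalidates any token still outstanding for this address.
    for old in [d for d, rec in store.items() if rec["email"] == email]:
        del store[old]
    token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
    store[_digest(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def reset_link(token: str) -> str:
    """The link that goes into the email; the raw token appears nowhere else."""
    return f"{RESET_URL}?{urlencode({'token': token})}"


def redeem_reset_token(store: dict, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email the token was issued for, or None if it is not valid."""
    now = time.time() if now is None else now
    record = store.pop(_digest(token), None)   # pop makes the token single-use
    if record is None or now > record["expires"]:
        return None
    return record["email"]
```

The reset handler should answer the same way whether or not the address has an account, so the form does not reveal who is signed up.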

I would seriously like to see the logging stats larger companies have on the percentage of users who receive the “Aha! Just as we thought! Your passwords do not match! You’d better thank us now for putting in the confirm password input!” error. Out of all of the web forms I’ve filled out, I’m pretty sure I have only gotten it myself once or twice, and it was probably because I mis-typed my password in the confirm password box.

So I’m making it a point not to require someone to confirm their password when signing up. If it’s good enough for Facebook, who gets nearly 1 million sign ups per week, it’s good enough for me.

“What’s your email?” “What’s your password?” should be enough information to get someone up and running, then you can mine for more data as it’s pertinent to the experience. What a wonderful world that would be.