Comments on: Do not burden your users with validations

By: Rhett

Rhett — Sun, 13 Sep 2009 21:00:18 +0000

Tim: I definitely agree that sign up forms should be short. I often copy and paste the confirmation fields myself.

To build upon your Jakob Nielson quote, I think masking by default would be the way to go in this scenario.

If the password is not masked by default then I am assuming you would be using a textfield input with a type value of “text”. Presumably, this would allow the password to be cached in the user’s autocomplete field in plain readable text. The next user might be able to arrow down on the autocomplete field and view the password.

On the other hand, if the password is masked by default, then you are probably using an input with a type value of “password” and then using JavaScript to turn it to an input type of “text” after the checkbox is clicked.

Is that what you’re thinking? I’m not necessarily opposed to the idea, but I think that masked passwords are a convention that users are comfortable with. It seems like superfluous work to me and if you add a bunch of checkboxes, like “unmask password” and “remember me next time,” your login form begins to take up more real estate. That wouldn’t matter in a dedicated login page, but if you want your login form to be in the header of the website, the design might get a little cramped. Just my 2 cents.

By: Tim Case

Tim Case — Sun, 13 Sep 2009 15:51:16 +0000

Rhett: On the applications I work on there is a strong concern about losing users due to a complicated sign up so we do everything we can to minimize required fields and we try to delay sign up until later in the process. Adding more fields to the signup for a person who mistypes both their email address and their password isn’t important to us.

Security is subjective, and you’ll need to apply judgement as to whether usability or security is a bigger concern for the application that you are working on.

“Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there’s a tension between security and usability, sometimes security should win.” — Jakob Nielson

By: Rhett

Rhett — Sat, 12 Sep 2009 18:08:22 +0000

Harry: If you don’t require the user to confirm their password, do you require that they confirm their email address? One of the two probably needs to be confirmed. If they mis-type their email address, the “forgot password” feature will be useless.

Tim: I definitely do not like the idea of using an unmasked password. Too much of a security risk. Imagine if you were using an ATM and your PIN number was visible to all the people standing in line behind you. Maybe your Facebook account isn’t as valuable, but it would certainly seem to indicate a laxness of security standards that your future clients may not be comfortable with.

By: Mike

Mike — Sun, 06 Sep 2009 18:50:56 +0000

The validatable gem allows validations to before performed sequentially so that multiple error messages aren’t shown at once. Perhaps not so useful for rails yet, but it’s a nice solution to the problem your post discusses.

http://validatable.rubyforge.org/

By: Hugo Baraúna

Hugo Baraúna — Wed, 02 Sep 2009 13:09:55 +0000

Thanks Tim! I hope we can always see your comments here.

See ya! =)

By: Tim Case

Tim Case — Wed, 02 Sep 2009 12:50:22 +0000

Err sorry Hugo the post excellent!