Oct 10, 2011

UI: Entering a new password

Little Big Details today showed the form used on Pinboard when entering a new password, where the field for the new password appears only once and uses very light grey text.

Traditionally, a form will ask you to enter your new password twice, and both fields will be masked with • bullets. The form will ask for the new password a second time in case you unknowingly made a typo the first time. In this case the two fields will not match, so the form can warn you about the typo and ask you to try again. If it only asked for the new password once with a masked field, a typo could go undetected until you try to log in—the correct new password, lacking the typo, would not be accepted. Pinboard’s form solves this by ensuring that you can read back your new password to verify its correctness.

(Incidentally, I have a silly, irrational fear with forms of this type that I will make the same typo both times I enter the password, and so still be unable to log in when entering the password correctly.)

The goal behind masking passwords is, of course, to prevent them being disclosed through shoulder surfing. Pinboard’s light grey text makes it harder to read the password from a distance than if it were darker, but it’s still quite possible. And yet the text is light enough that it will be difficult to read for many users, especially with varied lighting conditions and monitor colour reproduction.

Interestingly, the traditional form with two masked fields has an unexpected benefit, albeit slight. While the intention of the two fields is to prevent typos, by having the user type their password twice without being able to see it, it also begins to train their muscle memory. Having typed the password twice without seeing it, you begin to learn the physical pattern of the letters on the keyboard. It is quite possible to know a password better physically than by letters. I can type most of my passwords rapidly, but have difficulty recalling the actual spelling of them.

About
@adurdin is thinking aloud.