Common Practice

A while back Ben, of the always excellent Noisy Decent Graphics has posted an astonishing example of shoddy thinking on the part of the Design Week website on his blog.

There’s all sorts of way to help a user who has forgotten or lost their password, and each of them have their pros and cons, but Ben’s example got me thinking abut the number of websites that require a user to enter their old password in order to set a new one (even sites that get almost everything right, like the multi-Webby winning Flickr do it), and I realised that just because something is common practice, doesn’t mean it’s a good idea.

Here’s why I think it’s bad practice: if a user logged in to get to the password-changing option a user has already verified their identity to the site. Why should they need to do so again for this particular task, especially since they don’t have to for most others? If they’re a hacker, they presumably know the stolen password, and repeating it is no trouble. And if they’re a legitimate user, then they’re simply forced to jump through an unnecessary hoop.

There’s an argument to made that requiring the current password will help prevent accidental password changes, but given that most sites require the user to type the new password twice in order to confirm it (and those that don’t probably should) I think accidental changes are still unlikely, especially if the form is well designed, so that users can’t be confused about what is intended to happen.

Can anyone think of a reason why asking an already logged-in user to type their password in in order to change it is a good idea?

  • The Aardvark Book

    The Aardvark BookFind out more.

News

See all news articles .

Blog

See all blog articles .
Follow us.

Twitter

Ho hum - BBC News - Cookies: Majority of government sites to miss deadline