Newskit Logo

Getting started

Design overview

Popular searches

View GitHub



Use a password entry field when asking users to create an account or log in.

How to ask users to enter a password


This should be labelled as ‘Password’ and we should clearly outline password constraints so users know the constraints before they enter a password and not just when an error occurs.

Forgotten passwords

You should help users who have forgotten their password, due to stricter password constraints, passwords that are hard to guess can also be hard to remember.

When helping users who’ve forgotten their password, you should:

  • Send them a link or code to trigger a password reset.

  • Avoid password reset questions.

  • Avoid password reminders.


  • Have too complex password constraints, users may forget their password if it’s too complicated.

  • Disable paste on password fields. People may have very good reasons why they want to paste their password, for example if they’re using a password manager.

  • Set a maximum password length.

  • Allow commonly used passwords.

  • Have password reset questions.

  • Have password reminders.

Error states

Example of error state

Please enter a password (If left empty)

Please enter a valid password (If password does not meet requirements)

Further detail

There is a more detailed breakdown of best practice for password entry on the Design System website here.

There is also further information on the UK's National Cyber Security Centre here.

Help improve this page

To help make sure this page is as useful as it can be, relevant and kept up to date with industry best practices, please get in touch to share your research findings, and contribute to this page.

Propose a change or contribution by suggesting a feature request.


Use the payment field when the business needs to take payment for a service.

Learn more about payment fields


Use the payment field when the business needs to take payment for a service.