Use a password entry field when asking users to create an account or log in.
How to ask users to enter a password
Label the field ‘Password’ and state the password constraints up front, so users know them before they enter a password and not only when an error occurs.
You should help users who have forgotten their password. With stricter password constraints, passwords that are hard to guess can also be hard to remember.
When helping users who’ve forgotten their password, you should:
Send them a link or code to trigger a password reset.
Avoid password reset questions.
Avoid password reminders.
You should not:
Have overly complex password constraints. Users may forget their password if it’s too complicated.
Disable paste on password fields. People may have very good reasons why they want to paste their password, for example if they’re using a password manager.
Set a maximum password length.
Allow commonly used passwords.
Have password reset questions.
Have password reminders.
Example of error state
Please enter a password (If left empty)
Please enter a valid password (If password does not meet requirements)
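The guidance above can be expressed as a validator. This is an added example, not code from this design system: it returns the two error messages shown above, rejects commonly used passwords, and sets no maximum length. `MIN_LENGTH`, `COMMON_PASSWORDS`, `constraintHint` and `validatePassword` are assumed names and values chosen for illustration.

```javascript
// Added example, not the design system's own code.
const MIN_LENGTH = 8; // assumed minimum; the page does not state one

// Constructed sample blocklist; a real service would load a much larger list.
const COMMON_PASSWORDS = new Set([
  "password",
  "12345678",
  "qwertyuiop",
  "letmein123",
]);

// Hint text to show beside the 'Password' label before the user types anything,
// so the constraints are known up front and not only after an error.
function constraintHint() {
  return `Must be at least ${MIN_LENGTH} characters and not a commonly used password.`;
}

// Returns the error message for the input, or null when the password is acceptable.
function validatePassword(value) {
  if (typeof value !== "string" || value.length === 0) {
    return "Please enter a password";
  }
  // Count Unicode code points so a character such as an emoji counts once,
  // not as two UTF-16 units.
  const length = Array.from(value).length;
  if (length < MIN_LENGTH) {
    return "Please enter a valid password";
  }
  // Compare case-insensitively so "Password" does not slip past the blocklist.
  if (COMMON_PASSWORDS.has(value.toLowerCase())) {
    return "Please enter a valid password";
  }
  // Deliberately no maximum-length check and no character-class rules:
  // long passphrases and password-manager output must be accepted as typed or pasted.
  return null;
}
```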