Account ‘Sign Up’: Ask to Confirm E-mail, Not Password

Always ask people to confirm their e-mail (rather than their password), since that’s the single most crucial piece of information to get right.

During account ‘sign up’, a misspelled password is annoying, whereas a misspelled e-mail address is hazardous.

More and more sites also use people’s e-mail address as their “username” for authentication. This makes a lot of sense: e-mail addresses are unique, you often need one anyway, people have an easier time remembering their e-mail address than an arbitrary username, etc.

However, on most of those sign-up forms, I’ve noticed a very peculiar tendency – to the point where it is almost a standard – people are asked to confirm their password but not their e-mail address. To this day this still baffles me – surely getting the e-mail correct is more important than getting the password correct. After all, people can always use the “Forgot password?” feature if they misspelled their password – annoying for sure, but hardly a complete deal breaker to anyone serious about the service.

Imagine for a second that a user misspelled his e-mail during sign up. How can support look up the account if they don’t have the correct e-mail address? And even if they somehow manage to find the misspelled e-mail address, how can they be sure it was misspelled and not just someone else with a very similar e-mail address? In this case, letting the user back in will require a lot of work from support to actually verify ownership of the account.

Facebook gets it right. They make sure your email address is correct above anything else.

Of course, one of the reasons you often ask for password confirmation is that the input is masked with dots, so misspelling it is easy. There are many ways to get around this problem (e.g. letting people unmask their password), and I’m not even saying that password confirmation is a bad idea. However, getting the user’s e-mail address right is still more important, since getting it wrong could potentially cut the user off from his account entirely.

In other words, why would anyone ask people to confirm their password but not their e-mail address? If you want anything confirmed, start with the e-mail. Also want the password confirmed? Fine, although that is a lot of re-typing.

A misspelled password is annoying. A misspelled e-mail address is hazardous.

Authored by Jamie Appleseed

Published on June 16, 2011

But if you, like me, just copy the e-mail address from the first field and paste it into the second field, you still have the problem.

I agree that people tend to do that. However, you do have to select the text again, and even if you don’t really want to, you probably take another look, thus reducing the chance of error.

Hi Lars, and thanks for your comment.

As John Black mentions, you’ll probably take another look while copying your email.

However, a better solution is to disable the paste-functionality in the confirmation field.

In fact, during our usability test on the checkout report, we frequently saw people copy/pasting their e-mail into confirmation fields and sometimes they copied a misspelled e-mail address. However, one of the test sites (Nordstrom) had disabled the paste-functionality and did in fact catch a test subject’s misspelling this way.

So you’ll definitely want to use javascript to disable people’s ability to paste data into confirmation fields, because otherwise they will – as you yourself mention – be of little value.

Agreed… Rather than having a user confirm his password, one should rather check for his email id. Because if an incorrect email id is registered, you will not be able to get that username again :(

Ask to confirm neither. Show them the details they entered on the confirmation screen instead, and offer the chance to amend the details if they’re incorrect.

I like the idea, although I don’t think it would catch as many misspellings. Signing up is a necessary evil, a way to get on “the other side” and actually start using the application. So I’m afraid people would be in a rush to try out the application and not pay proper attention to validating their details. But it could be interesting to test this.

The “repeat password” thing is just because the password is obscured, and it’s easier to make a mistake than if you can see what you are writing, as is the case with the email field… Basically, writing it a second time just confirms you wrote what you intended to write.

I guess the reason why email is not repeated is because we actually can see what we type. But often our password is masked with * or dot. We don’t really want to waste up screen area just for something that can be made sure easily. Correct me if I am wrong. :)

I agree about the potential problem of copying/pasting e-mail, but let us remember the common auto-typing features in almost every modern browser, which almost always make e-mail typing unnecessary…

And what about letting the user see what he/she is typing as password in real letters and numbers, instead of bullets? Usually, the password setting is made in private environments, and letting the user view what he/she is typing makes sense. We could even make him/her switch to bullets with a clever checkbox.

Well, these days, where many sites require email id for usernames, people mostly use their regular email ids to sign up which they use on daily basis for their emailing needs. So the chances of mistyping it are almost negligible (I think).

But in case of passwords, although we provide the same email ids, we may use different passwords on different sites. That’s why confirmation is required for passwords.

I agree with Craig, it would be a nice feature to show a confirmation of important filled details before submit or on change focus from those fields.

I don’t even think there is a need to confirm anything through the form. Once the user has entered an email, why can’t we just send him a letter with some confirmation link (as is commonly the case even if we entered both password and/or email twice on some forms)? On some systems where actual privacy is not the main feature (systems that do not keep any private data, financial or other security details) we can also skip the password field and only ask the user to enter an email (once ;-) ). Less is more.

We echo the password in a larger font near the submit button (e.g. (not in an input field). People are pretty good at quickly spotting if their address is incorrect. All the other details they can fix after signup (name, password, etc aren’t crucial).

The actual point is simpler than this. It’s tedious to have to duplicate your email address which you know and are used to typing correctly.
I don’t know a single person who doesn’t copy and paste their email address from the first box into the confirm email box, thus defeating its purpose, and if copy/paste was defeated to prevent this it would simply piss off the user even more.

Yes, in logical order of importance the email address is most important, but I’m sure the answer to why it’s the password that is usually asked for twice lies in both the fact that it is in most cases obscured, and you MAY also be creating a new password and you don’t want to forget it.

I respectfully think you have reached the wrong conclusion. If anything is changed from the repeating password scenario it should be not repeating anything.

This happened to my girlfriend once, during pre-registration at her highschool this year (it was a web-form) she had to enter her email and a password.

But because numlock was turned off and she didn’t notice it, she typed in the wrong email. After the registration process was finished you get asked to review the data you entered, and it gets printed out. Only once she was back home did she notice on the printouts that she had entered an incorrect email address.

To get it changed we had to call the help desk the next Monday, and as soon as you signed up a mail got sent to the email address containing the login details and a URL to log in.

According to me signing up forms/user systems should contain following:

  • a large enough email-field
  • (perhaps a “repeat your email” field)
  • visual feedback when a correct email address is entered, for example a green border, or a shiny icon next to the field. This draws the attention of the user, just because of an animation
  • an option to change the email address should be always present, unless it’s a webmail service!
  • Never send the password through email, unless it’s an only-email-required signup form where a randomly generated password is sent to the email (then also include a link that automatically logs in the user)

I guess I could continue the list, but those were just some experiences I had when developing/using user systems.

The “Confirm Email” field only ever came about because people saw the “confirm password” field and WRONGLY assumed that it was to do with importance. As many people have pointed out, the password field needs to be confirmed as it has masked user input. There is absolutely NO justification for a “confirm email” field as users should be checking their input before clicking next. The only thing this is not possible for is the masked password field. I have been writing websites for over 15 years and this is one of the recent trends that really gets my goat. It forces unnecessary input (which is normally copied and pasted anyway, negating any positive use) and goes against the golden rules of web programming. You mentioned disabling “paste” functionality. To actually do this and make it cross-platform requires a horrible amount of code, unless you’re referring to a “no-right-click” script (doesn’t stop pasting from keyboard, edit menu, keyboard context-menu button, browser specific features, password managers etc…)

I have an issue with comments such as “users should be checking their input” and any other comment where we put the responsibility of accuracy with the customer.

Of course users SHOULD check their input, but the point is they don’t always. People sign up fast, and precisely BECAUSE our email address is one of the things we type the most often, it’s one of the most likely places for us to make a mistake.

I don’t agree that we should punish the user for having mistyped his email by making him go through the trouble explained above to have that email address changed. We’re supposed to make it easier for the user to interact with our site, not harder. The headache of changing the email address is huge, compared to the hassle of taking 3 seconds to copy/paste the email a 2nd time.

Here’s how I see it. When we complete a form and our cursor is in the 1st email field, we will type it (usually very fast) and power users will hit “tab” to get to the next field. By then, our eyes have already moved on to that next field, and if we’re in a hurry, will never focus back on that first field again.

However even if people simply copy / paste the email into the second field, that’s fine, because in order to do it, our eyes are focused on that second field and what’s being pasted as we hit “CTRL+V” and are more likely to spot the typo (especially since our eyes are used to seeing our email address, a typo is quickly spotted).

Personally, I am always annoyed if I need to repeat my e-mail address, not If I need to repeat a masked password. If copy/paste is disabled, my annoyance mostly gets bigger.

The only way to really make sure the entered e-mail address is correct is by sending a verification e-mail the user needs to confirm.

I agree this is an additional step that will make some users stop the registration process but both from a data quality and anti-spam point of view this can be necessary (business requirement). It definitely makes your registration form or flow more complex and less usable but on the other hand can increase the (perception of) quality and security of your overall service as well.

Possible alternative solution:
Technically your application can ask a mailserver if the address exists on its server. That could solve all our problems. However, a lot of mailservers don’t support this option. Depending on the number of addresses that can be checked, you could extend your application and make a different flow depending on the result of the check. If the result is OK, then the user is done. A failing check can be caused either by a typo or by the feature not being supported on the mail-server. Different errors are thrown so your feedback to the user can be fine-tuned. So, depending on the scenario, you can ask the user to double-check his e-mail address and / or start an additional verification flow by e-mail.

I have never integrated this myself into a flow and I am still looking for an example but you can already try the e-mail verification at
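The verification e-mail suggested in the comments above, sketched as an added example (not code from the article or its commenters): a signed, expiring token that activates an account only for the exact address the link was mailed to. The secret, the 24-hour lifetime, the token layout and all function names are assumptions.

```javascript
// Added example (Node.js standard library only); names and values are hypothetical.
const crypto = require('node:crypto');

// Assumption: in production SECRET comes from server configuration.
const SECRET = crypto.randomBytes(32);
const TTL_MS = 24 * 60 * 60 * 1000; // assumed 24-hour link lifetime

// Assumption: addresses are compared trimmed and case-insensitively.
function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Token = base64url(JSON claims) + "." + HMAC over the encoded claims.
function issueToken(accountId, email, now = Date.now()) {
  const claims = { id: accountId, email: normalizeEmail(email), exp: now + TTL_MS };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

function verifyToken(token, currentEmail, now = Date.now()) {
  const [payload, mac] = String(token).split('.');
  if (!payload || !mac) return { ok: false, reason: 'malformed' };
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Claims are parsed only after the signature has been checked.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (now > claims.exp) return { ok: false, reason: 'expired' };
  // A link mailed to a mistyped address must not verify a corrected one.
  if (claims.email !== normalizeEmail(currentEmail)) {
    return { ok: false, reason: 'email-changed' };
  }
  return { ok: true, accountId: claims.id };
}
```

Until `verifyToken` succeeds the account stays unverified, so a mistyped address that happens to belong to someone else never becomes a working login or password-reset destination.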

Our org already has email validation in place when a person creates an account, but we frequently receive email questions from the public (non members) using our Contact Us form, where the user has incorrectly entered their email address. We go to the time to consult all of our resources and prepare a response, only to have it bounce back due to the incorrect email address the person entered. We have now added the second “Confirm your email address” field, but would prefer to have it set up so that (also like Nordstrom mentioned above) when a person goes to fill the “confirm” field, that they’re not offered previously entered addresses to choose from, but will need to retype the email address. I realize that it can be annoying to have to retype an email address, but in some instances it appears to be a necessary evil. Can anyone tell me if the code to prevent the computer from offering previously entered data is difficult?
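For the question above, and for the earlier reply recommending JavaScript to stop pasting into confirmation fields, here is an added example (not code from the article, its commenters, or any of the sites mentioned). The element ids `email` and `email-confirm` and all function names are hypothetical.

```javascript
// Added example: wiring an e-mail confirmation field. Ids and names are hypothetical.
function normalize(value) {
  // Assumption: addresses are compared trimmed and case-insensitively.
  return value.trim().toLowerCase();
}

function emailsMatch(email, confirmation) {
  const a = normalize(email);
  return a !== '' && a === normalize(confirmation);
}

function guardConfirmField(emailField, confirmField, onMismatch) {
  // Ask the browser not to offer previously entered addresses for this field.
  confirmField.setAttribute('autocomplete', 'off');
  // The 'paste' event fires for keyboard, context-menu and edit-menu pastes
  // alike; 'drop' covers dragging the text across from the first field.
  for (const type of ['paste', 'drop']) {
    confirmField.addEventListener(type, (event) => event.preventDefault());
  }
  // Compare both fields when the user leaves the confirmation field.
  confirmField.addEventListener('blur', () => {
    const ok = emailsMatch(emailField.value, confirmField.value);
    // A non-empty custom validity message blocks native form submission.
    confirmField.setCustomValidity(ok ? '' : 'The two e-mail addresses do not match.');
    if (!ok && onMismatch) onMismatch();
  });
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  const emailEl = document.getElementById('email');
  const confirmEl = document.getElementById('email-confirm');
  if (emailEl && confirmEl) guardConfirmField(emailEl, confirmEl);
}
```

Client-side checks are easy to bypass, so the server should repeat the comparison when the form is submitted.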

What if you’re like me and your computer just saves your info in a cookie and you click that from the drop-down menu, making confirming your email not needed at all?

There are so many places that ask for your email address but no ID and when you come back to sign in they ask for ID and won’t accept email address. What gives here? It doesn’t make sense.

I still, despite all the arguments above, do not see why there is a need to repeat my e-mail address. I believe that the e-mail address is just a means by which firms can send me junk/spam e-mail, and I do not want to encourage them! I would be much more worried about getting my bank account number or sort code, address, telephone number, date of birth, etc., wrong, but the e-mail address is likely only to be used by me for a sign-up and nothing else, as my user I. D. would be my means of access to my account.

I accept that a lot of organizations now require a person’s user name to be his e-mail address (what a pity that that does not apply to things like YouTube!), but the whole idea seems to be to make life easier for the business, not the customer. Is this why the practice still continues?

Also, it does encourage conspiracy theory-type questions, like, where does the 2nd entry of my e-mail address go to? Are the powers that be checking which sites I sign up to?

Please desist!!

My concern is not the email address, but why do they need my password for my email? I won’t join or anything with a site that wants my password. You know, the password I use to access my email. There is no reason they need it.

Any web form that requires me to supply an email address twice (and assumes I can’t type it correct the first time), I immediately close out of and go somewhere else. I will not tolerate the assumption of idiocy.

I want a password that I want, not one you want. I don’t even want any security