Pattern for allowing a user to change his password. Should the user have to repeat the new password as well as enter the old password?

Question

There are lots of questions about recovering passwords on SO, but not about changing passwords considering one of the two following:

1) The user is authenticated in the system already (either through user/pw or through third part authentication e.g. facebook/twitter)
2) The user knows his or her old password.

Given these starting points, I have two distinct question as to what the best practice is for allowing a user to change his or her password in the fewest steps.

Scenario (user has already authenticated and logged into system):
Enter Old Password:_______ (1: can I get rid of this)
Enter New Password:_______
Enter New Again: _______ (2: can I get rid of this)

1) Is it ok to not have the user enter his old password? In this case I'm assuming the user is already authenticated into the system. It seems redundant to have the user re-enter the password. I understand this could be important for high security applications (e.g. banking) where a user leaving the a session unattended could allow someone to enter a new password without knowing the password that got them into this situations.

In the example I'm presenting, the application is not very high security and risk is low. Also, since we allow third part authentication (facebook/twitter) then theoretically if someone else was on the machine and the user had a live cookie for facebook/twitter, they could get into the account.

2) Is it ok to not have the user enter the new password twice. This feels a bit 90's-ish doing this. People are used to passwords now, and the 5% chance they type their password differently than they expect does not seem to outweigh the time spent typing it in twice. In that 5% scenario, the worst case is they just have to reset their password (or just login with facebook/twitter and reset it). One website that I found doing this now is Quora (though they still do step 1). I have not seen many others doing the same.

Answer 1

First, I would caution you to never, ever, ever, ever, ever assume the user is who he says he is, especially when it comes to changing the very key that allows them access to their account. It is a very well used method to always require a password authentication to edit the password.

As for entering the password twice, that is mostly done so on the back end you can compare the two passwords and make sure that they are identical. This is done to make sure that the user has intended to type the password as it is typed. The odds of making the same typo twice in a row are not likely, and as such if the two passwords are identical you can pretty well assume that they are typo free.

Personally I would much rather take 10 seconds out of my day to retype a password, instead of having to go through the hassle of realizing that I typoed my password, then having to reset my password, visit my email, revisit the website, and then re-enter my password. At the end of the day you still have to type it twice, the first method just is so much more streamlined.

And I would never allow a user to edit an authentication method, without having them verify the ability to use an authentication method in the first place. Some users leave their computers logged in while leaving their seats, which allows others to sit down and access private data, and if they have access to changing a password without needing to enter the current password, that opens the account to an easier chance of being abused.

Answer 2

About 1). I would not trust on a App that doesn't ask my old password when trying to change it, I prefeer the once in a while hassle of entering my old password than the risk that somebody changes it without me noticing, it doesn't matter to me if it's my bank account or just my grocery's list.

2) I've got my butt saved a couple of times with requiring to double type your password, it's easy to type a minor variant of your password and could be very harmfull, locking you out of your account.

You should take into account, that the users doesn't change their passwords that often, so the hassle pays off, i would keep the old formula of asking your last password and requiring you to type the new one twice.

Answer 3

one good reason to make them type in their old password is the case where the legitimate user got up and went to the bathroom, and a prankster decides to change eir password.

personally I don't mind typing the new password twice. perhaps some people do.

you can certainly choose to eliminate either or both steps, and it probably won't cause you too many headaches. but then it might.

IMO a better way to eliminate this username/password garbage is to do what SO did, and use OpenID, or other alternative authentication methods, like X509 certs.

Answer 4

To my understanding, the necessity for entering the old password is to prevent account hijacking in the case where users have accidentally left themselves logged in and left the account. Yes, in those cases the hijackers (usually somebody's friend who noticed that they left themself logged in on Facebook) will do things like post silly or offensive stuff, but at the very least, without the original password, they can't effectively lock out the original user.

In the second case, I don't think it's too inappropriate to ask the users to type the password a second time; for good passwords, they should be relatively complex, and therefore a little bit hard to type. Requiring the second entry is a little bit of a hassle, but not too unreasonable (IMO).