This question with a similar name refers to registration, but in my case, I would like to address submission.
My use cases are:
- A login form consisting of an email address.
- A change password form where the user enters his new password twice to change his password.
Assumptions:
- The user has javascript enabled, so we can use AJAX and perform inline form validation. There is then no security risk of sending the password back to the users to re-render the form.
The password field can fail for several reasons:
In the login form, the password is blank or the password/email combination is incorrect.
In the change password form, the password does not meet password requirements (minimum length, etc).
In the change password form, the repeated password does not match the password.
In the change password form, a blank password field exists.
Currently, I have the following behavior:
- In the change password field, once the password is successfully changed, the passwords fields are blanked out as there is no point keeping them around, and we prepare "clean" fields in case the user wants to change the password again.
Should I also blank the fields for the other failure modes? For example, when using change password fields and setting a password like "123456" and the form returns "You need to have at least a letter in your password", I could just go the beginning of both builds and add "a", resulting in "a123456". This probably defeats the purpose of secure passwords, but it is a lot faster than typing "a123456".
Are there any established guidelines for this?
No comments:
Post a Comment