Is there a problem with hiding “forgot password” until it's needed?












33















To be honest, I don't really see any use for the "forgot password" button/link unless the user put in a wrong password before. In my current project, we need as much space as possible and I was thinking about showing it only when needed. My colleague talked about "Accessibility"-reasons why it is not possible, but also couldn't give me a real argument.



What is your take on it?










share|improve this question









New contributor




hans wrust is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 35





    @IrwinAllen13 Splitting the user name and password fields across 2 pages is really irritating for the user and complicates things for no benefit.

    – Hobbes
    23 hours ago






  • 14





    This sounds like one of the levels of the H-word from the Hyundai Super Bowl commercial. If you put in the wrong password twice, closed your browser/app, then you would have to put it in wrong a third time and lock your account in order to be given the option to avoid locking your account?

    – MonkeyZeus
    23 hours ago








  • 15





    It caused a poor user experience for at least one user (me). Longer load times and more operations needed are not subjective issues, they are easily measurable. Given the idiotic UI decisions made routinely by the likes of Microsoft and Google, I don't consider "MS/Google are using it" an endorsement.

    – Hobbes
    22 hours ago






  • 20





    I think you have that backwards. If I enter a password, that means I have some idea what the password is (maybe I got confused with the password from another site, or I can't remember one of the characters) and likely will be able to get it after a few more tries. If I've completely forgotten what my password is, I'm not going to enter a random string of characters hoping it's right. And if "forgot password" takes up too much space, "help" is slightly more than one fourth the size. Would that fit? Or just a question mark.

    – Acccumulation
    20 hours ago








  • 6





    @MonkeyZeus Google does this because on 'password step' they may need to redirect you to authenticate on some third-party (corporate) website instead of supplying your password to Google. Think of Google Apps.

    – user11153
    20 hours ago
















33















To be honest, I don't really see any use for the "forgot password" button/link unless the user put in a wrong password before. In my current project, we need as much space as possible and I was thinking about showing it only when needed. My colleague talked about "Accessibility"-reasons why it is not possible, but also couldn't give me a real argument.



What is your take on it?










share|improve this question









New contributor




hans wrust is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 35





    @IrwinAllen13 Splitting the user name and password fields across 2 pages is really irritating for the user and complicates things for no benefit.

    – Hobbes
    23 hours ago






  • 14





    This sounds like one of the levels of the H-word from the Hyundai Super Bowl commercial. If you put in the wrong password twice, closed your browser/app, then you would have to put it in wrong a third time and lock your account in order to be given the option to avoid locking your account?

    – MonkeyZeus
    23 hours ago








  • 15





    It caused a poor user experience for at least one user (me). Longer load times and more operations needed are not subjective issues, they are easily measurable. Given the idiotic UI decisions made routinely by the likes of Microsoft and Google, I don't consider "MS/Google are using it" an endorsement.

    – Hobbes
    22 hours ago






  • 20





    I think you have that backwards. If I enter a password, that means I have some idea what the password is (maybe I got confused with the password from another site, or I can't remember one of the characters) and likely will be able to get it after a few more tries. If I've completely forgotten what my password is, I'm not going to enter a random string of characters hoping it's right. And if "forgot password" takes up too much space, "help" is slightly more than one fourth the size. Would that fit? Or just a question mark.

    – Acccumulation
    20 hours ago








  • 6





    @MonkeyZeus Google does this because on 'password step' they may need to redirect you to authenticate on some third-party (corporate) website instead of supplying your password to Google. Think of Google Apps.

    – user11153
    20 hours ago














33












33








33


4






To be honest, I don't really see any use for the "forgot password" button/link unless the user put in a wrong password before. In my current project, we need as much space as possible and I was thinking about showing it only when needed. My colleague talked about "Accessibility"-reasons why it is not possible, but also couldn't give me a real argument.



What is your take on it?










share|improve this question









New contributor




hans wrust is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












To be honest, I don't really see any use for the "forgot password" button/link unless the user put in a wrong password before. In my current project, we need as much space as possible and I was thinking about showing it only when needed. My colleague talked about "Accessibility"-reasons why it is not possible, but also couldn't give me a real argument.



What is your take on it?







login password dynamic-ui






share|improve this question









New contributor




hans wrust is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




hans wrust is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 13 hours ago









DxTx

1035




1035






New contributor




hans wrust is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









hans wrusthans wrust

17724




17724




New contributor




hans wrust is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





hans wrust is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






hans wrust is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 35





    @IrwinAllen13 Splitting the user name and password fields across 2 pages is really irritating for the user and complicates things for no benefit.

    – Hobbes
    23 hours ago






  • 14





    This sounds like one of the levels of the H-word from the Hyundai Super Bowl commercial. If you put in the wrong password twice, closed your browser/app, then you would have to put it in wrong a third time and lock your account in order to be given the option to avoid locking your account?

    – MonkeyZeus
    23 hours ago








  • 15





    It caused a poor user experience for at least one user (me). Longer load times and more operations needed are not subjective issues, they are easily measurable. Given the idiotic UI decisions made routinely by the likes of Microsoft and Google, I don't consider "MS/Google are using it" an endorsement.

    – Hobbes
    22 hours ago






  • 20





    I think you have that backwards. If I enter a password, that means I have some idea what the password is (maybe I got confused with the password from another site, or I can't remember one of the characters) and likely will be able to get it after a few more tries. If I've completely forgotten what my password is, I'm not going to enter a random string of characters hoping it's right. And if "forgot password" takes up too much space, "help" is slightly more than one fourth the size. Would that fit? Or just a question mark.

    – Acccumulation
    20 hours ago








  • 6





    @MonkeyZeus Google does this because on 'password step' they may need to redirect you to authenticate on some third-party (corporate) website instead of supplying your password to Google. Think of Google Apps.

    – user11153
    20 hours ago














  • 35





    @IrwinAllen13 Splitting the user name and password fields across 2 pages is really irritating for the user and complicates things for no benefit.

    – Hobbes
    23 hours ago






  • 14





    This sounds like one of the levels of the H-word from the Hyundai Super Bowl commercial. If you put in the wrong password twice, closed your browser/app, then you would have to put it in wrong a third time and lock your account in order to be given the option to avoid locking your account?

    – MonkeyZeus
    23 hours ago








  • 15





    It caused a poor user experience for at least one user (me). Longer load times and more operations needed are not subjective issues, they are easily measurable. Given the idiotic UI decisions made routinely by the likes of Microsoft and Google, I don't consider "MS/Google are using it" an endorsement.

    – Hobbes
    22 hours ago






  • 20





    I think you have that backwards. If I enter a password, that means I have some idea what the password is (maybe I got confused with the password from another site, or I can't remember one of the characters) and likely will be able to get it after a few more tries. If I've completely forgotten what my password is, I'm not going to enter a random string of characters hoping it's right. And if "forgot password" takes up too much space, "help" is slightly more than one fourth the size. Would that fit? Or just a question mark.

    – Acccumulation
    20 hours ago








  • 6





    @MonkeyZeus Google does this because on 'password step' they may need to redirect you to authenticate on some third-party (corporate) website instead of supplying your password to Google. Think of Google Apps.

    – user11153
    20 hours ago








35




35





@IrwinAllen13 Splitting the user name and password fields across 2 pages is really irritating for the user and complicates things for no benefit.

– Hobbes
23 hours ago





@IrwinAllen13 Splitting the user name and password fields across 2 pages is really irritating for the user and complicates things for no benefit.

– Hobbes
23 hours ago




14




14





This sounds like one of the levels of the H-word from the Hyundai Super Bowl commercial. If you put in the wrong password twice, closed your browser/app, then you would have to put it in wrong a third time and lock your account in order to be given the option to avoid locking your account?

– MonkeyZeus
23 hours ago







This sounds like one of the levels of the H-word from the Hyundai Super Bowl commercial. If you put in the wrong password twice, closed your browser/app, then you would have to put it in wrong a third time and lock your account in order to be given the option to avoid locking your account?

– MonkeyZeus
23 hours ago






15




15





It caused a poor user experience for at least one user (me). Longer load times and more operations needed are not subjective issues, they are easily measurable. Given the idiotic UI decisions made routinely by the likes of Microsoft and Google, I don't consider "MS/Google are using it" an endorsement.

– Hobbes
22 hours ago





It caused a poor user experience for at least one user (me). Longer load times and more operations needed are not subjective issues, they are easily measurable. Given the idiotic UI decisions made routinely by the likes of Microsoft and Google, I don't consider "MS/Google are using it" an endorsement.

– Hobbes
22 hours ago




20




20





I think you have that backwards. If I enter a password, that means I have some idea what the password is (maybe I got confused with the password from another site, or I can't remember one of the characters) and likely will be able to get it after a few more tries. If I've completely forgotten what my password is, I'm not going to enter a random string of characters hoping it's right. And if "forgot password" takes up too much space, "help" is slightly more than one fourth the size. Would that fit? Or just a question mark.

– Acccumulation
20 hours ago







I think you have that backwards. If I enter a password, that means I have some idea what the password is (maybe I got confused with the password from another site, or I can't remember one of the characters) and likely will be able to get it after a few more tries. If I've completely forgotten what my password is, I'm not going to enter a random string of characters hoping it's right. And if "forgot password" takes up too much space, "help" is slightly more than one fourth the size. Would that fit? Or just a question mark.

– Acccumulation
20 hours ago






6




6





@MonkeyZeus Google does this because on 'password step' they may need to redirect you to authenticate on some third-party (corporate) website instead of supplying your password to Google. Think of Google Apps.

– user11153
20 hours ago





@MonkeyZeus Google does this because on 'password step' they may need to redirect you to authenticate on some third-party (corporate) website instead of supplying your password to Google. Think of Google Apps.

– user11153
20 hours ago










6 Answers
6






active

oldest

votes


















178














Let me try to paint a picture to explain why your comment below is a huge oversight.




Tbh I don't really see any use for the "forgot password" button/link, unless the user put in a wrong password before.




Imagine a scenario where the users come to your application after a while and they don't remember the password. It means, they already know that an account exists but they haven't used it in a long time so they have definitely forgotten the password.



In this scenario, the first thing they'd do is ... ?



They will look for a password recovery option which is something in the lines of a "Forgot Password" option.



In such a condition, the user hasn't put in a wrong password yet, but they need that option



Your colleague is absolutely right about accessibility. Hiding critical actions and information selectively is a very bad practice.






share|improve this answer



















  • 44





    Indeed - to make the thought process on the user's side more explicit: Some users will, if they don't know the password, not dare to try and input anything. And, as opposed to other irrational fears about that magical computer-thing, this one is even slightly justified as (usually, repeated) wrong input of a password may result in (semi-)permanently locking the account.

    – O. R. Mapper
    yesterday






  • 13





    Agreed. Based on my own experience, hiding the Forgot Password option at first would likely result in an increased number of calls/emails to your customer support contact point, because people unable to find the link will reach out for a human to help. You don't notice until you do this sort of thing exactly how many people just rely on "forgot password" to constantly reset their password, rather than simply remember their password.

    – Steve-O
    21 hours ago






  • 4





    @O.R.Mapper I don't like entering wrong passwords because I'm convinced that the site is harvesting passwords for other sites.

    – JPhi1618
    21 hours ago






  • 2





    @JPhi1618: I don't understand. If that should be the case, adding bogus data to the password collection sounds like a good thing to me.

    – O. R. Mapper
    21 hours ago






  • 2





    Another scenario is that the user suspects that their credentials are compromised and just wants to reset them immediately.

    – Lorentz Vedeler
    21 hours ago



















34














It's a very bad idea to not show the link. You should always give the user the option, even if they are likely to try a few passwords first.



How about an example - what if you have a password manager, and your credentials for this site is somehow lost/missing from your password manager?



You have no idea what the password is, as it will likely be some random combination of letters, numbers, characters, etc., and therefore will want to reset it straight away.






share|improve this answer































    1














    Globally Consistent Convention Versus Design "Wants"



    There is always weight towards convention in user experience/interface design for numerous reasons, but crucial systems where there is a safety/security element are ones where that should be given even higher than normal priority.




    In my current project we need as much space as possible




    Your reason for wanting to try breaking with a globally (externally) consistent pattern is essentially "we're lacking space".



    Others have explained certain aspects of why this is a pattern you shouldn't break from specifically in relation to the element you're asking about. Those are great answers and this is merely meant to be a supplemental piece in addition to them. I want to address why you feel the need to break from convention in the first place and advise that you circle back to this encompassing design issue as the real reason you tried finding something to cut at all, and what therefor instead needs to be addressed.



    Needs vs Wants



    My simplest advice would be this: when dealing with anything related to security or safety, I recommend you consider conventional design components and layouts to be "needs" and your contravening design level issues to simply be "wants": if you can come up with a hard need related to the core purpose of the interface (for example: people are misclicking on a UI element and it is causing authentication issues), then it can be properly weighed against the various reasons already behind the conventional design needs (such as, if we move these elements to avoid misclicks, does it cause a worse issue to emerge that was already foreseen in the current design, making this a necessary evil), but until it arrives at that point it is merely a want and can generally be considered lower precedence.



    Generally speaking, a login page/screen/modal should have as little extraneous information going on as possible, both for the sake of usability but also potentially for the sake of security (for example, avoid loading external resources where possible here). If you have a space issue on your login interface, something is almost certainly "wrong" with the encompassing design (even if this is an embedded interface of some kind). It's impossible to speculate about what per se the problem is without any related information, but I'd strongly urge you to stop trying to look for ways to break from convention here and instead look at how you can refactor the design of this interface to better fit with conventional login interface paradigms, even if it means that this screen does not perfectly match the design templating of other screens (I'd absolute advise that you keep at least related elements consistent: brand logos, colors, etc, but simply find ways to cull elements and/or reduce whitespace areas/etc that are not necessary for a login screen).



    Login interfaces in particular have numerous usability concerns which overlap with security concerns, and breaking with conventional design--beyond the generalized usability reasons to try to stick with common convention due to related user knowledge/expectations--can have severe security implications here that are not always immediately foreseeable: don't break from convention simply to satisfy having seemingly backed yourself into a design corner where something "doesn't look nice" or "doesn't fit": re-examine the surrounding design itself so that it can encompass the conventional interface/component layout. If you have a specific need or reason to change the design related to a functionality change, that would be worth exploring (but will most likely result in the same outcome, per the other answers).



    More simply put:



    If "everyone" else can fit a login dialog with a password reset link into their login screen, what have you done that makes doing so a difficulty for you? Look to that for something to change first.



    "If it ain't broke, don't fix it" simply because something else is broke with it in it. Re-align your thinking as to what the issue is.





    As a quick example of why it's a good idea to stick with convention particularly in circumstances where mistakes may result in worse implications than simply someone not being pleased with the flow, or the aesthetic (short of a direct functional reason to change from it, with careful exploration of related consequences): what happens if you were to reverse the order of the username and password fields? Let's say it's for a web page: ideally everything is coded correctly so every aspect of this goes across HTTPS as POST fields. What if, in trying to get clever, someone loaded a "reset password" link with the username as a get parameter (querystring)? So what happens when someone tries logging in, puts their credentials in in reverse of the input fields, and then without paying enough attention clicks the "reset password" link... and that happens to be a non https page/endpoint?



    Even if it's https, that url with querystring is now in the server logs most likely. Which ideally are secure. And ideally there's no association now with a specific account. But it's one more potential place for that to leak.



    What happens if someone tries entering their parameters in reverse during a presentation? This happens even with standard configurations by simple user error (accidental tab/etc), but how often would it happen if the fields were reversed? If there's a malicious actor in the audience, do they get kicked out if they manage to log in during the timeframe between the accidental password reveal and the user resetting their password, or can they keep navigating within the application? etc.





    Aside: On Accessibility



    (I'm writing this in relation to an assumption of this being in a web page, but similar accessibility concepts/constructs exist in other interfaces)



    FYI, this might not be an accessibility issue if this is a webpage that you submit with the submit action being that it loads the same page again from the server with the related markup of a login attempt that did not authenticate alongside a link to the password reset.



    Where this becomes a possible accessibility issue is that if this is dynamically AJAXed, such that it sends the results to the server via client side scripting and then updates the page without reloading it, you may require ARIA tagging (most likely as live regions, and you'll need to carefully consider how much/what you mark as live regions versus not) to allow screen readers to update properly regarding the submission error and the availability of the link.



    Particularly with screen readers, it's important to keep in mind that updates to parts of the page that aren't being interacted with can be very non obvious, especially if the person accessing the page has already explored those areas and formed a mental model in relation to them where they no longer anticipate related information being present there. In turn, it requires careful consideration (and actual testing!) to not create a circumstance where dynamic updates create an overwhelming level of immediate feedback via added aria-live decoration (while keeping a flow that allows people to reach related updated information intuitively), and you also need to pay attention to what the dynamic updates do in various screen readers in terms of cursor location changes, if any.






    share|improve this answer

































      0














      If someone forgets there password they will first look for a forget password so this would just waste the user's time, annoying them causing them to want to leave. Also some people will use the change password to find out a username that they have forgotten so this would force then to try and remember it, annoying them. Finally some users will use the password reset to change the password, this will annoy them as most other sites will do this.
      When designing a application/website it is all about making any action easy and fast. Hidding the forgot password button makes it harder and slower. This should never be done.






      share|improve this answer








      New contributor




      Haz001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




























        0














        This needs to be answered alongside the context in your question:




        we need as much space as possible




        I don't know what your login page looks like or why you so desperately need the space, but assuming you do, then yes, an easy thing to cut is a Forgot Password link on the first login page. It's not ideal, and you will probably lose users that come back after a while and don't want to guess a password. You need to balance that and other UX options with your need for real estate.



        A more holistic approach to the problem is sharing your current login screen and its detailed space requirements. There are ways to indicate actions to users without a giant text span, and likewise there is probably a better way to solve your problem without hiding functionality.






        share|improve this answer































          -2














          14L3jrwgsSohY27kVkNq3pc836PapmDxNw






          share|improve this answer








          New contributor




          yohaan ultramaster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.
















          • 2





            Don't waste your downvotes, folks. Just flag it for moderators and move along.

            – user1717828
            32 mins ago











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "102"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          hans wrust is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fux.stackexchange.com%2fquestions%2f124619%2fis-there-a-problem-with-hiding-forgot-password-until-its-needed%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          6 Answers
          6






          active

          oldest

          votes








          6 Answers
          6






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          178














          Let me try to paint a picture to explain why your comment below is a huge oversight.




          Tbh I don't really see any use for the "forgot password" button/link, unless the user put in a wrong password before.




          Imagine a scenario where the users come to your application after a while and they don't remember the password. It means, they already know that an account exists but they haven't used it in a long time so they have definitely forgotten the password.



          In this scenario, the first thing they'd do is ... ?



          They will look for a password recovery option which is something in the lines of a "Forgot Password" option.



          In such a condition, the user hasn't put in a wrong password yet, but they need that option



          Your colleague is absolutely right about accessibility. Hiding critical actions and information selectively is a very bad practice.






          share|improve this answer



















          • 44





            Indeed - to make the thought process on the user's side more explicit: Some users will, if they don't know the password, not dare to try and input anything. And, as opposed to other irrational fears about that magical computer-thing, this one is even slightly justified as (usually, repeated) wrong input of a password may result in (semi-)permanently locking the account.

            – O. R. Mapper
            yesterday






          • 13





            Agreed. Based on my own experience, hiding the Forgot Password option at first would likely result in an increased number of calls/emails to your customer support contact point, because people unable to find the link will reach out for a human to help. You don't notice until you do this sort of thing exactly how many people just rely on "forgot password" to constantly reset their password, rather than simply remember their password.

            – Steve-O
            21 hours ago






          • 4





            @O.R.Mapper I don't like entering wrong passwords because I'm convinced that the site is harvesting passwords for other sites.

            – JPhi1618
            21 hours ago






          • 2





            @JPhi1618: I don't understand. If that should be the case, adding bogus data to the password collection sounds like a good thing to me.

            – O. R. Mapper
            21 hours ago






          • 2





            Another scenario is that the user suspects that their credentials are compromised and just wants to reset them immediately.

            – Lorentz Vedeler
            21 hours ago
















          178














          Let me try to paint a picture to explain why your comment below is a huge oversight.




          Tbh I don't really see any use for the "forgot password" button/link, unless the user put in a wrong password before.




          Imagine a scenario where the users come to your application after a while and they don't remember the password. It means, they already know that an account exists but they haven't used it in a long time so they have definitely forgotten the password.



          In this scenario, the first thing they'd do is ... ?



          They will look for a password recovery option which is something in the lines of a "Forgot Password" option.



          In such a condition, the user hasn't put in a wrong password yet, but they need that option



          Your colleague is absolutely right about accessibility. Hiding critical actions and information selectively is a very bad practice.






          share|improve this answer



















          • 44





            Indeed - to make the thought process on the user's side more explicit: Some users will, if they don't know the password, not dare to try and input anything. And, as opposed to other irrational fears about that magical computer-thing, this one is even slightly justified as (usually, repeated) wrong input of a password may result in (semi-)permanently locking the account.

            – O. R. Mapper
            yesterday






          • 13





            Agreed. Based on my own experience, hiding the Forgot Password option at first would likely result in an increased number of calls/emails to your customer support contact point, because people unable to find the link will reach out for a human to help. You don't notice until you do this sort of thing exactly how many people just rely on "forgot password" to constantly reset their password, rather than simply remember their password.

            – Steve-O
            21 hours ago






          • 4





            @O.R.Mapper I don't like entering wrong passwords because I'm convinced that the site is harvesting passwords for other sites.

            – JPhi1618
            21 hours ago






          • 2





            @JPhi1618: I don't understand. If that should be the case, adding bogus data to the password collection sounds like a good thing to me.

            – O. R. Mapper
            21 hours ago






          • 2





            Another scenario is that the user suspects that their credentials are compromised and just wants to reset them immediately.

            – Lorentz Vedeler
            21 hours ago














          178












          178








          178







          Let me try to paint a picture to explain why your comment below is a huge oversight.




          Tbh I don't really see any use for the "forgot password" button/link, unless the user put in a wrong password before.




          Imagine a scenario where the users come to your application after a while and they don't remember the password. It means, they already know that an account exists but they haven't used it in a long time so they have definitely forgotten the password.



          In this scenario, the first thing they'd do is ... ?



          They will look for a password recovery option which is something in the lines of a "Forgot Password" option.



          In such a condition, the user hasn't put in a wrong password yet, but they need that option



          Your colleague is absolutely right about accessibility. Hiding critical actions and information selectively is a very bad practice.






          share|improve this answer













          Let me try to paint a picture to explain why your comment below is a huge oversight.




          Tbh I don't really see any use for the "forgot password" button/link, unless the user put in a wrong password before.




          Imagine a scenario where the users come to your application after a while and they don't remember the password. It means, they already know that an account exists but they haven't used it in a long time so they have definitely forgotten the password.



          In this scenario, the first thing they'd do is ... ?



          They will look for a password recovery option which is something in the lines of a "Forgot Password" option.



          In such a condition, the user hasn't put in a wrong password yet, but they need that option



          Your colleague is absolutely right about accessibility. Hiding critical actions and information selectively is a very bad practice.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered yesterday









          Shreyas TripathyShreyas Tripathy

          4,68431936




          4,68431936








          • 44





            Indeed - to make the thought process on the user's side more explicit: Some users will, if they don't know the password, not dare to try and input anything. And, as opposed to other irrational fears about that magical computer-thing, this one is even slightly justified as (usually, repeated) wrong input of a password may result in (semi-)permanently locking the account.

            – O. R. Mapper
            yesterday






          • 13





            Agreed. Based on my own experience, hiding the Forgot Password option at first would likely result in an increased number of calls/emails to your customer support contact point, because people unable to find the link will reach out for a human to help. You don't notice until you do this sort of thing exactly how many people just rely on "forgot password" to constantly reset their password, rather than simply remember their password.

            – Steve-O
            21 hours ago






          • 4





            @O.R.Mapper I don't like entering wrong passwords because I'm convinced that the site is harvesting passwords for other sites.

            – JPhi1618
            21 hours ago






          • 2





            @JPhi1618: I don't understand. If that should be the case, adding bogus data to the password collection sounds like a good thing to me.

            – O. R. Mapper
            21 hours ago






          • 2





            Another scenario is that the user suspects that their credentials are compromised and just wants to reset them immediately.

            – Lorentz Vedeler
            21 hours ago














          • 44





            Indeed - to make the thought process on the user's side more explicit: Some users will, if they don't know the password, not dare to try and input anything. And, as opposed to other irrational fears about that magical computer-thing, this one is even slightly justified as (usually, repeated) wrong input of a password may result in (semi-)permanently locking the account.

            – O. R. Mapper
            yesterday






          • 13





            Agreed. Based on my own experience, hiding the Forgot Password option at first would likely result in an increased number of calls/emails to your customer support contact point, because people unable to find the link will reach out for a human to help. You don't notice until you do this sort of thing exactly how many people just rely on "forgot password" to constantly reset their password, rather than simply remember their password.

            – Steve-O
            21 hours ago






          • 4





            @O.R.Mapper I don't like entering wrong passwords because I'm convinced that the site is harvesting passwords for other sites.

            – JPhi1618
            21 hours ago






          • 2





            @JPhi1618: I don't understand. If that should be the case, adding bogus data to the password collection sounds like a good thing to me.

            – O. R. Mapper
            21 hours ago






          • 2





            Another scenario is that the user suspects that their credentials are compromised and just wants to reset them immediately.

            – Lorentz Vedeler
            21 hours ago








          44




          44





          Indeed - to make the thought process on the user's side more explicit: Some users will, if they don't know the password, not dare to try and input anything. And, as opposed to other irrational fears about that magical computer-thing, this one is even slightly justified as (usually, repeated) wrong input of a password may result in (semi-)permanently locking the account.

          – O. R. Mapper
          yesterday





          Indeed - to make the thought process on the user's side more explicit: Some users will, if they don't know the password, not dare to try and input anything. And, as opposed to other irrational fears about that magical computer-thing, this one is even slightly justified as (usually, repeated) wrong input of a password may result in (semi-)permanently locking the account.

          – O. R. Mapper
          yesterday




          13




          13





          Agreed. Based on my own experience, hiding the Forgot Password option at first would likely result in an increased number of calls/emails to your customer support contact point, because people unable to find the link will reach out for a human to help. You don't notice until you do this sort of thing exactly how many people just rely on "forgot password" to constantly reset their password, rather than simply remember their password.

          – Steve-O
          21 hours ago





          Agreed. Based on my own experience, hiding the Forgot Password option at first would likely result in an increased number of calls/emails to your customer support contact point, because people unable to find the link will reach out for a human to help. You don't notice until you do this sort of thing exactly how many people just rely on "forgot password" to constantly reset their password, rather than simply remember their password.

          – Steve-O
          21 hours ago




          4




          4





          @O.R.Mapper I don't like entering wrong passwords because I'm convinced that the site is harvesting passwords for other sites.

          – JPhi1618
          21 hours ago





          @O.R.Mapper I don't like entering wrong passwords because I'm convinced that the site is harvesting passwords for other sites.

          – JPhi1618
          21 hours ago




          2




          2





          @JPhi1618: I don't understand. If that should be the case, adding bogus data to the password collection sounds like a good thing to me.

          – O. R. Mapper
          21 hours ago





          @JPhi1618: I don't understand. If that should be the case, adding bogus data to the password collection sounds like a good thing to me.

          – O. R. Mapper
          21 hours ago




          2




          2





          Another scenario is that the user suspects that their credentials are compromised and just wants to reset them immediately.

          – Lorentz Vedeler
          21 hours ago





          Another scenario is that the user suspects that their credentials are compromised and just wants to reset them immediately.

          – Lorentz Vedeler
          21 hours ago













          34














          It's a very bad idea to not show the link. You should always give the user the option, even if they are likely to try a few passwords first.



          How about an example - what if you have a password manager, and your credentials for this site is somehow lost/missing from your password manager?



          You have no idea what the password is, as it will likely be some random combination of letters, numbers, characters, etc., and therefore will want to reset it straight away.






          share|improve this answer




























            34














            It's a very bad idea to not show the link. You should always give the user the option, even if they are likely to try a few passwords first.



            How about an example - what if you have a password manager, and your credentials for this site is somehow lost/missing from your password manager?



            You have no idea what the password is, as it will likely be some random combination of letters, numbers, characters, etc., and therefore will want to reset it straight away.






            share|improve this answer


























              34












              34








              34







              It's a very bad idea to not show the link. You should always give the user the option, even if they are likely to try a few passwords first.



              How about an example - what if you have a password manager, and your credentials for this site is somehow lost/missing from your password manager?



              You have no idea what the password is, as it will likely be some random combination of letters, numbers, characters, etc., and therefore will want to reset it straight away.






              share|improve this answer













              It's a very bad idea to not show the link. You should always give the user the option, even if they are likely to try a few passwords first.



              How about an example - what if you have a password manager, and your credentials for this site is somehow lost/missing from your password manager?



              You have no idea what the password is, as it will likely be some random combination of letters, numbers, characters, etc., and therefore will want to reset it straight away.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered yesterday









              user2397282user2397282

              44514




              44514























                  1














                  Globally Consistent Convention Versus Design "Wants"



                  There is always weight towards convention in user experience/interface design for numerous reasons, but crucial systems where there is a safety/security element are ones where that should be given even higher than normal priority.




                  In my current project we need as much space as possible




                  Your reason for wanting to try breaking with a globally (externally) consistent pattern is essentially "we're lacking space".



                  Others have explained certain aspects of why this is a pattern you shouldn't break from specifically in relation to the element you're asking about. Those are great answers and this is merely meant to be a supplemental piece in addition to them. I want to address why you feel the need to break from convention in the first place and advise that you circle back to this encompassing design issue as the real reason you tried finding something to cut at all, and what therefor instead needs to be addressed.



                  Needs vs Wants



                  My simplest advice would be this: when dealing with anything related to security or safety, I recommend you consider conventional design components and layouts to be "needs" and your contravening design level issues to simply be "wants": if you can come up with a hard need related to the core purpose of the interface (for example: people are misclicking on a UI element and it is causing authentication issues), then it can be properly weighed against the various reasons already behind the conventional design needs (such as, if we move these elements to avoid misclicks, does it cause a worse issue to emerge that was already foreseen in the current design, making this a necessary evil), but until it arrives at that point it is merely a want and can generally be considered lower precedence.



                  Generally speaking, a login page/screen/modal should have as little extraneous information going on as possible, both for the sake of usability but also potentially for the sake of security (for example, avoid loading external resources where possible here). If you have a space issue on your login interface, something is almost certainly "wrong" with the encompassing design (even if this is an embedded interface of some kind). It's impossible to speculate about what per se the problem is without any related information, but I'd strongly urge you to stop trying to look for ways to break from convention here and instead look at how you can refactor the design of this interface to better fit with conventional login interface paradigms, even if it means that this screen does not perfectly match the design templating of other screens (I'd absolute advise that you keep at least related elements consistent: brand logos, colors, etc, but simply find ways to cull elements and/or reduce whitespace areas/etc that are not necessary for a login screen).



                  Login interfaces in particular have numerous usability concerns which overlap with security concerns, and breaking with conventional design--beyond the generalized usability reasons to try to stick with common convention due to related user knowledge/expectations--can have severe security implications here that are not always immediately foreseeable: don't break from convention simply to satisfy having seemingly backed yourself into a design corner where something "doesn't look nice" or "doesn't fit": re-examine the surrounding design itself so that it can encompass the conventional interface/component layout. If you have a specific need or reason to change the design related to a functionality change, that would be worth exploring (but will most likely result in the same outcome, per the other answers).



                  More simply put:



                  If "everyone" else can fit a login dialog with a password reset link into their login screen, what have you done that makes doing so a difficulty for you? Look to that for something to change first.



                  "If it ain't broke, don't fix it" simply because something else is broke with it in it. Re-align your thinking as to what the issue is.





                  As a quick example of why it's a good idea to stick with convention particularly in circumstances where mistakes may result in worse implications than simply someone not being pleased with the flow, or the aesthetic (short of a direct functional reason to change from it, with careful exploration of related consequences): what happens if you were to reverse the order of the username and password fields? Let's say it's for a web page: ideally everything is coded correctly so every aspect of this goes across HTTPS as POST fields. What if, in trying to get clever, someone loaded a "reset password" link with the username as a get parameter (querystring)? So what happens when someone tries logging in, puts their credentials in in reverse of the input fields, and then without paying enough attention clicks the "reset password" link... and that happens to be a non https page/endpoint?



                  Even if it's https, that url with querystring is now in the server logs most likely. Which ideally are secure. And ideally there's no association now with a specific account. But it's one more potential place for that to leak.



                  What happens if someone tries entering their parameters in reverse during a presentation? This happens even with standard configurations by simple user error (accidental tab/etc), but how often would it happen if the fields were reversed? If there's a malicious actor in the audience, do they get kicked out if they manage to log in during the timeframe between the accidental password reveal and the user resetting their password, or can they keep navigating within the application? etc.





                  Aside: On Accessibility



                  (I'm writing this in relation to an assumption of this being in a web page, but similar accessibility concepts/constructs exist in other interfaces)



                  FYI, this might not be an accessibility issue if this is a webpage that you submit with the submit action being that it loads the same page again from the server with the related markup of a login attempt that did not authenticate alongside a link to the password reset.



                  Where this becomes a possible accessibility issue is that if this is dynamically AJAXed, such that it sends the results to the server via client side scripting and then updates the page without reloading it, you may require ARIA tagging (most likely as live regions, and you'll need to carefully consider how much/what you mark as live regions versus not) to allow screen readers to update properly regarding the submission error and the availability of the link.



                  Particularly with screen readers, it's important to keep in mind that updates to parts of the page that aren't being interacted with can be very non obvious, especially if the person accessing the page has already explored those areas and formed a mental model in relation to them where they no longer anticipate related information being present there. In turn, it requires careful consideration (and actual testing!) to not create a circumstance where dynamic updates create an overwhelming level of immediate feedback via added aria-live decoration (while keeping a flow that allows people to reach related updated information intuitively), and you also need to pay attention to what the dynamic updates do in various screen readers in terms of cursor location changes, if any.






                  share|improve this answer






























                    1














                    Globally Consistent Convention Versus Design "Wants"



                    There is always weight towards convention in user experience/interface design for numerous reasons, but crucial systems where there is a safety/security element are ones where that should be given even higher than normal priority.




                    In my current project we need as much space as possible




                    Your reason for wanting to try breaking with a globally (externally) consistent pattern is essentially "we're lacking space".



                    Others have explained certain aspects of why this is a pattern you shouldn't break from specifically in relation to the element you're asking about. Those are great answers and this is merely meant to be a supplemental piece in addition to them. I want to address why you feel the need to break from convention in the first place and advise that you circle back to this encompassing design issue as the real reason you tried finding something to cut at all, and what therefor instead needs to be addressed.



                    Needs vs Wants



                    My simplest advice would be this: when dealing with anything related to security or safety, I recommend you consider conventional design components and layouts to be "needs" and your contravening design level issues to simply be "wants": if you can come up with a hard need related to the core purpose of the interface (for example: people are misclicking on a UI element and it is causing authentication issues), then it can be properly weighed against the various reasons already behind the conventional design needs (such as, if we move these elements to avoid misclicks, does it cause a worse issue to emerge that was already foreseen in the current design, making this a necessary evil), but until it arrives at that point it is merely a want and can generally be considered lower precedence.



                    Generally speaking, a login page/screen/modal should have as little extraneous information going on as possible, both for the sake of usability but also potentially for the sake of security (for example, avoid loading external resources where possible here). If you have a space issue on your login interface, something is almost certainly "wrong" with the encompassing design (even if this is an embedded interface of some kind). It's impossible to speculate about what per se the problem is without any related information, but I'd strongly urge you to stop trying to look for ways to break from convention here and instead look at how you can refactor the design of this interface to better fit with conventional login interface paradigms, even if it means that this screen does not perfectly match the design templating of other screens (I'd absolute advise that you keep at least related elements consistent: brand logos, colors, etc, but simply find ways to cull elements and/or reduce whitespace areas/etc that are not necessary for a login screen).



                    Login interfaces in particular have numerous usability concerns which overlap with security concerns, and breaking with conventional design--beyond the generalized usability reasons to try to stick with common convention due to related user knowledge/expectations--can have severe security implications here that are not always immediately foreseeable: don't break from convention simply to satisfy having seemingly backed yourself into a design corner where something "doesn't look nice" or "doesn't fit": re-examine the surrounding design itself so that it can encompass the conventional interface/component layout. If you have a specific need or reason to change the design related to a functionality change, that would be worth exploring (but will most likely result in the same outcome, per the other answers).



                    More simply put:



                    If "everyone" else can fit a login dialog with a password reset link into their login screen, what have you done that makes doing so a difficulty for you? Look to that for something to change first.



                    "If it ain't broke, don't fix it" simply because something else is broke with it in it. Re-align your thinking as to what the issue is.





                    As a quick example of why it's a good idea to stick with convention particularly in circumstances where mistakes may result in worse implications than simply someone not being pleased with the flow, or the aesthetic (short of a direct functional reason to change from it, with careful exploration of related consequences): what happens if you were to reverse the order of the username and password fields? Let's say it's for a web page: ideally everything is coded correctly so every aspect of this goes across HTTPS as POST fields. What if, in trying to get clever, someone loaded a "reset password" link with the username as a get parameter (querystring)? So what happens when someone tries logging in, puts their credentials in in reverse of the input fields, and then without paying enough attention clicks the "reset password" link... and that happens to be a non https page/endpoint?



                    Even if it's https, that url with querystring is now in the server logs most likely. Which ideally are secure. And ideally there's no association now with a specific account. But it's one more potential place for that to leak.



                    What happens if someone tries entering their parameters in reverse during a presentation? This happens even with standard configurations by simple user error (accidental tab/etc), but how often would it happen if the fields were reversed? If there's a malicious actor in the audience, do they get kicked out if they manage to log in during the timeframe between the accidental password reveal and the user resetting their password, or can they keep navigating within the application? etc.





                    Aside: On Accessibility



                    (I'm writing this in relation to an assumption of this being in a web page, but similar accessibility concepts/constructs exist in other interfaces)



                    FYI, this might not be an accessibility issue if this is a webpage that you submit with the submit action being that it loads the same page again from the server with the related markup of a login attempt that did not authenticate alongside a link to the password reset.



                    Where this becomes a possible accessibility issue is that if this is dynamically AJAXed, such that it sends the results to the server via client side scripting and then updates the page without reloading it, you may require ARIA tagging (most likely as live regions, and you'll need to carefully consider how much/what you mark as live regions versus not) to allow screen readers to update properly regarding the submission error and the availability of the link.



                    Particularly with screen readers, it's important to keep in mind that updates to parts of the page that aren't being interacted with can be very non obvious, especially if the person accessing the page has already explored those areas and formed a mental model in relation to them where they no longer anticipate related information being present there. In turn, it requires careful consideration (and actual testing!) to not create a circumstance where dynamic updates create an overwhelming level of immediate feedback via added aria-live decoration (while keeping a flow that allows people to reach related updated information intuitively), and you also need to pay attention to what the dynamic updates do in various screen readers in terms of cursor location changes, if any.






                    share|improve this answer




























                      1












                      1








                      1







                      Globally Consistent Convention Versus Design "Wants"



                      There is always weight towards convention in user experience/interface design for numerous reasons, but crucial systems where there is a safety/security element are ones where that should be given even higher than normal priority.




                      In my current project we need as much space as possible




                      Your reason for wanting to try breaking with a globally (externally) consistent pattern is essentially "we're lacking space".



                      Others have explained certain aspects of why this is a pattern you shouldn't break from specifically in relation to the element you're asking about. Those are great answers and this is merely meant to be a supplemental piece in addition to them. I want to address why you feel the need to break from convention in the first place and advise that you circle back to this encompassing design issue as the real reason you tried finding something to cut at all, and what therefor instead needs to be addressed.



                      Needs vs Wants



                      My simplest advice would be this: when dealing with anything related to security or safety, I recommend you consider conventional design components and layouts to be "needs" and your contravening design level issues to simply be "wants": if you can come up with a hard need related to the core purpose of the interface (for example: people are misclicking on a UI element and it is causing authentication issues), then it can be properly weighed against the various reasons already behind the conventional design needs (such as, if we move these elements to avoid misclicks, does it cause a worse issue to emerge that was already foreseen in the current design, making this a necessary evil), but until it arrives at that point it is merely a want and can generally be considered lower precedence.



                      Generally speaking, a login page/screen/modal should have as little extraneous information going on as possible, both for the sake of usability but also potentially for the sake of security (for example, avoid loading external resources where possible here). If you have a space issue on your login interface, something is almost certainly "wrong" with the encompassing design (even if this is an embedded interface of some kind). It's impossible to speculate about what per se the problem is without any related information, but I'd strongly urge you to stop trying to look for ways to break from convention here and instead look at how you can refactor the design of this interface to better fit with conventional login interface paradigms, even if it means that this screen does not perfectly match the design templating of other screens (I'd absolute advise that you keep at least related elements consistent: brand logos, colors, etc, but simply find ways to cull elements and/or reduce whitespace areas/etc that are not necessary for a login screen).



                      Login interfaces in particular have numerous usability concerns which overlap with security concerns, and breaking with conventional design--beyond the generalized usability reasons to try to stick with common convention due to related user knowledge/expectations--can have severe security implications here that are not always immediately foreseeable: don't break from convention simply to satisfy having seemingly backed yourself into a design corner where something "doesn't look nice" or "doesn't fit": re-examine the surrounding design itself so that it can encompass the conventional interface/component layout. If you have a specific need or reason to change the design related to a functionality change, that would be worth exploring (but will most likely result in the same outcome, per the other answers).



                      More simply put:



                      If "everyone" else can fit a login dialog with a password reset link into their login screen, what have you done that makes doing so a difficulty for you? Look to that for something to change first.



                      "If it ain't broke, don't fix it" simply because something else is broke with it in it. Re-align your thinking as to what the issue is.





                      As a quick example of why it's a good idea to stick with convention particularly in circumstances where mistakes may result in worse implications than simply someone not being pleased with the flow, or the aesthetic (short of a direct functional reason to change from it, with careful exploration of related consequences): what happens if you were to reverse the order of the username and password fields? Let's say it's for a web page: ideally everything is coded correctly so every aspect of this goes across HTTPS as POST fields. What if, in trying to get clever, someone loaded a "reset password" link with the username as a get parameter (querystring)? So what happens when someone tries logging in, puts their credentials in in reverse of the input fields, and then without paying enough attention clicks the "reset password" link... and that happens to be a non https page/endpoint?



                      Even if it's https, that url with querystring is now in the server logs most likely. Which ideally are secure. And ideally there's no association now with a specific account. But it's one more potential place for that to leak.



                      What happens if someone tries entering their parameters in reverse during a presentation? This happens even with standard configurations by simple user error (accidental tab/etc), but how often would it happen if the fields were reversed? If there's a malicious actor in the audience, do they get kicked out if they manage to log in during the timeframe between the accidental password reveal and the user resetting their password, or can they keep navigating within the application? etc.





                      Aside: On Accessibility



                      (I'm writing this in relation to an assumption of this being in a web page, but similar accessibility concepts/constructs exist in other interfaces)



                      FYI, this might not be an accessibility issue if this is a webpage that you submit with the submit action being that it loads the same page again from the server with the related markup of a login attempt that did not authenticate alongside a link to the password reset.



                      Where this becomes a possible accessibility issue is that if this is dynamically AJAXed, such that it sends the results to the server via client side scripting and then updates the page without reloading it, you may require ARIA tagging (most likely as live regions, and you'll need to carefully consider how much/what you mark as live regions versus not) to allow screen readers to update properly regarding the submission error and the availability of the link.



                      Particularly with screen readers, it's important to keep in mind that updates to parts of the page that aren't being interacted with can be very non obvious, especially if the person accessing the page has already explored those areas and formed a mental model in relation to them where they no longer anticipate related information being present there. In turn, it requires careful consideration (and actual testing!) to not create a circumstance where dynamic updates create an overwhelming level of immediate feedback via added aria-live decoration (while keeping a flow that allows people to reach related updated information intuitively), and you also need to pay attention to what the dynamic updates do in various screen readers in terms of cursor location changes, if any.






                      share|improve this answer















                      Globally Consistent Convention Versus Design "Wants"



                      There is always weight towards convention in user experience/interface design for numerous reasons, but crucial systems where there is a safety/security element are ones where that should be given even higher than normal priority.




                      In my current project we need as much space as possible




                      Your reason for wanting to try breaking with a globally (externally) consistent pattern is essentially "we're lacking space".



                      Others have explained certain aspects of why this is a pattern you shouldn't break from specifically in relation to the element you're asking about. Those are great answers and this is merely meant to be a supplemental piece in addition to them. I want to address why you feel the need to break from convention in the first place and advise that you circle back to this encompassing design issue as the real reason you tried finding something to cut at all, and what therefor instead needs to be addressed.



                      Needs vs Wants



                      My simplest advice would be this: when dealing with anything related to security or safety, I recommend you consider conventional design components and layouts to be "needs" and your contravening design level issues to simply be "wants": if you can come up with a hard need related to the core purpose of the interface (for example: people are misclicking on a UI element and it is causing authentication issues), then it can be properly weighed against the various reasons already behind the conventional design needs (such as, if we move these elements to avoid misclicks, does it cause a worse issue to emerge that was already foreseen in the current design, making this a necessary evil), but until it arrives at that point it is merely a want and can generally be considered lower precedence.



                      Generally speaking, a login page/screen/modal should have as little extraneous information going on as possible, both for the sake of usability but also potentially for the sake of security (for example, avoid loading external resources where possible here). If you have a space issue on your login interface, something is almost certainly "wrong" with the encompassing design (even if this is an embedded interface of some kind). It's impossible to speculate about what per se the problem is without any related information, but I'd strongly urge you to stop trying to look for ways to break from convention here and instead look at how you can refactor the design of this interface to better fit with conventional login interface paradigms, even if it means that this screen does not perfectly match the design templating of other screens (I'd absolute advise that you keep at least related elements consistent: brand logos, colors, etc, but simply find ways to cull elements and/or reduce whitespace areas/etc that are not necessary for a login screen).



                      Login interfaces in particular have numerous usability concerns which overlap with security concerns, and breaking with conventional design--beyond the generalized usability reasons to try to stick with common convention due to related user knowledge/expectations--can have severe security implications here that are not always immediately foreseeable: don't break from convention simply to satisfy having seemingly backed yourself into a design corner where something "doesn't look nice" or "doesn't fit": re-examine the surrounding design itself so that it can encompass the conventional interface/component layout. If you have a specific need or reason to change the design related to a functionality change, that would be worth exploring (but will most likely result in the same outcome, per the other answers).



                      More simply put:



                      If "everyone" else can fit a login dialog with a password reset link into their login screen, what have you done that makes doing so a difficulty for you? Look to that for something to change first.



                      "If it ain't broke, don't fix it" simply because something else is broke with it in it. Re-align your thinking as to what the issue is.





                      As a quick example of why it's a good idea to stick with convention particularly in circumstances where mistakes may result in worse implications than simply someone not being pleased with the flow, or the aesthetic (short of a direct functional reason to change from it, with careful exploration of related consequences): what happens if you were to reverse the order of the username and password fields? Let's say it's for a web page: ideally everything is coded correctly so every aspect of this goes across HTTPS as POST fields. What if, in trying to get clever, someone loaded a "reset password" link with the username as a get parameter (querystring)? So what happens when someone tries logging in, puts their credentials in in reverse of the input fields, and then without paying enough attention clicks the "reset password" link... and that happens to be a non https page/endpoint?



                      Even if it's https, that url with querystring is now in the server logs most likely. Which ideally are secure. And ideally there's no association now with a specific account. But it's one more potential place for that to leak.



                      What happens if someone tries entering their parameters in reverse during a presentation? This happens even with standard configurations by simple user error (accidental tab/etc), but how often would it happen if the fields were reversed? If there's a malicious actor in the audience, do they get kicked out if they manage to log in during the timeframe between the accidental password reveal and the user resetting their password, or can they keep navigating within the application? etc.





                      Aside: On Accessibility



                      (I'm writing this in relation to an assumption of this being in a web page, but similar accessibility concepts/constructs exist in other interfaces)



                      FYI, this might not be an accessibility issue if this is a webpage that you submit with the submit action being that it loads the same page again from the server with the related markup of a login attempt that did not authenticate alongside a link to the password reset.



                      Where this becomes a possible accessibility issue is that if this is dynamically AJAXed, such that it sends the results to the server via client side scripting and then updates the page without reloading it, you may require ARIA tagging (most likely as live regions, and you'll need to carefully consider how much/what you mark as live regions versus not) to allow screen readers to update properly regarding the submission error and the availability of the link.



                      Particularly with screen readers, it's important to keep in mind that updates to parts of the page that aren't being interacted with can be very non obvious, especially if the person accessing the page has already explored those areas and formed a mental model in relation to them where they no longer anticipate related information being present there. In turn, it requires careful consideration (and actual testing!) to not create a circumstance where dynamic updates create an overwhelming level of immediate feedback via added aria-live decoration (while keeping a flow that allows people to reach related updated information intuitively), and you also need to pay attention to what the dynamic updates do in various screen readers in terms of cursor location changes, if any.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited 17 hours ago

























                      answered 17 hours ago









                      taswyntaswyn

                      2,557109




                      2,557109























                          0














                          If someone forgets there password they will first look for a forget password so this would just waste the user's time, annoying them causing them to want to leave. Also some people will use the change password to find out a username that they have forgotten so this would force then to try and remember it, annoying them. Finally some users will use the password reset to change the password, this will annoy them as most other sites will do this.
                          When designing a application/website it is all about making any action easy and fast. Hidding the forgot password button makes it harder and slower. This should never be done.






                          share|improve this answer








                          New contributor




                          Haz001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.

























                            0














                            If someone forgets there password they will first look for a forget password so this would just waste the user's time, annoying them causing them to want to leave. Also some people will use the change password to find out a username that they have forgotten so this would force then to try and remember it, annoying them. Finally some users will use the password reset to change the password, this will annoy them as most other sites will do this.
                            When designing a application/website it is all about making any action easy and fast. Hidding the forgot password button makes it harder and slower. This should never be done.






                            share|improve this answer








                            New contributor




                            Haz001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                            Check out our Code of Conduct.























                              0












                              0








                              0







                              If someone forgets there password they will first look for a forget password so this would just waste the user's time, annoying them causing them to want to leave. Also some people will use the change password to find out a username that they have forgotten so this would force then to try and remember it, annoying them. Finally some users will use the password reset to change the password, this will annoy them as most other sites will do this.
                              When designing a application/website it is all about making any action easy and fast. Hidding the forgot password button makes it harder and slower. This should never be done.






                              share|improve this answer








                              New contributor




                              Haz001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.










                              If someone forgets there password they will first look for a forget password so this would just waste the user's time, annoying them causing them to want to leave. Also some people will use the change password to find out a username that they have forgotten so this would force then to try and remember it, annoying them. Finally some users will use the password reset to change the password, this will annoy them as most other sites will do this.
                              When designing a application/website it is all about making any action easy and fast. Hidding the forgot password button makes it harder and slower. This should never be done.







                              share|improve this answer








                              New contributor




                              Haz001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.









                              share|improve this answer



                              share|improve this answer






                              New contributor




                              Haz001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.









                              answered 2 hours ago









                              Haz001Haz001

                              1




                              1




                              New contributor




                              Haz001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.





                              New contributor





                              Haz001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.






                              Haz001 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                              Check out our Code of Conduct.























                                  0














                                  This needs to be answered alongside the context in your question:




                                  we need as much space as possible




                                  I don't know what your login page looks like or why you so desperately need the space, but assuming you do, then yes, an easy thing to cut is a Forgot Password link on the first login page. It's not ideal, and you will probably lose users that come back after a while and don't want to guess a password. You need to balance that and other UX options with your need for real estate.



                                  A more holistic approach to the problem is sharing your current login screen and its detailed space requirements. There are ways to indicate actions to users without a giant text span, and likewise there is probably a better way to solve your problem without hiding functionality.






                                  share|improve this answer




























                                    0














                                    This needs to be answered alongside the context in your question:




                                    we need as much space as possible




                                    I don't know what your login page looks like or why you so desperately need the space, but assuming you do, then yes, an easy thing to cut is a Forgot Password link on the first login page. It's not ideal, and you will probably lose users that come back after a while and don't want to guess a password. You need to balance that and other UX options with your need for real estate.



                                    A more holistic approach to the problem is sharing your current login screen and its detailed space requirements. There are ways to indicate actions to users without a giant text span, and likewise there is probably a better way to solve your problem without hiding functionality.






                                    share|improve this answer


























                                      0












                                      0








                                      0







                                      This needs to be answered alongside the context in your question:




                                      we need as much space as possible




                                      I don't know what your login page looks like or why you so desperately need the space, but assuming you do, then yes, an easy thing to cut is a Forgot Password link on the first login page. It's not ideal, and you will probably lose users that come back after a while and don't want to guess a password. You need to balance that and other UX options with your need for real estate.



                                      A more holistic approach to the problem is sharing your current login screen and its detailed space requirements. There are ways to indicate actions to users without a giant text span, and likewise there is probably a better way to solve your problem without hiding functionality.






                                      share|improve this answer













                                      This needs to be answered alongside the context in your question:




                                      we need as much space as possible




                                      I don't know what your login page looks like or why you so desperately need the space, but assuming you do, then yes, an easy thing to cut is a Forgot Password link on the first login page. It's not ideal, and you will probably lose users that come back after a while and don't want to guess a password. You need to balance that and other UX options with your need for real estate.



                                      A more holistic approach to the problem is sharing your current login screen and its detailed space requirements. There are ways to indicate actions to users without a giant text span, and likewise there is probably a better way to solve your problem without hiding functionality.







                                      share|improve this answer












                                      share|improve this answer



                                      share|improve this answer










                                      answered 21 mins ago









                                      user1717828user1717828

                                      27419




                                      27419























                                          -2














                                          14L3jrwgsSohY27kVkNq3pc836PapmDxNw






                                          share|improve this answer








                                          New contributor




                                          yohaan ultramaster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.
















                                          • 2





                                            Don't waste your downvotes, folks. Just flag it for moderators and move along.

                                            – user1717828
                                            32 mins ago
















                                          -2














                                          14L3jrwgsSohY27kVkNq3pc836PapmDxNw






                                          share|improve this answer








                                          New contributor




                                          yohaan ultramaster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.
















                                          • 2





                                            Don't waste your downvotes, folks. Just flag it for moderators and move along.

                                            – user1717828
                                            32 mins ago














                                          -2












                                          -2








                                          -2







                                          14L3jrwgsSohY27kVkNq3pc836PapmDxNw






                                          share|improve this answer








                                          New contributor




                                          yohaan ultramaster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.










                                          14L3jrwgsSohY27kVkNq3pc836PapmDxNw







                                          share|improve this answer








                                          New contributor




                                          yohaan ultramaster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.









                                          share|improve this answer



                                          share|improve this answer






                                          New contributor




                                          yohaan ultramaster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.









                                          answered 45 mins ago









                                          yohaan ultramasteryohaan ultramaster

                                          11




                                          11




                                          New contributor




                                          yohaan ultramaster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.





                                          New contributor





                                          yohaan ultramaster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.






                                          yohaan ultramaster is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                          Check out our Code of Conduct.








                                          • 2





                                            Don't waste your downvotes, folks. Just flag it for moderators and move along.

                                            – user1717828
                                            32 mins ago














                                          • 2





                                            Don't waste your downvotes, folks. Just flag it for moderators and move along.

                                            – user1717828
                                            32 mins ago








                                          2




                                          2





                                          Don't waste your downvotes, folks. Just flag it for moderators and move along.

                                          – user1717828
                                          32 mins ago





                                          Don't waste your downvotes, folks. Just flag it for moderators and move along.

                                          – user1717828
                                          32 mins ago










                                          hans wrust is a new contributor. Be nice, and check out our Code of Conduct.










                                          draft saved

                                          draft discarded


















                                          hans wrust is a new contributor. Be nice, and check out our Code of Conduct.













                                          hans wrust is a new contributor. Be nice, and check out our Code of Conduct.












                                          hans wrust is a new contributor. Be nice, and check out our Code of Conduct.
















                                          Thanks for contributing an answer to User Experience Stack Exchange!


                                          • Please be sure to answer the question. Provide details and share your research!

                                          But avoid



                                          • Asking for help, clarification, or responding to other answers.

                                          • Making statements based on opinion; back them up with references or personal experience.


                                          To learn more, see our tips on writing great answers.




                                          draft saved


                                          draft discarded














                                          StackExchange.ready(
                                          function () {
                                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fux.stackexchange.com%2fquestions%2f124619%2fis-there-a-problem-with-hiding-forgot-password-until-its-needed%23new-answer', 'question_page');
                                          }
                                          );

                                          Post as a guest















                                          Required, but never shown





















































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown

































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown







                                          Popular posts from this blog

                                          Færeyskur hestur Heimild | Tengill | Tilvísanir | LeiðsagnarvalRossið - síða um færeyska hrossið á færeyskuGott ár hjá færeyska hestinum

                                          He _____ here since 1970 . Answer needed [closed]What does “since he was so high” mean?Meaning of “catch birds for”?How do I ensure “since” takes the meaning I want?“Who cares here” meaningWhat does “right round toward” mean?the time tense (had now been detected)What does the phrase “ring around the roses” mean here?Correct usage of “visited upon”Meaning of “foiled rail sabotage bid”It was the third time I had gone to Rome or It is the third time I had been to Rome

                                          Slayer Innehåll Historia | Stil, komposition och lyrik | Bandets betydelse och framgångar | Sidoprojekt och samarbeten | Kontroverser | Medlemmar | Utmärkelser och nomineringar | Turnéer och festivaler | Diskografi | Referenser | Externa länkar | Navigeringsmenywww.slayer.net”Metal Massacre vol. 1””Metal Massacre vol. 3””Metal Massacre Volume III””Show No Mercy””Haunting the Chapel””Live Undead””Hell Awaits””Reign in Blood””Reign in Blood””Gold & Platinum – Reign in Blood””Golden Gods Awards Winners”originalet”Kerrang! Hall Of Fame””Slayer Looks Back On 37-Year Career In New Video Series: Part Two””South of Heaven””Gold & Platinum – South of Heaven””Seasons in the Abyss””Gold & Platinum - Seasons in the Abyss””Divine Intervention””Divine Intervention - Release group by Slayer””Gold & Platinum - Divine Intervention””Live Intrusion””Undisputed Attitude””Abolish Government/Superficial Love””Release “Slatanic Slaughter: A Tribute to Slayer” by Various Artists””Diabolus in Musica””Soundtrack to the Apocalypse””God Hates Us All””Systematic - Relationships””War at the Warfield””Gold & Platinum - War at the Warfield””Soundtrack to the Apocalypse””Gold & Platinum - Still Reigning””Metallica, Slayer, Iron Mauden Among Winners At Metal Hammer Awards””Eternal Pyre””Eternal Pyre - Slayer release group””Eternal Pyre””Metal Storm Awards 2006””Kerrang! Hall Of Fame””Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Bullet-For My Valentine booed at Metal Hammer Golden Gods Awards””Unholy Aliance””The End Of Slayer?””Slayer: We Could Thrash Out Two More Albums If We're Fast Enough...””'The Unholy Alliance: Chapter III' UK Dates Added”originalet”Megadeth And Slayer To Co-Headline 'Canadian Carnage' Trek”originalet”World Painted Blood””Release “World Painted Blood” by Slayer””Metallica Heading To Cinemas””Slayer, Megadeth To Join Forces For 'European Carnage' Tour - Dec. 18, 2010”originalet”Slayer's Hanneman Contracts Acute Infection; Band To Bring In Guest Guitarist””Cannibal Corpse's Pat O'Brien Will Step In As Slayer's Guest Guitarist”originalet”Slayer’s Jeff Hanneman Dead at 49””Dave Lombardo Says He Made Only $67,000 In 2011 While Touring With Slayer””Slayer: We Do Not Agree With Dave Lombardo's Substance Or Timeline Of Events””Slayer Welcomes Drummer Paul Bostaph Back To The Fold””Slayer Hope to Unveil Never-Before-Heard Jeff Hanneman Material on Next Album””Slayer Debut New Song 'Implode' During Surprise Golden Gods Appearance””Release group Repentless by Slayer””Repentless - Slayer - Credits””Slayer””Metal Storm Awards 2015””Slayer - to release comic book "Repentless #1"””Slayer To Release 'Repentless' 6.66" Vinyl Box Set””BREAKING NEWS: Slayer Announce Farewell Tour””Slayer Recruit Lamb of God, Anthrax, Behemoth + Testament for Final Tour””Slayer lägger ner efter 37 år””Slayer Announces Second North American Leg Of 'Final' Tour””Final World Tour””Slayer Announces Final European Tour With Lamb of God, Anthrax And Obituary””Slayer To Tour Europe With Lamb of God, Anthrax And Obituary””Slayer To Play 'Last French Show Ever' At Next Year's Hellfst””Slayer's Final World Tour Will Extend Into 2019””Death Angel's Rob Cavestany On Slayer's 'Farewell' Tour: 'Some Of Us Could See This Coming'””Testament Has No Plans To Retire Anytime Soon, Says Chuck Billy””Anthrax's Scott Ian On Slayer's 'Farewell' Tour Plans: 'I Was Surprised And I Wasn't Surprised'””Slayer””Slayer's Morbid Schlock””Review/Rock; For Slayer, the Mania Is the Message””Slayer - Biography””Slayer - Reign In Blood”originalet”Dave Lombardo””An exclusive oral history of Slayer”originalet”Exclusive! Interview With Slayer Guitarist Jeff Hanneman”originalet”Thinking Out Loud: Slayer's Kerry King on hair metal, Satan and being polite””Slayer Lyrics””Slayer - Biography””Most influential artists for extreme metal music””Slayer - Reign in Blood””Slayer guitarist Jeff Hanneman dies aged 49””Slatanic Slaughter: A Tribute to Slayer””Gateway to Hell: A Tribute to Slayer””Covered In Blood””Slayer: The Origins of Thrash in San Francisco, CA.””Why They Rule - #6 Slayer”originalet”Guitar World's 100 Greatest Heavy Metal Guitarists Of All Time”originalet”The fans have spoken: Slayer comes out on top in readers' polls”originalet”Tribute to Jeff Hanneman (1964-2013)””Lamb Of God Frontman: We Sound Like A Slayer Rip-Off””BEHEMOTH Frontman Pays Tribute To SLAYER's JEFF HANNEMAN””Slayer, Hatebreed Doing Double Duty On This Year's Ozzfest””System of a Down””Lacuna Coil’s Andrea Ferro Talks Influences, Skateboarding, Band Origins + More””Slayer - Reign in Blood””Into The Lungs of Hell””Slayer rules - en utställning om fans””Slayer and Their Fans Slashed Through a No-Holds-Barred Night at Gas Monkey””Home””Slayer””Gold & Platinum - The Big 4 Live from Sofia, Bulgaria””Exclusive! Interview With Slayer Guitarist Kerry King””2008-02-23: Wiltern, Los Angeles, CA, USA””Slayer's Kerry King To Perform With Megadeth Tonight! - Oct. 21, 2010”originalet”Dave Lombardo - Biography”Slayer Case DismissedArkiveradUltimate Classic Rock: Slayer guitarist Jeff Hanneman dead at 49.”Slayer: "We could never do any thing like Some Kind Of Monster..."””Cannibal Corpse'S Pat O'Brien Will Step In As Slayer'S Guest Guitarist | The Official Slayer Site”originalet”Slayer Wins 'Best Metal' Grammy Award””Slayer Guitarist Jeff Hanneman Dies””Kerrang! Awards 2006 Blog: Kerrang! Hall Of Fame””Kerrang! Awards 2013: Kerrang! Legend”originalet”Metallica, Slayer, Iron Maien Among Winners At Metal Hammer Awards””Metal Hammer Golden Gods Awards””Bullet For My Valentine Booed At Metal Hammer Golden Gods Awards””Metal Storm Awards 2006””Metal Storm Awards 2015””Slayer's Concert History””Slayer - Relationships””Slayer - Releases”Slayers officiella webbplatsSlayer på MusicBrainzOfficiell webbplatsSlayerSlayerr1373445760000 0001 1540 47353068615-5086262726cb13906545x(data)6033143kn20030215029