-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Password input #240
Comments
Thanks for sharing this component and adding it to the community backlog @andysellick! The Design System team are currently working through a backlog of contributions, as well as assessing what will be the priority contributions over the next 12 months. We'll be in touch when we can progress this further. In the meantime, teams across government can benefit from the work you have done via this backlog entry. Thanks again! |
Realised I submitted this a while ago and wanted to provide an update. I found out recently that this component is now being used in a number of places by the DI team, who've found it very useful. I'm very happy to progress this, is there any appetite for adding it to the Design System? |
There are some related things happening in the CSS Basic User Interface Module Level 4 spec that are worth being aware of. After a proposal to add a new CSS property However, there's another discussion on whatwg/html which highlights some of the challenges in making that a reality, including a link to an interesting Chromium bug #1016844 where this has previously been tried. Chromium #991878 Also looks like it's worth following. |
Hey @andysellick 👋🏻 Sorry for the long wait for a response. A quick update on this: For our work on the design system accessibility strategy, part of this being to meet WCAG 2.2, we've kept an eye on this component and think it could help us cover criterion 3.3.7. We're basing this on the understanding document and the following paragraph in the 'intent' section:
We're currently working through prior contributions however it's likely we'll pick this up once we start working on WCAG 2.2 compliance in 2023. If you have any questions and/or wanted to discuss this prior to an official kick off of this work, the team would be happy to chat to yourself and any interested parties from One Login (CC @gtvj). |
Thanks @owenatgov that's really great to hear. Totally appreciate how busy you've all been. If there's anything I can do to help this process along at any point please let me know - I'd be very happy to contribute. |
As something not-yet-noted for the record, we may need to ensure that any solution doesn't conflict with password managers (both built-in and third-party ones) which may offer similar functionality or also manipulate the appearance of password inputs. For example, Safari inserts its own button into the input if a password has previously been saved. 1Password, a third-party password manager, does the same. Some versions of Microsoft Edge on Windows also used to have a 'show password' control implemented in the user agent, |
The account and auth teams in Digital Identity are using this component created by @andysellick on our frontends, so as far as we are concerned it would be a useful addition to |
Looking forward to seeing this component in DS. In DWP, our login and identification service allows users to create an account and verifty their identity through HMRC IV. We have done many rounds of user research on our journeys and few users asked why we don't have a mechanism for them to show/hide their password. |
We ran an external accessibility audit for some of the components and patterns in GOV.UK Frontend in May 2023. In that audit, we included an example of the Password component. We’re adding results from that audit here so that we can:
One WCAG AAA issue raisedWhen there's 2+ password fields on a page, the 'show' and 'hide' labels need to be different
More detail in this issue: |
Have been attempting to find some more user research on this component and it is used by the One Login programme in a few places. Making a note of some links here for future refence.
This user research hasn't specifically focussed on the show password component (i.e. users weren't asked directly how they feel about it, although there has been discussion around password managers) but no users mentioned it during research on the pages where it featured. |
Hi, This component should also consider security implications particularly around "spell-jacking" and browser spellcheckers reading passwords. The spellcheck=false should be on the component, but it might also be worth covering implications in any supporting documentation too. |
We’ve started work on this component as part of the WCAG 2.2 work we’re doing. The epic that shows how we’re breaking down the work is here: alphagov/govuk-frontend#4063 |
We've just added some guidance on how to 'share findings about your users' with us 📝. This will help us learn more about how your users show and hide passwords within your service. |
This is similar to MOJ's password reveal component. I'm hoping the MOJ team can share some insights so we can pool those with learnings from GOV.UK Accounts and GOV.UK One Login. |
Just checking in here to see if there is an ETA on this. Also, curious about the feedback on the MOJ's example. Also, since this is a toggle, would be to make sure the confusion described here by Leonie Watson isn't replicated. |
Usefulness of a second password input for confirming a passwordProblems we wanted to solveWhether including a second password field input, also known as a ‘confirm password’ field, is beneficial for users creating a password. What we decidedAfter doing research we decided that having a second field is not helpful for users, particularly on password inputs with show and hide buttons. Our rationaleRetyping a password puts additional cognitive load on a user. They’re required to remember and in some cases input the password in without using the paste function. If the paste function is turned off, this is a fail against WCAG 2.2 success criterion 3.3.8 Accessible Authentication (Minimum). A form builder tool reported that the confirm password field was responsible for over 25% of users that leave a form without completing it. Removing the confirm password field improved completion rates, along with other conversion metrics, with no change in password reset requests. Finally, users can use the password reset function if they are unable to remember their password correctly. Considerations we madeSecurity, recollection and lack of visibility have been the traditionals reasons for having a second password input field. The user might feel more confident by having to type their password twice, as they may be concerned they’ve entered it incorrectly. Users may also use a simpler password in order to assist their recollection and mitigate the chances of them incorrectly entering it. A second password input field can be useful for users to check for mistakes in their password, but only if the user avoids using copy and paste to fill the confirm password field. Users in public settings might not feel comfortable showing their password on the screen, and prefer another method to check the password they’ve entered. However, we felt these scenarios were too specific, especially when there are other things the user can do. If both fields are hidden when entering the password, the user might not know whether they’ve entered the password incorrectly. By allowing users to see their password using the show password input, the user can spot any mistakes and fix them. ResultsWe’d like to establish if our rationale is supported by real life examples, and ask service teams for feedback to see if this is the case. We’re aware that Understanding SC 3.3.8: Accessible Authentication (Minimum) advocates for a show/hide functionality, stating:
However, WCAG does not mention anything on the relationship between having a show and hide functionality along with two password fields. |
Use this issue to discuss this component in the GOV.UK Design System.
Original contribution submission
A 'show password' component. Consists of:
Why
This is a component that has been used successfully on GOV.UK Accounts. The component was created after user research suggested it would be useful, and has since featured in user research sessions. Specifically:
This does not appear to be on the Design System yet and I couldn't see it on the backlog. However showing a password is mentioned on the text input component: https://design-system.service.gov.uk/components/text-input/
Anything else
Current version in use on GOV.UK: https://components.publishing.service.gov.uk/component-guide/show_password
Can't link to the research mentioned above directly but can share on request.
More information about the component: https://technology.blog.gov.uk/2021/04/19/simple-things-are-complicated-making-a-show-password-option/
The text was updated successfully, but these errors were encountered: