Drupal's 'Change Password' Problem: What We Can Learn from the Web's Top Sites

Image of a door with a sign reading: Restricted area, Authorized Persons Only

Why is it so hard for users to change their passwords in Drupal? Inspired by a discussion on drupal.org, we took a quick survey of how Alexa's top sites* handle account management, especially changing passwords.

(Spoiler alert: no one does it like Drupal.)

Account management in Drupal

Before we look at the other services, let's review the default UX for changing a user's password in Drupal. There is no dedicated form: the password is changed on the general account edit form (at /user/{uid}/edit), alongside the email address and username.

Some problems:

  • There are three password fields on the form (Current password, Password, Confirm password), and the first is separated from the other two by the Email address and Username fields.
  • To change the password, a user must fill in all three, yet none of them carries the standard "required" asterisk.
  • To change the email address, the user must fill in only the "current password" field.
  • To change the username, no password is needed at all.
  • All of this is explained, if you read very closely, in the description text under each field.
  • Lastly, if any other field on the form fails validation, the password fields come back empty (they are never repopulated on a rebuilt form), so the user must re-enter up to three passwords on every attempt to submit.

What the web's top sites do

If we're going to have a conversation about usability, a good place to start is with the companies that employ the foremost usability experts in the world.

Google: Alexa #1 (and #2 YouTube, #7 Google India, and #10 Google Japan)

Changing a password on one's Google account takes anywhere from 2 to 6 screens, depending on one's entry point. I started from Gmail:

  • Step 1, go to "My Account".
  • Step 2, click through to "Sign-in & security".
  • Step 3, click through again to "Password".
  • Step 4, re-enter the existing password.
  • Finally, on step 5, enter the new password (and confirm it).

Facebook: Alexa #3

Facebook's password management is more streamlined, but similarly offers a standalone form to change the password and only the password.

  • Step 1, go to "Settings".
  • Step 2, click "edit" next to the password row.
  • Step 3, enter the current password, the new password, and the confirmation.

Wikipedia: Alexa #5

  • Step 1, go to "Preferences", and step 2, go to "Change password".
  • Step 3, re-enter the current password.
  • Step 4, enter the new password and confirm it.

Yahoo: Alexa #6

(Yes, I was surprised to see it still in the top 10 too.) Yahoo follows essentially the same pattern as the preceding sites, except that it doesn't ask for the existing password. That is the one step a security engineer would not drop: without re-authentication, anyone who gets hold of a live session (an unattended machine, a stolen cookie) can set a new password and lock the real owner out.

  • Step 1, go to "Account info".
  • Step 2, go to "Account security".
  • Step 3, go to "Change password".
  • Step 4, enter the new password and confirm it.

Amazon: Alexa #8

The takeaway: offer a dedicated 'change password' form

Of the top-10 sites we were able to survey (all but the two we could not sign up for), every single one offers a dedicated form for changing one's account password.

Each service uses its own nomenclature and provides different navigation paths to reach the password form, but none of them combine the password fields with any other forms.
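What that dedicated form looks like in Drupal, as an added example that is not code from the original post or from Drupal core: a small custom module (hypothetical name dedicated_password, Drupal 8+ Form API assumed) that exposes a stand-alone form with exactly three fields, marks them all required, re-authenticates with the current password before accepting a change, and saves through the user entity so core's own password hashing and save hooks still run.

```php
<?php
// Added example (not from the original post or Drupal core).
// Module name "dedicated_password" and the route path are assumptions.
//
// dedicated_password.routing.yml would declare the route:
//
// dedicated_password.change:
//   path: '/user/change-password'
//   defaults:
//     _form: '\Drupal\dedicated_password\Form\ChangePasswordForm'
//     _title: 'Change password'
//   requirements:
//     _user_is_logged_in: 'TRUE'

namespace Drupal\dedicated_password\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\user\Entity\User;

/**
 * A form that changes the password and nothing else.
 */
class ChangePasswordForm extends FormBase {

  public function getFormId() {
    return 'dedicated_password_change_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    // Every field is required and carries the standard asterisk.
    $form['current_pass'] = [
      '#type' => 'password',
      '#title' => $this->t('Current password'),
      '#required' => TRUE,
    ];
    // password_confirm renders "Password" + "Confirm password" and
    // already validates that the two entries match.
    $form['pass'] = [
      '#type' => 'password_confirm',
      '#required' => TRUE,
    ];
    $form['actions']['#type'] = 'actions';
    $form['actions']['submit'] = [
      '#type' => 'submit',
      '#value' => $this->t('Change password'),
    ];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    $account = User::load($this->currentUser()->id());
    // Re-authenticate: a live session is not proof that the person at the
    // keyboard is the account owner. Compare against the stored hash with
    // core's password service rather than re-implementing hashing.
    $current = $form_state->getValue('current_pass');
    if (!\Drupal::service('password')->check($current, $account->getPassword())) {
      $form_state->setErrorByName('current_pass', $this->t('The current password is incorrect.'));
      return;
    }
    if ($form_state->getValue('pass') === $current) {
      $form_state->setErrorByName('pass', $this->t('The new password must differ from the current one.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    $account = User::load($this->currentUser()->id());
    // setPassword() takes the plaintext; the entity hashes it on save.
    $account->setPassword($form_state->getValue('pass'));
    $account->save();
    $this->messenger()->addStatus($this->t('Your password has been changed.'));
    $form_state->setRedirect('entity.user.canonical', ['user' => $account->id()]);
  }

}
```

Because the form contains only password fields, a validation failure costs the user at most one re-entry of the three values instead of a round trip through the whole account form, and because the email and username fields are not on it, the question of which of them needs the current password never arises here. Saving through the entity API rather than writing to the user table directly keeps whatever core does on a password change (hooks, session handling) intact.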

Another takeaway for Message Agency is that we shouldn't hold our breath on the 5+ year old drupal.org issue.

We've always deployed our own in-house solution for our clients to work around this usability constraint, and the Drupal contrib space offers no shortage of solutions. In the meantime, we'll continue to work towards improving Drupal core's password management.


* I skipped #5 Baidu (baidu.com) and #9 Tencent QQ (qq.com) because I don't have a Chinese phone number with which to create an account.