Forms
Passwords
Use a password entry field when asking users to create an account or log in.
How to ask users to enter a password
Labelling
Label the field ‘Password’. Clearly outline the password constraints so users know them before they enter a password, and not just when an error occurs.
Forgotten passwords
You should help users who have forgotten their password. Because of stricter password constraints, passwords that are hard to guess can also be hard to remember.
When helping users who’ve forgotten their password, you should:
Send them a link or code to trigger a password reset.
Avoid password reset questions.
Avoid password reminders.
Don’t
Have overly complex password constraints. Users may forget their password if it’s too complicated.
Disable paste on password fields. People may have very good reasons why they want to paste their password, for example if they’re using a password manager.
Set a maximum password length.
Allow commonly used passwords.
Have password reset questions.
Have password reminders.
Error states
Example of error state
Please enter a password (If left empty)
Please enter a valid password (If password does not meet requirements)
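The "Don't" list and the error states above can be combined into one client-side check. This is an added example, not code from this design system; the minimum length of 8, the small deny list and the names validatePassword, constraintHint and attach are assumptions made for illustration.

```javascript
// Added example. Policy values are assumptions: the page does not state them.
const MIN_LENGTH = 8;
// Constructed sample; a real deployment would load a full common-password list.
const COMMON_PASSWORDS = new Set(["password", "12345678", "qwertyuiop", "letmein123"]);

// Error messages exactly as given under "Error states".
const ERROR_EMPTY = "Please enter a password";
const ERROR_INVALID = "Please enter a valid password";

// Constraint text shown with the label before the user types anything.
function constraintHint() {
  return `Must be at least ${MIN_LENGTH} characters and not a commonly used password.`;
}

// Returns null when the password is acceptable, otherwise the error message.
function validatePassword(value) {
  if (typeof value !== "string" || value.length === 0) return ERROR_EMPTY;
  // Count code points so a surrogate-pair character such as an emoji counts once.
  const length = Array.from(value).length;
  if (length < MIN_LENGTH) return ERROR_INVALID;
  // Deliberately no upper bound: long passphrases and generated passwords pass.
  // Normalise before the deny-list lookup so "PASSWORD" and full-width forms match.
  const normalised = value.normalize("NFKC").toLowerCase();
  if (COMMON_PASSWORDS.has(normalised)) return ERROR_INVALID;
  return null;
}

// Browser wiring. No paste handler is registered and no maxlength is set,
// so password managers and long passphrases keep working.
function attach(input, hintEl, errorEl) {
  hintEl.textContent = constraintHint();
  input.setAttribute("aria-describedby", hintEl.id);
  input.addEventListener("blur", () => {
    const error = validatePassword(input.value);
    errorEl.textContent = error || "";
    input.setAttribute("aria-invalid", error ? "true" : "false");
  });
}
```

The same check has to run again on the server, because a client-side check can be bypassed.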
Further detail
There is a more detailed breakdown of best practice for password entry on the GOV.UK Design System website.
There is also further information on the UK's National Cyber Security Centre website.