Drupal's 'Change Password' Problem: What We Can Learn from the Web's Top Sites

Aaron Bauman
Behind the Scenes

Why is it so hard for users to reset their passwords in Drupal? Inspired by a discussion on drupal.org, we took a quick survey of how Alexa's top sites* handle account management, especially around changing passwords.

(Spoiler alert: no one does it like Drupal.)

Account management in Drupal

Before we look at the other services, let's review the default UX for changing a user's password in Drupal.

Some problems:

  • There are a total of 3 password fields on the form, separated by Email address and Username fields.
  • If a user wants to change their password, they must fill out all 3 of these fields, none of which are marked as required with the standard asterisk.
  • If a user wants to change their email address, they must fill out only the "current password" field.
  • If a user wants to change their username, they don't need to enter any password.
  • If you read very closely, all of this is explained in the input field description elements.
  • Lastly, if any other field on this form doesn't pass validation, the user must re-enter as many as 3 passwords each time they try to submit the form.

What the web's top sites do

If we're going to have a conversation about usability, a good place to start is by looking at the companies that employ the foremost usability experts in the world.

Google: Alexa #1 (and #2 Youtube, and #7 Google India, and #10 Google Japan)

Changing the password on a Google account takes anywhere from 2 to 6 screens, depending on one's entry point. I started from Gmail:

  • Step 1, go to "My Account"
  • Step 2, click through to "Sign-in & security"
  • Step 3, click through again to "Password"
  • Step 4, re-enter existing password
  • Finally, on step 5, you can enter your new password (and confirm)

Facebook: Alexa #3

Facebook's password management is more streamlined, but it similarly offers a standalone form that changes the password and only the password.

  • Step 1, go to "Settings"
  • Step 2, click "edit" next to password container
  • Step 3, enter current password, new password, and confirm

Wikipedia: Alexa #5

  • Step 1, go to "Preferences" and step 2, go to "Change password"
  • Step 3, re-enter current password
  • Step 4, enter new password and confirm

Yahoo: Alexa #6

(Yes, I was surprised to see it still in the top 10 too.) Yahoo follows essentially the same pattern as the preceding sites, except that it doesn't ask the user to re-confirm their existing password.

  • Step 1, go to "Account info"
  • Step 2, go to "Account security"
  • Step 3, go to "change password"
  • Step 4, enter new password and confirm

Amazon: Alexa #8

The takeaway: offer a dedicated 'change password' form

Of the 10 platforms surveyed, every single one offers a dedicated form for changing one's account password.

Each service uses its own nomenclature and provides different navigation paths to reach the password form, but none of them combine the password fields with any other forms.

Another takeaway for Message Agency is that we shouldn't hold our breath on the 5+ year old drupal.org issue.

We've always deployed our own in-house solution for our clients to work around this usability constraint, and the Drupal contrib space offers no shortage of solutions. In the meantime, we'll continue to work towards improving Drupal core's password management.


* I skipped #5 Baidu (baidu.com) and #9 Tencent QQ (qq.com) because I don't have a Chinese phone number with which to create an account.
