| UI or UX | UI + UX - New authentication secret selection flow | UI + UX - Authentication secret entry control | UI + UX - Field-level validation feedback | UI + UX - Form recovery summary |
| UI guidance | Render password creation as a labelled new-password field with visible policy guidance, generator and paste compatibility, show and hide control, field-level rejection reasons, and a confirmation state that never displays the accepted secret later. | Render password entry as a labelled password field that is hidden by default, uses the correct autocomplete purpose, offers a clear show and hide control, disables spellcheck and automatic capitalization, and keeps helper and error text connected to the input. | Render a labeled field with hint text, field-adjacent error text, invalid styling, preserved value, and corrected state. | Render a top-of-form summary block with heading, linked error list, and matching field-level error messages. |
| UX guidance | Use password creation when a user is choosing a new reusable secret during registration, password reset, first-time setup, or password change. | Use password input when a user enters an existing secret to sign in, reauthenticate, unlock a protected action, or confirm account ownership. | Help users correct a specific field without losing or re-entering the value they already typed. | Help users recover from one or more submitted-form errors without scanning the entire page. |
| Good UI | A signup form labels the field New password, uses autocomplete new-password, allows password-manager generation, says Use at least 15 characters or a generated password, and rejects Password123 because it is commonly used. | A sign-in form has Email and Password fields, the password field uses autocomplete current-password, a Show button, no spellcheck, and an account-details error after failed login. | Error text appears next to the field with readable spacing, persistent label, hint text, and the invalid value still visible. | Top-of-form summary with a clear heading, linked error list, and matching inline field messages. |
| Bad UI | A form requires one uppercase letter, one lowercase letter, one number, one symbol, no spaces, and a 12-character maximum while still accepting Summer2026! | A login form uses a normal text field named Password and leaves the secret visible on screen. | Only a red border with no message. | Red banner saying fix errors with no links. |
| Good UX | A user accepts a password-manager suggestion, pastes it into the field, sees that it meets length and is not in the blocked list, and continues without retyping it. | A user pastes a generated password from a password manager, toggles Show to inspect one character, hides it again, and signs in without the value appearing later in review or history. | Validation appears after blur or submit when it helps correction. | After failed submit, focus or reading order makes the summary discoverable before users scan the form. |
| Bad UX | A user enters a strong generated password but the site silently cuts it at 16 characters, so the saved password does not match the password manager. | A user cannot paste from a password manager and shortens the password to something easier to type. | Showing errors before users type. | Only showing errors below the fold. |
| Best fit | The user is creating an account with a reusable password. | The user needs to enter an existing password, passphrase, or PIN-like memorized secret. | A single field has a specific correctable problem. | Form submission can produce one or more errors. |
| Avoid when | The user is only entering an existing password to sign in or reauthenticate. | The value is not a secret, such as a name, email address, account number, search query, reference, or ordinary note. | The main recovery task is finding several errors across a submitted page. | A single local field issue can be corrected before submit without page-level orientation. |
| Required state | Initial new-password state with purpose, autocomplete new-password, minimum length, paste support, show and hide control, and no character-class checklist. | Initial hidden state with label, autocomplete purpose, spellcheck off, autocapitalization off, and show control. | Neutral field with label, hint, and no error. | Neutral form before submit with no summary. |
| Accessibility burden | Use a visible label that says New password or Create a password rather than only Password when the user is choosing a new value. | Use a visible label that names the password purpose, such as Password or Current password. | Expose invalid state on the input and connect error text to the field description where possible. | Use a heading and alert behavior that makes the summary discoverable. |
| Common misuse | Using uppercase, lowercase, number, and symbol checklists as the main security signal. | Using type text for passwords. | Showing field errors before users have interacted with the control. | Showing a red banner or toast with no links to the invalid answers. |