During account ‘sign up’, a misspelled password is annoying, whereas a misspelled e-mail address is hazardous.
More and more sites use people’s e-mail address as their “username” too when requiring authentication. This makes a lot of sense: e-mails are unique, you often need it anyways, people have an easier time remembering their e-mail than an arbitrary username, etc.
However, on most of those sign-up forms, I’ve noticed a very peculiar tendency – to the point where it is almost a standard – people are asked to confirm their password but not their e-mail address. To this day this still baffles me – surely getting the e-mail correct is more important than getting the password correct. After all, people can always use the “Forgot password?” feature if they misspelled their password – annoying for sure, but hardly a complete deal breaker to anyone serious about the service.
Imagine for a second that a user misspelled his e-mail during sign up. How can support look up the account if they don’t have the correct e-mail address? And even if they somehow manage to find the misspelled e-mail address, how they can be sure it was misspelled and not just someone else with a very similar e-mail address? In this case letting the user back in will require a lot of work from support to in fact verify ownership of the account.
Of course one of the reasons you often ask for password confirmation is because the input is masked with dots so misspelling it is easy. There are of course many ways to get around this problem (e.g. letting people unmask their password), and I’m not even saying that password confirmation is a bad idea. However, getting the user’s e-mail address is still more important since getting it wrong could potentially cut the user off from his account entirely.
In other words, why would anyone ask people to confirm their password but not their e-mail address? If you want anything confirmed, start with the e-mail. Also want the password confirmed? Fine, although that is a lot of re-typing.
A misspelled password is annoying. A misspelled e-mail address is hazardous.