By default, the password field is like ordinary textarea. Checking the “Hide my password text—I’m being watched!” checkbox below the password field will make it to become 2 password type field. I like this approach and might use this for my next web applications.

And I’m agree about OpenID usage. I like stackoverflow.com approach. Don’t make user create another username and password to remembered if you don’t have to. Many twitter client application also use twitter’s oAuth for authentication.

Seems that yes, the confirm password field is annoying and not so important for ‘tech savvy’ users (which probably includes everyone that commented). On the other hand, for the non-tech savvy users it gives them assurance and also cuts down mistakes, based on several of your experiences.

Does it depend on your target market then? Let’s say a web app aimed at ‘techies’ or as Sean mentioned those with passwords who ‘can enter blindfolded with both hands tied behind your back’ could do without confirmation but more general apps towards all users should have confirm passwords?

Open ID and other SSO solutions are getting more popular and are potentially the best solution going forward, skipping sign up completely.

Do you think there is some sort of form encoding with a password input form element? As far as the HTTP request being sent, the password and text input types are absolutely identical. Also, as for the browser remembering entered passwords, there are HTML 5 attributes that prevent autocomplete from working that all browsers with that functionality from saving that value. No security hole there either.

That said, even though Jakob Nielsen has suggested it as the best practice to move towards (and I agree completely), there is the user trust factor to take into account. This is why when I convince my clients to go this route, part of the design includes a small link next to the password textbox that states something along the lines of “why is my password shown in plain text?” which pops up a small inline box explaining why it is this way and how there is no security problem while doing so. It is also important to follow Nielsen’s recommendation completely here, which is to include a checkbox to “hide my typing”, which converts the characters to the discs (or anything else, really). With this mechanism, you can even easily do what someone above suggested, which is to mimic what the iPhone does.

What is the best route to take if designing/developing a sign up form?

…

Yes, for the technically savvy, that 5 seconds of repeating a password which you probably can enter blindfolded with both hands tied behind your back may be a nuisance.

But for those who are not you, the confirm password field helps ensure that your users are not making a critical mistake that will immediately prevent them from using your website.

So, 5 seconds of extra typing, or users leaving your website because they cannot get signed in…which is the better end result?