10 bugs I always find in signup flows
The same 10 signup bugs show up in every product I audit. Fix these before your first user hits register.
I've audited over 40 signup flows in the last year. The same bugs come back again and again. Fix these and you'll be ahead of 90% of shipping products.
1. Trimmed email but not password
Users copy-paste their email with a trailing space, then type their password. Signup succeeds. Login fails because the stored email has a space. Fix: trim inputs server-side before comparison.
2. Case-sensitive email
John@example.com and john@example.com create two accounts. Fix: lowercase emails at storage time.
3. Password field doesn't accept paste
Password managers can't fill it. Users give up. Fix: never disable paste on password fields.
4. No feedback while submit is in flight
Users click Register, nothing visibly happens, they click again — two accounts, or a duplicate-email error they don't understand. Fix: disable the button + show a spinner immediately.
5. Server errors surface as "Something went wrong"
Users have no idea if it's their fault (bad password) or yours (server on fire). Fix: map specific errors to specific messages.
6. Email verification link expires but no re-send
User signs up Friday night, opens the email Monday morning, link is dead, no way to get a new one without contacting support. Fix: always show a "Resend verification" option.
7. Password requirements shown only on failure
User types a 6-char password, submits, gets "must be 8+ chars", retypes, gets "must include a number". Fix: show requirements up front, mark them off as they're met.
8. No CAPTCHA / rate limit
Bots create 10,000 accounts before you notice. Fix: invisible CAPTCHA (Cloudflare Turnstile) or rate limit by IP.
9. First-time login redirects to a broken empty state
New user finishes signup, lands on a dashboard with "You have no items" and no clear next action. Fix: design the empty state as a first-time-user tutorial.
10. Logout doesn't clear localStorage / cookies
Next user on shared machine sees the previous user's cached data. Fix: wipe client-side auth state completely on logout.
Want me to check your signup flow? Book a $50 Bug Report Review or a $100 consult.
Need this done for you?
I test web, mobile, and desktop apps for startups. Fixed prices, fast turnaround.
See quick sessions