Testopius
All posts
2026-06-28·5 min read

10 bugs I always find in signup flows

The same 10 signup bugs show up in every product I audit. Fix these before your first user hits register.

bugsauthchecklist

I've audited over 40 signup flows in the last year. The same bugs come back again and again. Fix these and you'll be ahead of 90% of shipping products.

1. Trimmed email but not password

Users copy-paste their email with a trailing space, then type their password. Signup succeeds. Login fails because the stored email has a space. Fix: trim inputs server-side before comparison.

2. Case-sensitive email

John@example.com and john@example.com create two accounts. Fix: lowercase emails at storage time.

3. Password field doesn't accept paste

Password managers can't fill it. Users give up. Fix: never disable paste on password fields.

4. No feedback while submit is in flight

Users click Register, nothing visibly happens, they click again — two accounts, or a duplicate-email error they don't understand. Fix: disable the button + show a spinner immediately.

5. Server errors surface as "Something went wrong"

Users have no idea if it's their fault (bad password) or yours (server on fire). Fix: map specific errors to specific messages.

6. Email verification link expires but no re-send

User signs up Friday night, opens the email Monday morning, link is dead, no way to get a new one without contacting support. Fix: always show a "Resend verification" option.

7. Password requirements shown only on failure

User types a 6-char password, submits, gets "must be 8+ chars", retypes, gets "must include a number". Fix: show requirements up front, mark them off as they're met.

8. No CAPTCHA / rate limit

Bots create 10,000 accounts before you notice. Fix: invisible CAPTCHA (Cloudflare Turnstile) or rate limit by IP.

9. First-time login redirects to a broken empty state

New user finishes signup, lands on a dashboard with "You have no items" and no clear next action. Fix: design the empty state as a first-time-user tutorial.

10. Logout doesn't clear localStorage / cookies

Next user on shared machine sees the previous user's cached data. Fix: wipe client-side auth state completely on logout.


Want me to check your signup flow? Book a $50 Bug Report Review or a $100 consult.

Need this done for you?

I test web, mobile, and desktop apps for startups. Fixed prices, fast turnaround.

See quick sessions