
Engineering Research Spike: Account Creation form validation logic
Closed, Resolved · Public · Spike

Description

Objective

Document the existing validation logic used in the Account Creation form, with a focus on username validation, password validation, and related error messages. This documentation will support Growth team design work by clarifying the constraints and behaviors that shape current form UI and UX.

Problem Statement

Without a consolidated view of this logic, it is challenging to design and iterate on form improvements that are technically feasible and consistent with current system behavior.

Scope

This spike focuses on documenting existing behavior to inform design and engineering alignment.
In scope:

  • Username validation rules, including format, length, character restrictions, and availability checks
  • Password validation rules, including strength requirements and disallowed patterns
  • Validation related error messages and the conditions under which they are triggered
  • Where validation is enforced, such as client side, server side, or API level

Goals:

  • Product, designers and engineers share a clear understanding of current validation behavior and constraints
  • Growth team design work can reference this documentation to avoid proposing infeasible or inconsistent UI changes

Acceptance Criteria:
  • A document (or comment in this task) describing current validation rules and enforcement points
  • An inventory of validation related error messages
  • If time allows, a summary of constraints and implications for future form UI and UX improvements

Time boxed engineering investigation:

Event Timeline

Restricted Application changed the subtype of this task from "Task" to "Spike". · Jan 9 2026, 10:58 PM
KStoller-WMF moved this task from Inbox to Needs Estimation on the Growth-Team board.

A first overview is below. I think I remember that AbuseFilter is also checking the usernames, but I have to look more into that.

Username

If username is already in use (🛑 error):

Username entered already in use. Please choose a different name.

If starting with a lowercase letter (⚠️ warning):

Your username will be adjusted to "<username with first letter uppercase>" due to technical restrictions.

If the username is too long (and probably some other reasons) (🛑 error):

You have not specified a valid username.

Password

If password is too short (🛑 error):

Passwords must be at least 8 characters.

If password is too long (🛑 error):

Passwords cannot be longer than 4096 characters.

If password is the username (🛑 error):

Your password must not appear within your username.

If password is too common (🛑 error):

The password entered is in a list of very commonly used passwords. Please choose a more unique password.

Confirm password

If the passwords do not match (🛑 error):

The passwords you entered do not match.

Email

If the email is not valid (🛑 error):

The email address cannot be accepted as it appears to have an invalid format.
Please enter a well-formatted address or empty that field.

If email is too long (🛑 error):

Your email address should have at most 255 characters.

As soon as the email field receives focus and when something is entered (⚠️ warning):

Please look for an email from us to verify your address.
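The password rules listed in the overview above, modelled as a server-side check. This is an added example, not MediaWiki code and not part of the original comment; the check order, the case-insensitive comparison, the small common-password set and counting length in characters are assumptions, and the username rule is treated as a substring test, following the wording of its message.

```python
# Added example: models the password rules listed above. Not MediaWiki code.
MIN_LEN = 8      # "Passwords must be at least 8 characters."
MAX_LEN = 4096   # "Passwords cannot be longer than 4096 characters."

# Constructed stand-in for the common-password list (assumption).
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "iloveyou1"}

MESSAGES = {
    "too_short": "Passwords must be at least 8 characters.",
    "too_long": "Passwords cannot be longer than 4096 characters.",
    "in_username": "Your password must not appear within your username.",
    "common": "The password entered is in a list of very commonly used "
              "passwords. Please choose a more unique password.",
    "mismatch": "The passwords you entered do not match.",
}


def normalize_username(name: str) -> str:
    """Uppercase the first letter, as the username warning describes."""
    name = name.strip()
    return name[:1].upper() + name[1:]


def password_errors(username: str, password: str, retype: str) -> list[str]:
    """Return the key of every rule the input violates (order is an assumption)."""
    errors = []
    if len(password) < MIN_LEN:
        errors.append("too_short")
    if len(password) > MAX_LEN:
        errors.append("too_long")
    # Substring test, per the message wording; case-insensitive by assumption.
    if password and password.casefold() in normalize_username(username).casefold():
        errors.append("in_username")
    if password.casefold() in COMMON_PASSWORDS:
        errors.append("common")
    if password != retype:
        errors.append("mismatch")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in [("alexander2026", "Alexander"), ("Example", "password"),
                     ("Example", "short"), ("Example", "c0rrect-horse-battery")]:
        keys = password_errors(user, pw, pw)
        print(user, repr(pw), [MESSAGES[k] for k in keys] or "accepted")
```

Running the same function on the server regardless of what the form checked in the browser keeps the two enforcement points from drifting apart.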

curious about the rationale here.. why not simply say that is not available?

simulator_screenshot_8DA13634-C6C4-4A76-8F75-372A91A44C2B.png (2×1 px, 510 KB)

> curious about the rationale here.. why not simply say that is not available?
>
> simulator_screenshot_8DA13634-C6C4-4A76-8F75-372A91A44C2B.png (2×1 px, 510 KB)

Interesting, I was not aware of this one. I guess this is to prevent the user from frustratingly trying too many similar usernames because they do not know why it is not available.

Also, I finally have a screenshot from the error that comes from AbuseFilter:

image.png (183×487 px, 15 KB)

That is the last of the errors that I'm aware of. I'm moving this to review, maybe others know about more warnings and errors on Special:CreateAccount for logged out users.

> Also, I finally have a screenshot from the error that comes from AbuseFilter:
>
> image.png (183×487 px, 15 KB)

That is from TitleBlacklist, not AbuseFilter.

>> Also, I finally have a screenshot from the error that comes from AbuseFilter:
>>
>> image.png (183×487 px, 15 KB)
>
> That is from TitleBlacklist, not AbuseFilter.

Yes, you're right. I stand corrected. I tend to conflate those two.

Also there are several other messages that occurred in, arguably, edge cases of account creation:
(1) when a logged user creates a new account via Special:CreateAccount page

Screenshot 2026-04-02 at 10.54.45 AM.png (1×682 px, 167 KB)

(2) when a logged user creates a new account via Special:CreateLocalAccount page

Screenshot 2026-04-10 at 5.04.30 PM.png (1×2 px, 171 KB)

(3) with some light url manipulation from Special:CreateAccount, it's possible to get to the following pages:

Screenshot 2026-04-01 at 11.43.55 AM.png (1×762 px, 123 KB)
Screenshot 2026-04-01 at 6.56.27 PM.png (1×852 px, 144 KB)

(4) https://en.wikipedia.org/wiki/Wikipedia:Username_policy - "You have not specified a valid user name." message is displayed.

Screenshot 2026-04-10 at 5.15.40 PM.png (914×982 px, 109 KB)