by tiffanyh 1394 days ago
On mobile, keyboards typically auto capitalize the first letter of the first word.

So if your password is "password", it will get entered in as "Password" - and the user will get confused why their username/password aren't logging them in.

So a UX pattern is to actually lowercase the first letter on the backend.

4 comments

Both OSes have different keyboard configs for different field types, and at least on Android it most definitely does not capitalize the first letter on a password field. Maybe some third party keyboards do? Even so, my gut says that mangling passwords on the backend is a really bad solution that may come back to bite you in ways you don't expect.
Facebook actually do try flipping the capitalisation of your password (in case you have caps-lock on), and the capitalisation of the first letter (to cover this exact case): https://security.stackexchange.com/questions/68013/facebook-...

While this technically slightly lowers security (they are trying 4 passwords built from the one you typed in), I don't think that's significant, and I imagine it greatly improves user experience.
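An added example, not part of the thread and not Facebook's code: one way to try variants at verification time, as the comment above describes, while the stored hash stays that of the exact password. Which four variants are tried, the function names and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # sample work factor chosen for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the exact string given."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def flip_first(s: str) -> str:
    """Flip the case of the first character only (mobile auto-capitalisation)."""
    return s[:1].swapcase() + s[1:]


def candidates(typed: str) -> list:
    """Variants built from the *typed* input, original first, duplicates dropped.

    Assumed set: as typed, caps-lock inverted, first letter flipped, and both.
    """
    variants = [
        typed,
        typed.swapcase(),
        flip_first(typed),
        flip_first(typed.swapcase()),
    ]
    return list(dict.fromkeys(variants))


def verify(typed: str, salt: bytes, stored: bytes) -> bool:
    """True if any candidate hashes to the stored value.

    The stored hash is never normalised; only the login attempt is varied.
    Every candidate is hashed and compared in constant time, with no early exit.
    """
    ok = False
    for cand in candidates(typed):
        ok |= hmac.compare_digest(hash_password(cand, salt), stored)
    return ok


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = hash_password("hunter2Pass", salt)  # constructed sample password
    for attempt in ("hunter2Pass", "Hunter2Pass", "HUNTER2pASS", "hunter2pass"):
        print(attempt, verify(attempt, salt, stored))
```

Each login attempt costs up to four hash computations here, so any rate limiting should count it as one attempt that tests up to four guesses.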

I think browsers no longer do that when a field is labeled as a password. But there's always someone who still uses an Android 4 phone with Samsung Internet 0.37beta1.
For those living 10 years in the past, a degraded experience is probably par for the course and a fair forcing function to move on.

You have to draw the line somewhere and degrading the majority’s experience for the minority’s benefit is an unusual trade-off.

As far as I can tell, this hasn’t been an issue for over 10 years—at least for Apple devices?

Whatever happened to, “Design for the expert user”?

I'm not sure why people should design for the expert user in cases like this?

I don't understand why this would cause an expert user trouble (it's the loss of a single bit of password security, which shouldn't matter if your password is even reasonably decent).