Not a bug  Password when creating new acct

On the log in page I clicked Create New and entered my email address but the password box was unavailable. I changed the radio button back to existing account and the password box became available. So, I entered my password and then changed it to Create New and it accepted both the username and the password.

I was using FireFox 3.X


Active member
so you're saying the password should be cleared on submit when creating a new user account.

the rest of what you described I would expect as normal behavior.


Well-known member
When you say "login page" are you referring to the login area that appears at the top of the screen, or the actual registration page?
I didn't see a registration page.

I saw a login with username and password box. Between them were two radio buttons. One said Create New Acct (or similar) the other said "Existing Account" (or similar). It seemed obvious that I could put in a username and password and click "Create New Acct" to register. But when the "Create New Acct" radio button was checked I could enter a username but not a password.

By clicking "Existing Acct" I could fill in both a username AND a password -- and then click Create New Acct and when submitted that registered my new acct.

It seems, that "Create New Acct" should either take me to a dedicated registration screen, OR it should let me pick a username and a password to begin the registration process.

Maybe, it shouldn't have worked at all -- but it worked in a totally unexpected way.


Well-known member
The intended behavior is that you enter a username, check the "Create New Account" radio button, and then click Sign Up without entering a password. You'll then be taken to a new registration page:

It seems like you've found a hole whereby you can create a new account directly from the login form by doing some trickery with the radio buttons and password field. In other words, it should not have registered a new account for you. :)

I would actually classify this as a semi-serious security hole that needs to be fixed ASAP, as it allows anyone to register accounts without any email address entered, DOB, or any sort of anti-spam measures.


Well-known member
I don't think it would/could actually create an account directly from there...
I don't think it could either, but that's what it sounds like from the OP's description, although I could have misinterpreted. At the very least I would test it out. :)

EDIT: I can confirm, I just tested this (tried to create a new account), and it does not work as the OP described. It just brings me to the new registration page as expected. So, doesn't look like there's a bug at all. :)


XenForo developer
Staff member
I think he may have just been confused by the interface, thinking that the password had to be specified as well, while the password is actually depending on having an existing account.
I sure "think" I created an account there -- but probably all it did was take me to the Create account page and I thought it was a second part of the process.

Either way -- it wasn't 100% clear. It would be better to have a create account submit type button, rather than have it be part of the Login like that.