Do password fields on registration forms need to be masked?

Do registration forms still need to confirm a user's password?

  • OAuth options aside, are users ready for one password field when registering for a site?

  • Answer:

    It's an unnecessary extra step if you use an alternative solution like showing the password in plain text initially, masking each letter after a short duration (e.g. 2 seconds) or once the next letter is typed, like the model used in the iPhone password field. If you're not doing this, then you might want to consider a confirmation box. However, if you have an easy recovery/reset system, then it's typically unnecessary.

Todd Zaki Warfel at Quora

Other answers

Passwords can always be reset. What I've learned is that it's better to have them confirm their email address. As long as that is right, they can get access to their account again.

Tsega Dinka

It is system dependent, and there is no ONE rule to apply to all situations. The most common scenario is for signing up to a low-security free (or free trial) service. For this scenario the ideal user sign-up process should be the following:

  • Registration form (including email & password only once)

  • Confirmation message - "We have sent a confirmation email to: <entered email address>. Please check your email & click the link to confirm your account"

  • User clicks link in email

  • User is directed to the service, logged in automatically with an "Email address confirmed" notification.

Using this process the user's email address is confirmed, and a password has been set. But a fair percentage of users forget which password they used when next logging into a system, so they often use the 'forgot password' feature on the next logged-out session anyway. For these reasons my preference is to just ask for email address & password only once. In the unlikely event a user entered their own email address incorrectly, as the service is free/free-trial a user can just fill in the form again using the correct email address. If they mistyped or forgot the password, they just use a well-designed forgotten password process to reset it. This creates the minimum amount of friction for the vast majority of cases, and allows easy fixes for that low percentage of cases where information was entered incorrectly or forgotten.

Jon Darke
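The confirm-by-link sign-up flow described in the answer above, sketched as an added example (not part of the original answers or of any site's real code): the emailed link carries an HMAC-signed, expiring, single-use token. The in-memory `accounts` store, `SECRET_KEY`, `TOKEN_TTL` and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time

# Assumptions for this sketch: in-memory store, per-deployment key, 24 h link lifetime.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600
accounts = {}  # email -> {"salt", "pw_hash", "confirmed", "nonce"}

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()

def register(email, password):
    """Store the account unconfirmed; return the token to embed in the emailed link."""
    if "|" in email:
        raise ValueError("unsupported character in email")
    if accounts.get(email, {}).get("confirmed"):
        raise ValueError("address already registered")  # never overwrite a live account
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    nonce = secrets.token_urlsafe(16)  # ties the link to this one registration
    accounts[email] = {"salt": salt, "pw_hash": pw_hash,
                       "confirmed": False, "nonce": nonce}
    payload = f"{email}|{nonce}|{int(time.time())}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

def confirm(token, now=None):
    """Return the confirmed email (caller then starts a session), or None if rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body.encode())
        email, nonce, issued = payload.decode().split("|")
        issued_at = int(issued)
    except ValueError:  # malformed token, bad base64, bad UTF-8, bad timestamp
        return None
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None  # forged or altered link
    if now - issued_at > TOKEN_TTL:
        return None  # expired link
    acct = accounts.get(email)
    if acct is None or acct["nonce"] != nonce:
        return None  # already used, or superseded by a newer registration
    acct["confirmed"], acct["nonce"] = True, None  # single use
    return email
```

A mistyped address in this flow simply never gets confirmed, so the user can register again with the correct one, as the answer suggests.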

If you are asking for their email address too (better than asking them to invent a username), they can reset their password in case they mistype it the first time. Since the email field is visible, the chance of mistyping it is less (compared to a hidden password field).

Cemre Güngör

No, they don't. As long as you send an email with login details (including password details) after the registration (and inform the user while you do that), it is perfectly fine with not requiring a password confirmation.

Amol Sood

Personally, I agree with in that having the password confirmation enables the assurance that the user will enter the password they intended. I think it's come to be expected of forms. It's much more important to have a short, concise, and non-intimidating form to ensure the user follows through with registration.

Nate Goss

You can either show them the password (use a normal text field) when they type it or you should confirm the hidden password to make sure it's what they intended to type.

Robert Bousquet

If they type it in wrong and then create an account without knowing what they typed, it will make it so they can't log in. Then you lose the customer. So it is up to you. I always say - "Better to confirm than to lock them out entirely."

Kevin Milden

In most cases, no. Assuming your site provides a simple way to reset the password, this extra step is unnecessary. This is where the answer drifts because it gets more complicated. What site isn't using a 3rd party IDP like Facebook or Twitter for login these days? Requiring a user to enter a site-specific password when they have the option to 1-click login with FB or Twitter will only slow down user adoption in most cases. In almost all cases it's definitely wise to provide an "old skool" account option for those who don't prefer to use those options, but don't slow your users down by giving them a tedious login flow with fields they need to reproduce. I wouldn't expose the password field tho... people are paranoid and are definitely not used to that in a web browser. And, just to be doubly safe that one's email is valid (you get that for free from Facebook, NOT Twitter), consider implementing Open ID check_id_immediate. That way you can skip the validate-via-email step, ensuring resetting the password really will work (and that you have the correct email addie). This is supported by Google and I believe Yahoo, but does require the user have login and authd that way.

Anonymous

If a site as big as Facebook can get away with only asking for the password once, you can too.

Kieran O'Neill
