I fully agree that javascript hack is stupid. I use a password manager myself and that would be a real pain.

But a confirmation field for a password is a good thing. The field is going to be masked by the browser so it's impossible for people to tell if they've made a typo, making the same typo twice in a row is theoretically unlikely. The rest of the fields are (probably) being displayed in plain text so the submitter can check those over himself.

Also, while doing some tracking to see if this all actually does any good is an excellent idea (and your method for doing so looks right), you might want to take care with the email addresses too--unless your logs have the same access controls as your database (which they well might). You could conceivably scrape a log for email addresses if you had access to it, though I don't know if anyone does that.

For email confirmation, the better idea seems to be an interstitial step, after submitting the form, in which the email address is displayed back to the user in large type and they are asked to confirm whether this email address is correct. If not, they get to enter it again. If the email is collected early on in the form and other fields follow, this is a good way to get the user to read their own input with fresh eyes.

For passwords, see Bruce Schneier on The Pros and Cons of Password Masking. On most forms there should simply be a checkbox that unmasks the password when checked. The user can enter their password unmasked or use the checkbox for confirmation.

Either way there is a better solution than making the user type things twice.

—Aristotle Pagaltzis

I doubt that an interstitial step will do much good. People are very good at just hitting the 'go on' button, and they're going to expect the email address that they just entered to be correct so they're unlikely to read it carefully.

Will the result be worse than making them paste it a second time?

—Aristotle Pagaltzis

I don't think the results will be worse than having them paste it a second time, but I also don't think the results will be more than a tiny bit better than skipping the interstitial entirely.

A better approach is to figure out how to let people recover later from making such mistakes. This is hard (and somewhat application specific), so I don't have any good answers.

Yes, some web forms use such anti-confirmation fields (where Javascript code tries to get you really type in something the second time).

But what always works for me to avoid double entering information into such form fields (under X11): Open your favourite text-editor side by side, type in the needed value, mark it and middle-click-paste it into each of the two anti-confirmation web-form fields!

The Javascript code does not seem to be able to distinguish such middle-click-paste from typing it in.

Of course, a web form that asks for email/password should be better designed. What should work better (i.e. would be less annoying and more effective) is a registration process, where you have to enter the email address on the first form page, the page sends a confirmation email in the background while it displays the next form page which you can fill out. At the end it just asks for the confirmation link and gives you a possibility to fix your email in case it was mistyped. Once it is confirmed that the email address is correct the site can handle a mis-typed password like any forgotten one.