
1/26/2015

The God Login


programming and human factors



Coding Horror has been continuously published since 2004

09 Jan 2015

The God Login

I graduated with a Computer Science minor from the University of Virginia in 1992. The reason it's a minor and not a major is because to major in CS at UVa you had to go through the Engineering School, and I was absolutely not cut out for that kind of hardcore math and physics, to put it mildly. The beauty of a minor was that I could cherry pick all the cool CS classes and skip everything else.

One of my favorite classes, the one I remember the most, was Algorithms. I always told people my Algorithms class was the one part of my college education that influenced me most as a programmer. I wasn't sure exactly why, but a few years ago I had a hunch so I looked up a certain CV and realized that Randy Pausch – yes, the Last Lecture Randy Pausch – taught that class. The timing is perfect: University of Virginia, Fall 1991, CS461 Analysis of Algorithms, 50 students. I was one of them.

Copyright Jeff Atwood © 2015. Logo image © 1993 Steven C. McConnell. Proudly published with Ghost.



No wonder I was so impressed. Pausch was an incredible, charismatic teacher, a testament to the old adage that you should choose your teacher first and the class material second, if you bother to at all. It's so true.

In this case, the combination of great teacher and great topic was extra potent, as algorithms are central to what programmers do. Not that we invent new algorithms, but we need to understand the code that's out there, grok why it tends to be fast or slow due to the tradeoffs chosen, and choose the correct algorithms for what we're doing. That's essential.

And one of the coolest things Mr. Pausch ever taught me was to ask this question:

What's the God algorithm for this?

Well, when sorting a list, obviously God wouldn't bother with a stupid Bubble Sort or Quick Sort or Shell Sort like us mere mortals, God would just immediately place the items in the correct order. Bam. One step. The ultimate lower bound on computation, O(1). Not just fixed time, either, but literally one instantaneous step, because you're freakin' God.


This kind of blew my mind at the time.

I always suspected that programmers became programmers because they got to play God with the little universe boxes on their desks. Randy Pausch took that conceit and turned it into a really useful way of setting boundaries and asking yourself hard questions about what you're doing and why.

So when we set out to build a login dialog for Discourse, I went back to what I learned in my Algorithms class and asked myself:

How would God build this login dialog?

And the answer is, of course, God wouldn't bother to build a login dialog at all. Every user would already be logged into GodApp the second they loaded the page because God knows who they are. Authoritatively, even.

This is obviously impossible for us, because God isn't one of our investors.


But... how close can we get to the perfect godlike login experience in Discourse? That's a noble and worthy goal.

Wasn't it Bill Gates who once asked why the hell every programmer was writing the same File Open dialogs over and over? It sure feels that way for login dialogs. I've been saying for a long time that the best login is no login at all and I'm a staunch supporter of logging in with your Internet Driver's license whenever possible. So we absolutely support that, if you've configured it.

But today I want to focus on the core, basic login experience: user and password. That's the default until you configure up the other methods of login.

A login form with two fields, two buttons, and a link on it seems simple, right? Bog standard. It is, until you consider all the ways the simple act of logging in with those two fields can go wrong for the user. Let's think.


Let the user enter an email to log in

The critical fault of OpenID, as much as I liked it as an early login solution, was its assumption that users could accept a URL as their "identity". This is flat out crazy, and in the long run this central flawed assumption in OpenID broke it as a future standard.

User identity is always email, plain and simple. What happens when you forget your password? You get an email, right? Thus, email is your identity. Some people even propose using email as the only login method.


It's fine to have a username, of course, but always let users log in with either their username or their email address. Because I can tell you with 100% certainty that when those users forget their password, and they will, all the time, they'll need that email anyway to get a password reset. Email and password are strongly related concepts and they belong together. Always!

(And a fie upon services that don't allow me to use my email as a username or login. I'm looking at you, Comixology.)

Tell the user when their email doesn't exist

OK, so we know that email is de-facto identity for most people, and this is a logical and necessary state of affairs. But which of my 10 email addresses did I use to log into your site?

This was the source of a long discussion at Discourse about whether it made sense to reveal to the user, when they enter an email address in the "forgot password" form, whether we have that email address on file. On many websites, here's the sort of message you'll see after entering an email address in the forgot password form:

If an account matches name@example.com, you should receive an email with instructions on how to reset your password shortly.

We're deadly serious about picking safe defaults for Discourse, so out of the box you won't get exploited or abused or overrun with spammers. But after experiencing the real world "which email did we use here again?" login state on dozens of Discourse instances ourselves, we realized that, in this specific case, being user friendly is way more important than being secure.


The new default is to let people know when they've entered an email we don't recognize in the forgot password form. This will save their sanity, and yours. You can turn on the extra security of being coy about this, if you need it, via a site setting.
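The two behaviours described above, the user-friendly default and the "coy" site setting, side by side as an added example. This is not Discourse's code: the user table, the setting name `hide_email_existence` and the message wording are assumptions made for the illustration, and the reset token is returned from the function only so the behaviour can be checked offline (a real application sends it by email and never puts it in the HTTP response).

```ruby
require 'securerandom'

# Constructed in-memory "user table" for this example (not Discourse's schema).
USERS = {
  'alice@example.com' => { username: 'alice' },
  'bob@example.com'   => { username: 'bob' },
}.freeze

# Find an account by either username or email address, case-insensitively,
# so users can log in (and recover) with whichever one they remember.
def find_account(login)
  key = login.to_s.strip.downcase
  USERS.each do |email, attrs|
    return attrs.merge(email: email) if email == key || attrs[:username] == key
  end
  nil
end

# Handle a forgot-password request.
#   hide_email_existence: false -> the user-friendly default: say when the
#                                  address is not one we recognise
#   hide_email_existence: true  -> the "coy" setting: identical text either way
# Returns [message, reset_token_or_nil].
def forgot_password(email, hide_email_existence: false)
  account = find_account(email)
  token = account ? SecureRandom.hex(16) : nil

  message =
    if hide_email_existence
      # Same sentence whether or not the address is on file, so the response
      # does not confirm which addresses have accounts.
      "If an account matches #{email}, you should receive an email with " \
        "instructions on how to reset your password shortly."
    elsif account
      "We sent password reset instructions to #{email}."
    else
      "No account matches #{email}. Did you sign up with a different address?"
    end

  [message, token]
end
```

When the coy setting is on, the response text is only half the story: the handler should also take roughly the same time for known and unknown addresses, otherwise the timing of the reply still reveals which accounts exist.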

Let the user switch between Log In and Sign Up any time

Many websites have started to show login and signup buttons side by side. This perplexed me; aren't the acts of logging in and signing up very different things?

Well, from the user's perspective, they don't appear to be. This Verge login dialog illustrates just how close the sign up and log in forms really are. Check out this animated GIF of it in action.


We've acknowledged that similarity by having either form accessible at any time from the two buttons at the bottom of the form, as a toggle:


And both can be kicked off directly from any page via the Sign Up and Log In buttons at the top right:


Pick common words

That's the problem with language, we have so many words for these concepts:

  • Sign In

  • Log In

  • Sign Up

  • Register

  • Join <site>

  • Create Account

  • Get Started

  • Subscribe

Which are the "right" ones? User research data isn't conclusive. I tend to favor the shorter versions when possible, mostly because I'm a fan of the whole brevity thing, but there are valid cases to be made for each depending on the circumstances and user preferences.


Sign In may be slightly more common, though Log In has some nautical and historical computing basis that makes it worthy:

A couple of years ago I did a survey of top websites in the US and UK and whether they used “sign in”, “log in”, “login”, “log on”, or some other variant. The answer at the time seemed to be that if you combined “log in” and “login”, it exceeded “sign in”, but not by much. I’ve also noticed that the trend toward “sign in” is increasing, especially with the most popular services. Facebook seems to be a “log in” hold-out.


Work with browser password managers

Every login dialog you create should be tested to work with the default password managers in

  • Internet Explorer

  • Chrome

  • Firefox

  • Safari

At an absolute minimum. Upon subsequent logins in that browser, you should see the username and password automatically autofilled.

Users rely on these default password managers built into the browsers they use, and any proper modern login form should respect that, and be designed sensibly, e.g. the password field should have type="password" in the HTML and a name that's readily identifiable as a password entry field.

There's also LastPass and so forth, but I generally assume if the login dialog works with the built in browser password managers, it will work with third party utilities, too.

Handle common user mistakes

Oops, the user is typing their password with caps lock on? You should let them know about that.


Oops, the user entered their email as name@gmal.com instead of name@gmail.com? Or name@hotmail.cm instead of name@hotmail.com? You should either fix typos in common email domains for them, or let them know about that.
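One way to catch the name@gmal.com and name@hotmail.cm typos above, as an added example rather than Discourse's own code: compare the domain the user typed against a short list of common mail domains by edit distance and offer the nearest one as a suggestion. The domain list, the distance threshold and the function names are assumptions for this illustration; a real site would build the list from its own signup statistics.

```ruby
# Constructed list of common mail domains for the example.
COMMON_DOMAINS = %w[gmail.com hotmail.com yahoo.com outlook.com].freeze

# Levenshtein edit distance between two strings (standard dynamic programming,
# one row of the table kept at a time).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    curr = [i]
    b.each_char.with_index(1) do |cb, j|
      cost = ca == cb ? 0 : 1
      curr << [prev[j] + 1, curr[j - 1] + 1, prev[j - 1] + cost].min
    end
    prev = curr
  end
  prev[b.length]
end

# Return a suggested corrected address when the domain part is within
# `max_distance` edits of a common domain, or nil when there is nothing to
# suggest (exact match with a common domain, an unrelated domain, or input
# that is not shaped like an email address at all).
def suggest_email(address, max_distance: 2)
  local, domain = address.to_s.split('@', 2)
  return nil if local.nil? || domain.nil? || local.empty? || domain.empty?

  domain = domain.downcase
  return nil if COMMON_DOMAINS.include?(domain)

  best = COMMON_DOMAINS.min_by { |d| edit_distance(domain, d) }
  edit_distance(domain, best) <= max_distance ? "#{local}@#{best}" : nil
end
```

Show the result as a "Did you mean …?" prompt rather than rewriting the address silently: with a threshold of two edits, a legitimate but short domain that happens to sit close to a popular one would otherwise be "corrected" into the wrong mailbox, and the user is the only one who can tell the difference.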

(I'm also a big fan of native browser "reveal password" support for the password field, so the user can verify that she typed in or autofilled the password she expects. Only Internet Explorer and I think Safari offer this, but all browsers should.)

Help users choose better passwords

There are many schools of thought on forcing helping users choose passwords that aren't unspeakably awful, e.g. password123 and iloveyou and so on.

There's the common password strength meter, which updates in real time as you type in the password field.


It's a clever idea, but it gets awful preachy for my tastes on some sites. The implementation also leaves a lot to be desired, as it's left up to the whims of the site owner to decide what password strength means. One site's "good" is another site's "get outta here with that Fisher-Price toy password". It's frustrating.

So, with Discourse, rather than all that, I decided we'd default on a solid absolute minimum password length of 8 characters, and then verify the password to make sure it is not one of the 10,000 most common known passwords by checking its hash.
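The two checks just described, a minimum length of 8 and a lookup against a list of common passwords by hash, as an added example that is not Discourse's implementation. The five-entry list stands in for the real 10,000-entry one, and hashing the list with SHA-1 before comparing is an assumption made here so that the check never has to keep or compare the plaintext list.

```ruby
require 'digest'
require 'set'

MIN_PASSWORD_LENGTH = 8

# Constructed stand-in for the "10,000 most common passwords" list.
COMMON_PASSWORDS = %w[password123 iloveyou 123456 qwerty letmein].freeze

# The list is kept as SHA-1 hex digests (assumption for this example); the
# candidate password is hashed the same way and looked up in the set.
COMMON_PASSWORD_HASHES = COMMON_PASSWORDS.map { |p| Digest::SHA1.hexdigest(p) }.to_set.freeze

def common_password?(password)
  COMMON_PASSWORD_HASHES.include?(Digest::SHA1.hexdigest(password.to_s))
end

# Returns nil when the password is acceptable, otherwise a short reason
# suitable for showing next to the password field on the sign-up form.
def password_problem(password)
  return 'too short' if password.to_s.length < MIN_PASSWORD_LENGTH
  return 'too common' if common_password?(password)

  nil
end
```

The length check runs first on purpose: a password that fails it never reaches the hash lookup, and the message the user sees is the one they can act on immediately.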


Don't forget the keyboard

I feel like keyboard users are a dying breed at this point, but for those of us that, when presented with a login dialog, like to rapidly type

name@example.com, tab, p4$$w0rd, enter

please verify that this works as it should. Tab order, enter to submit, etcetera.

Rate limit all the things

If someone forgets their password and makes 3 attempts to log in, or issues 3 forgot password requests, that's probably OK. But if someone makes a thousand attempts to log in, or issues a thousand forgot password requests, that's a little weird. Why, I might even venture to guess they're possibly not human.

You can do fancy stuff like temporarily disable accounts or start showing a CAPTCHA if there are too many failed login attempts, but this can easily become a griefing vector, so be careful.

I think a nice middle ground is to insert standard pauses of moderately increasing size after repeated sequential failures or repeated sequential forgot password requests from the same IP address. So that's what we do.
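The "standard pauses of moderately increasing size" idea above, as an added example of the mechanism rather than Discourse's own rate limiter: failures are counted per client IP, the first three cost nothing, and each further failure lengthens the pause before the next attempt is answered, up to a cap. The delay schedule, the class name and the `sleeper` hook (which exists so the pause can be observed without actually sleeping) are assumptions made for this illustration.

```ruby
# In-memory throttle keyed by client IP (constructed for the example; a real
# deployment would keep this state somewhere shared by all web workers).
class LoginThrottle
  # Pause in seconds before answering the next attempt, indexed by the number
  # of consecutive failures so far: three free attempts, then 1, 2, 4, 8.
  DELAYS = [0, 0, 0, 1, 2, 4, 8].freeze

  def initialize
    @failures = Hash.new(0)
  end

  # Delay to apply to the next attempt from `ip`, capped at the last entry.
  def delay_for(ip)
    DELAYS[[@failures[ip], DELAYS.length - 1].min]
  end

  # Record the outcome of an attempt. A success clears the counter, so a user
  # who finally remembers the password is not penalised on the next visit.
  def record(ip, success:)
    if success
      @failures.delete(ip)
    else
      @failures[ip] += 1
    end
    delay_for(ip)
  end
end

# One login attempt: pause as the throttle dictates, run the real credential
# check, record the result. Returns [ok, seconds_waited].
def attempt_login(throttle, ip, login, password, check, sleeper: ->(s) { sleep(s) })
  wait = throttle.delay_for(ip)
  sleeper.call(wait) if wait > 0
  ok = check.call(login, password)
  throttle.record(ip, success: ok)
  [ok, wait]
end
```

Because the pause is applied per source address and never locks the account itself, a stranger hammering someone else's login name slows only their own connection down, which is the griefing problem the post warns about with account disabling and CAPTCHAs. The same schedule can be reused for the forgot-password endpoint by keeping a second `LoginThrottle` for it.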

Stuff I forgot

I tried to remember everything we went through when we were building our ideal login dialog for Discourse, but I'm sure I forgot something, or could have been more thorough. Remember, Discourse is 100% open source and by definition a work in progress – so as my friend Miguel de Icaza likes to say, when it breaks, you get to keep both halves. Feel free to test out our implementation and give us your feedback in the comments, or point to other examples of great login experiences, or cite other helpful advice.

Logging in involves a simple form with two fields, a link, and two buttons. And yet, after reading all this, I'm sure you'll agree that it's deceptively complex. Your best course of action is not to build a login dialog at all, but instead rely on authentication from an outside source whenever you can.

Like, say, God.

Written by Jeff Atwood

Indoor enthusiast. Co-founder of Stack Exchange and Discourse. Disclaimer: I have no idea what I'm talking about. Find me here: http://twitter.com/codinghorror

Continue Discussion 79 replies

9 Jan

MadOverlord

One subtle

the Sign In and New Account buttons should have some space between them, to reduce the chance of a misclick. And the "expected" action should be the one directly below the name/password fields.

9 Jan

kram1032

I find it kind of weird that the "Login" button looks different in different places:

Once, it's an open lock, and once a person. Is there any particular reason for that?

9 Jan

kersti

All very good points, and it leads to a discussion about passwords in general. Pet hate of mine is websites that don't allow anything other than alphanumeric characters, to my mind the site itself is not secure when they won't let me use ! in the middle of my password string.

Have recently had to give up an account because the site decided that a few failed login attempts (thanks to a 2 year old) was a security risk, so they changed my password for me (gee thanks). They won't show me all of the email address although from what they did show me I could figure out which one it was – and their forgot password email never arrives (apparently a common problem with this very large site). Naturally of course there is no way to contact anyone there either.

And in a site I run I often get people trying to be reunited with accounts where they have no matching information, yet they claim that they are the owner but they used false info for privacy reasons – if all I've got to go on is an email address, first name and birthdate and you've changed those then I'm not giving you this old account! I'm setting up a page of security questions to hopefully tackle that in the future.

9 Jan

marioawad

If you don't respect the {USERNAME}{TAB}{PASSWORD}{ENTER} sequence on your login form, me and my friend KeePass will be constantly looking for another alternative website. That and also making sure the title of your login page includes your website's name and not only a generic "Log In" title.

  • 1 reply

  • 9 Jan


pnuk

  • codinghorror:

Thus, email is your identity.

Unless it's your mobile phone number: Chinese Mobile App UI Trends

  • 1 reply


  • 9 Jan

Pommes ▶ marioawad

Maybe these plugins can help you with the "log in" titles:

http://keepass.info/plugins.html#urlintitle

These plugins show the URL of the website in the titlebar.

  • 1 reply

  • 9 Jan

Papuass_

A bit off-topic, but this has to be the cutest login form of all. Try entering a password:

https://dash.readme.io/login

  • 1 reply

  • 9 Jan

marioawad ▶ Pommes

This is awesome. Thank you. I'll keep those in mind for the future, as currently I have no websites with this problem as I just leave them behind hehe. And I have more than 400 entries in KeePass.

  • 9 Jan

DenisSokolov

Consider not giving the user a big and scary warning about caps lock, but instead check his password against a case-inverted version of itself.

  • 2 replies

  • 9 Jan

stefan19

Have you thought about supporting SQRL in the future? Login without username, password or email. Very close to the way god would have designed it.

  • 1 reply

  • 9 Jan

erikheemskerk ▶ DenisSokolov

Seems like a bad idea; a lot of people use Caps Lock as an 'easier way' to type lots of characters in capitals. And they may not use it consistently. When they didn't use it when signing up or changing their password but they are using it now, you will get a mismatch and you'll be punishing them for not being consistent. That would be bad form.

  • 1 reply

  • 9 Jan

jaginsberg

A lot of users end up being behind the same proxy exit servers, and thus having the same small pool of IP addresses - back in the day, AOL was the biggest offender here. Be careful that rate-limiting bad logins by incoming IP address doesn't make life hell or at least very confusing for these users. Perhaps make it based on the combination of email address PLUS IP address.

  • 9 Jan
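The (email, IP) keying jaginsberg suggests, written out as an added example (this is not Discourse's code and not from the original post): an in-memory sliding-window limiter that budgets failures per (email, IP) pair, so users sharing one proxy exit each get their own allowance, while a much looser per-IP ceiling still catches someone spraying many accounts from a single address. The window and limits are assumed policy values; in a real deployment the counters would live in a shared store so every app server sees the same view.

```python
import time
from collections import defaultdict, deque

# Assumed policy values, not from the original post.
WINDOW_SECONDS = 300    # sliding window over which failures are counted
PAIR_LIMIT = 5          # failures per (email, ip) before that pair is blocked
IP_LIMIT = 200          # failures per ip regardless of email; deliberately high
                        # so a shared proxy exit is not blocked by a few users


class LoginRateLimiter:
    """Sliding-window failed-login limiter keyed on (email, client IP).

    One attacker guessing one account trips PAIR_LIMIT quickly; users who
    share an exit IP each have their own budget; an attacker spraying many
    accounts from one IP still runs into IP_LIMIT.
    """

    def __init__(self, window=WINDOW_SECONDS, pair_limit=PAIR_LIMIT,
                 ip_limit=IP_LIMIT, clock=time.monotonic):
        self.window = window
        self.pair_limit = pair_limit
        self.ip_limit = ip_limit
        self.clock = clock                  # injectable so tests can move time
        self._pair = defaultdict(deque)     # (email, ip) -> failure timestamps
        self._ip = defaultdict(deque)       # ip -> failure timestamps

    @staticmethod
    def _key(email, ip):
        # Case-fold the address so Alice@ and alice@ share one budget.
        return (email.strip().lower(), ip)

    def _prune(self, q, now):
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, email, ip):
        """True if a login attempt for this (email, ip) should be refused."""
        now = self.clock()
        pair_q = self._pair[self._key(email, ip)]
        ip_q = self._ip[ip]
        self._prune(pair_q, now)
        self._prune(ip_q, now)
        return len(pair_q) >= self.pair_limit or len(ip_q) >= self.ip_limit

    def record_failure(self, email, ip):
        now = self.clock()
        self._pair[self._key(email, ip)].append(now)
        self._ip[ip].append(now)

    def record_success(self, email, ip):
        # A correct password clears that pair's budget; the per-IP count stays,
        # since a success for one user says nothing about spraying from that IP.
        self._pair.pop(self._key(email, ip), None)
```

Call `is_blocked` before checking the password at all, so a blocked pair never reaches the (expensive) hash comparison, and `record_failure`/`record_success` afterwards.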

jgustie

Another one that drives me nuts is the auto-caps of the first letter in a text input applied by Mobile Safari: giving the browser an indication that the field is an email or username is a must.

  • 1 reply

  • 9 Jan

frank9

Ok, I guess I am Frank9 here. Yuck... Anyways... I liked this post Jeff. I am going to refer to this when I revise my login system to my CMS tool. I am dealing with an incremental rewrite with a designer in a few weeks and it definitely short circuits what's important and what is better than acceptable (I usually don't have the luxury to think about this stuff the way you guys did). So you taught me something useful today... I can't wait to see what else is up your sleeves on future projects. I have come to the conclusion that you and Sam and the Troutfish make the internet a better place. Optimal Tip to Tip Efficiencies here. (Second to last sentence is an honest sentiment and the wording came out funny, and the last is the joke (segue); you get

  • 9 Jan

DenisSokolov ▶ erikheemskerk

The idea is to accept both versions of a password always, effectively trading 1 bit of password security for a lot of user convenience.

  • 9 Jan
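DenisSokolov's suggestion (check the password as typed, then with its case inverted, trading one bit of strength for convenience), as an added example that is not from the original post or from Discourse. It stores a salted PBKDF2 digest only because that ships with Python; the iteration count is an assumed value, and a memory-hard KDF such as bcrypt or scrypt is the better choice in production. The return value distinguishes an exact match from a caps-lock match, so the site can still show a mild hint instead of a scary warning. The docstring records the limits erikheemskerk and adregan raise: the fallback only helps when Caps Lock was on for the whole password and Shift was not involved.

```python
import hashlib
import hmac
import os

# Assumed KDF settings for the example; PBKDF2 is used because it is in the
# standard library, not because it is the best choice.
KDF_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for storage, drawing a fresh random salt unless given."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return salt, digest


def _matches(candidate: str, salt: bytes, digest: bytes) -> bool:
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, KDF_ITERATIONS)
    return hmac.compare_digest(got, digest)   # constant-time comparison


def verify_password(attempt: str, salt: bytes, digest: bytes,
                    tolerate_caps_lock: bool = True):
    """Check the attempt as typed, then (optionally) with every letter's case flipped.

    Returns "ok" for an exact match, "caps-lock" when only the case-inverted
    form matched (the caller may still show a gentle hint), or None.

    Cost: one extra KDF evaluation per wrong password, and the attacker gets two
    guesses per submission, i.e. one bit of the password's strength. Coverage:
    only the case where Caps Lock was on for the whole password and Shift was
    not used. On keyboards where Shift under Caps Lock still yields uppercase,
    a mixed-case password typed that way becomes all-uppercase and the flipped
    form will not match either.
    """
    if _matches(attempt, salt, digest):
        return "ok"
    flipped = attempt.swapcase()
    if tolerate_caps_lock and flipped != attempt and _matches(flipped, salt, digest):
        return "caps-lock"
    return None
```

Keep the rate limiter in front of this check: the extra candidate does not change the limiter's count of one failed submission, but it does double the KDF work per guess, so the limiter is what keeps online guessing bounded.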

sa12

First time trying Discourse. Looks nice..

  • 9 Jan

digplan

Regarding your "email is your identity".. I think your identity is your identity. Email, Twitter, Facebook: these are best considered not identities but means of verifying your identity. So your "identity record" in a system is related to each of those, but not one of those defines it. For a long time I thought using email address as your de-facto identifier as a login name made good sense.

I'm an older guy (with a teenage daughter), and [...] to the extent email is becoming much less relevant to the younger generation. They will inevitably have all of Twitter, Tumblr, Email address, and mobile phone number, but keying in on one as the God "identifier" if you will feels a little off.

The box with login w/Twitter, Facebook, etc.. seems the right solution for the present, but still feels not quite right, at least not totally elegant. A universal standard for internet identification of course would consolidate and simplify things, but not just the adoption by so many providers, but the concerns about privacy and tracking etc.. would seem difficult to even get off the ground.

  • 9 Jan


gmanjapan

One thing that's always bugged me is forms, like the Discourse one, that effectively have login and register on the same form but if I put my name/pass in one form don't carry them to the other.

In other words, I see both "log in" and "create new account" at the bottom. I type my username and password and click "create new account" expecting it to create a new account with the name and password I just typed. Instead it says Haha for typing your name/pass and clicking "create new account". Instead I'm going to discard what you just typed and make you type it again because that misleading button actually leads to a different form. F.U!

WHY!!!!

First you mislead me by putting 2 buttons that look like actions but one is not the action it claims it is. It's not going to "create a new account" it's going to "switch to the create new account form".

Second you waste my time typing and throw away my work. This is especially infuriating if I happened to enter that on mobile where typing is super tedious, especially if my password follows some crazy rules.

It seems like copying the name/pass from one form to the other (or making them the same form and hide/un-hide the extra fields for registering) would be more respectful of the user's time and slightly mitigate the fib that "create new account" doesn't actually create a new account.

  • 2 replies

  • 9 Jan


Bob_Wise

  • codinghorror:

If an account matches [email protected], you should receive an email with instructions on how to reset your password shortly.

Note the coy "if" there, which is a hedge against all the security implications of revealing whether a given email address exists on the site just by typing it into the forgot password form.

Malicious humans or bots can already figure out if an email address or username exists in the system by trying to make a new account with that email address or username. I don't think there is any advantage to trying to hide that information here.

  • 1 reply

  • 9 Jan

adregan ▶ DenisSokolov

Perhaps, but this wouldn't be very helpful for a mixed case password (eg. for me, capslock + shift doesn't produce lowercase text).

  • 9 Jan

MT83

"I put on my robe and wizard hat."

  • 1 reply

  • 9 Jan

ambiguator

OK, Jeff, how's this for instant feedback? (I registered just so I could submit this comment):


Easily switching between "login" and "register" is great.


But why did you delete my input? I had already typed my email address and password, thinking the "create new account" javascript trigger was a submit button. Now I'm frustrated that I had to retype it.


When I click the "confirm" link from email, please send me back to the thing I was trying to do. Now I have 3 codinghorror tabs open (three!) plus my email. Just so I could post one comment.

  • 9 Jan

JonCoder ▶ pnuk

That may sound great in theory, and maybe it's great for the Chinese market, but this came to mind:

In the 10 years I've held the same email address, I've changed mobile numbers at least 4-5 times. And mobile numbers get recycled. I've gotten many phone calls directed at the previous owner of a phone number I recently acquired.

I would never consider using a mobile phone number as identity due to how volatile they can be, at least in the western world.

  • 9 Jan


speising

I actually object to "email as username". I hate it when sites require that, because it limits your options massively. And if someone hacks the user database of one site, they know your username, and possibly your password, on a lot of other sites. Even without that, if they know your email (and we know a lot of spammers do) they can try it at those sites. Regarding recovery mails: an email address is not the same as an email account! You need access to the latter to use the recovery mail feature.

  • 9 Jan


reavy

An important feature to include is when logging into a website, there should either be a statement about the password policy or a tool-tip like thing to hover the cursor over to reveal the password requirements.

Sometimes when I'm in a rush to register on a site, I'll use a quick variation of a common inexpensive password I keep in my head, and I'll modify it to fit the password policy that site is enforcing. I'll then neglect to make a note of that registration in my password manager (if I were going to use the password manager, I suppose I'd have it generate my password anyway). When returning to the site later, having forgotten my registration, I'll try one that makes sense based on what I would have done for that site, but I'll get incorrect password errors.

It would be really nice, even if only after a first failed password attempt, for the site to tell me, "Hey, your password is wrong. It should be 8-40 alphanumeric characters, no hyphens or any other silliness." So that I'm not trying otherwise strong passwords that don't make any sense for that site.

Furthermore, when a site states a password policy while registering, it should darn well enforce the policy it states. It's frustrating when it says certain characters are (dis)allowed and then proceeds to enforce some other hidden policy.

Edit: P.S. Also, please please don't truncate my password and then not tell me about it! It's ever so much fun when my password is shortened at registration by the form's character limit and then a different (longer) limit is encountered on the log in page and suddenly I don't have the correct password anymore.

  • 2 replies

  • 9 Jan


cavedog123

If using the email address as username, be sure to include a way to change that email address. My Steam account still forces me to use my @yahoo.com address. At least a few years ago they allowed you to change your real address where email goes to.

  • 1 reply

  • 9 Jan

Balfa ▶ Bob_Wise

There's nothing to stop the "create new account" screen from allowing you to enter an email address that's already on record; then instead of sending a "welcome to this site!" email, it will send a "zomg, somebody might be phishing for your account - or maybe you just forgot you already had an account here" email. Only the owner of the email account will be aware of the state of the system, and the attacker is none the wiser either way.

  • 1 reply

  • 9 Jan

davidzych ▶ cavedog123

Same thing for me, except a @hotmail address.

  • 9 Jan

jon49

If the e-mail matches an e-mail in the database then why offer the register option at all? If the e-mail doesn't match then why offer the sign in option? If you are storing the session anyways you can get the ID once you know the e-mail is correct and then it will be really quick to test the password. You could show both sign-in/register at first, but as soon as the e-mail/username is filled in, there is no reason to show one or the other. That way, if the user put in the wrong e-mail they have immediate feedback.

  • 9 Jan

louiseroho

As a Web Developer, I thought about this issue and realized that there cannot be a "One Login Method to Rule Them All", because if that login method gets hacked for one type of site, then every site that uses that specific tool is also hacked. So, every secure site must integrate with others, but still needs to have its own specific spore on the security.

  • 9 Jan

erlend_sh

I find it a bit amusing that you show this:


And this:


so close together. Any particular reason why Discourse's "Sign Up" has not been renamed to "Register"?

...

  • 1 reply

  • 9 Jan


codinghorror

I downloaded my UVa transcript online to confirm, and indeed:


[Pasted image, 1024x151, 25.3 KB]

Definitely the Pausch class, the timing and class title is consistent with his CV. I got a B!


And then check out the excitement of my last semester...

[Pasted image, 911x311, 55.1 KB]

  • 1 reply

  • 9 Jan


timbojones

  • codinghorror:

You should either fix typos in common email domains for them

No don't do this! What happens when actual user@gmal.com wants to register? It is impossible because the site 'corrects' the address.

  • codinghorror:

or let them know about that.

Prompting "Did you mean user@gmail.com?" is a fine approach.

  • 9 Jan
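The suggest-but-never-rewrite behaviour timbojones asks for, as an added example that is not part of the original post or of Discourse: the address is split on its last `@`, the domain is compared against a short constructed list of common domains with the standard library's `difflib`, and a "did you mean" address is returned only when the domain is close to a known one but is not itself on the list. The domain list and the 0.8 similarity cutoff are assumptions; a site would build the list from its own user base. The caller shows the suggestion and lets the user accept or ignore it, so the real owner of user@gmal.com can still register.

```python
import difflib

# Constructed list for the example; derive this from your own users in practice.
COMMON_DOMAINS = ["gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "icloud.com"]
SIMILARITY_CUTOFF = 0.8   # assumed threshold on difflib's ratio (0..1)


def suggest_email_correction(address: str, known_domains=COMMON_DOMAINS,
                             cutoff: float = SIMILARITY_CUTOFF):
    """Return a "did you mean" address, or None.

    Never rewrites the input. A domain that is exactly on the list, or not
    close to any entry, yields None; the caller only displays the suggestion.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None                       # not an address we can reason about
    domain = domain.lower()
    known = [d.lower() for d in known_domains]
    if domain in known:
        return None                       # exact match: nothing to suggest
    matches = difflib.get_close_matches(domain, known, n=1, cutoff=cutoff)
    if not matches:
        return None                       # nothing close enough; leave it alone
    return f"{local}@{matches[0]}"
```

Because the check is purely lexical it will also flag a genuine but unusual domain that happens to sit near a popular one, which is exactly why the result is a prompt and not a silent correction.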


pbreit

Spot on. Except I don't like the 8 character password requirement for non­financial sites.

  • 9 Jan

zstewart

There's a critical corollary to the principle of using email as identity ­ you need to confirm it before treating the account as a full user of the site! Or you get this.

  • 9 Jan

Kendall1 ▶ gmanjapan

This is my biggest pet peeve also. Whatever the user has gone to the trouble to type in, remember it. Not just the username but password too please!

  • 9 Jan

Kendall1

One of the things I'm considering doing for a new project for iOS is in fact the zero form login. You can save a custom UUID you generate into iCloud storage for an app and use that as a login ID and/or password (to send to a server), until such time as the user chooses to give you more information to log in with. A user doesn't even know if they WANT to use your service/app yet, but so many systems throw the login wall up right away; it has to be dropping out many users. Let them slowly lock down their account as it grows in importance to them.

Another thing to consider is password strength requirements - think about who you are. If you are not a bank, if I cannot spend money through your system why do you have ANY REQUIREMENTS around your password at all? Let people use a stupid password they will remember, and then really crank up that aforementioned rate limiting to make guessing more than three times impractical. No it is NOT OK to require they use 1Password and the like.

  • 1 reply

  • 9 Jan

Harry_Johnston

Troy Hunt (in Introducing the “Secure Account Management Fundamentals” course) recommends advising the user that they don't have an account at that email address by email rather than on the web site. That avoids the information exposure; I can imagine there are people who don't want it known that they are registered with a particular site. (Even a site like Stack Overflow, because some bosses seem to really hate the idea that their employees might be helping "the enemy" whether it's on their own time or not.)

If you've got a lot of email addresses, this would be less convenient than the direct method. I'm not sure whether that's enough of a problem to enough people to justify allowing the information exposure.

Of course you then need anti-automation defenses to avoid spamming the innocent. That might well tip the balance.

  • 9 Jan


johnlbevan

With regards to email; also ensure that users can register multiple email addresses against a single account; that way they don't need to recall which mail they used; all work the same way. Have a primary mail address for any notifications from the site (i.e. separate to login concerns), or better yet, allow the user to add conditions around mail use (this is my primary mail for useful notifications, this is my mail for newsletters / stuff I may read if bored).

  • 10 Jan

michelle_o

Please be aware that keyboard use is not just for power users or password managers. Keyboard navigation is essential for screen readers and is step 1 of testing your site for accessibility.

  • 10 Jan

scunliffe1 ▶ jgustie

I believe there are attributes you can set on input fields to tell the browser to not [...]; login forms should add this to the username field.

  • 10 Jan

karissamck

You don't have two input password fields to verify the user's password upon signup. People might type it in wrong. You can't be serious when you say you have a good signup box, right?

  • 2 replies

  • 10 Jan

matthew_ickstadt ▶ stefan19

I have little hope for SQRL to ever become mainstream, but I really want it to.

  • 10 Jan

msummerfield

Given the choices you have already made, your login dialog could be further simplified to just two fields and one "Login/Register" button. If there is no email address matching the user input, you can then ask if they would like to create a new account. If the password does not match, you can ask if they have forgotten their password, and would like a reset email sent.

In any event, you should never clear the text fields, so that if the user has simply made a typo it is easy to fix.

This would particularly suit me. If I want high security for a site (that does not provide two factor authentication), I often just use a really long random string as a password, that even I do not know, and then use the reset email as my primary way to access the account (setting a new long, random password on my way back in). Always having exactly the same dialog would be my God login!

 

  • 1 reply

  • 10 Jan

Leo_Nel

In addition to Google, Facebook, Twitter, Yahoo and Github, any reason why Microsoft account support is not provided as one of the options?

  • 10 Jan

Hamled ▶ Balfa

Well, there's one thing to stop people from doing that. Namely, such a solution basically requires a confirmation email is sent, received, opened, and the link clicked upon before that account can actually be used.

This in itself is a major source of lost users, and the reason why many organizations have made email confirmation optional in their sign up funnel.

Unless your service is truly reliant upon email integration for your users, you're probably better off using a combination of rate limiting and suspicious behavior identification.

  • 10 Jan

Hamled

Forgive me if this has already been covered, but I think the idea of preventing people from signing up with popular passwords is at least a bit more problematic than it is helpful.

Initially I was going to complain that a mere 10,000 wasted attempts per hash wasn't that much, but it turns out that even in 2015 bcrypt, and especially scrypt, hold up incredibly well even with GPU hashing.

That said, I think what you're looking at is adding at most 20 minutes per hash (assuming they have to use CPUs) onto the cracking time if you're using a bcrypt factor of 10 or scrypt factor of 13. Check out this video for some interesting stats on that: http://video.adm.ntnu.no/pres/5499318fcce2c.

And what do you trade for that? A large majority of your users, for most sites, are then forced to use a password that they don't normally use. A password they're likely to forget. If they even bother continuing to sign up after some stupid website told them their password was dumb. And it's not like the acceptable password they choose is going to be massively better, it'll probably still be in the top 100,000 or million passwords guessed by a competent cracking program.

Philosophically, I think it's my responsibility to assume that every single one of my users is so unconcerned about security that they really will make their password 'password' (or whatever minimum additions to that are required to fit my stated requirements). The best I can do is pick password­related technologies and designs that protect them as much as possible in the event of a breach.

The user's responsibility, OTOH, is to assume that I'm so unconcerned with their security that I'll store their passwords in plaintext. In that case they'd use a password manager, or insist upon a stronger technology like PAKE and/or two-factor auth. Sadly not enough users assume this, but we also can't make them.

  • 10 Jan

dave_steinberg ▶ MT83

I literally rushed to add this comment, in the hope, however vain, that it would be the first. Alas...

  • 10 Jan

saurabhguptatwt

I like the game. If we extend this outside the www domain:

Cop stops you and asks for your driving license. What will a GOD require? He wouldn't stop you, just write you a ticket and withdraw the fine from your bank account. Sounds freakish!

  • 11 Jan

andrekibbe


  • Kendall1:

If you are not a bank, if I cannot spend money through your system why do you have ANY REQUIREMENTS around your password at all?

Because the same login credentials are likely to be used on banks and other sensitive sites visited by the user. Since most people stick with passwords that are easy to remember, they're probably using them everywhere, so their security profile is a chain as strong as its weakest link. A hacker who's obtained hundreds of user logins is guaranteed to have at least a few dozen of those that are valid for BofA.com, PlayStation.com, etc.

 

  • 1 reply

  • 11 Jan

andrekibbe

  • gmanjapan:

It seems like copying the name/pass from one form to the other (or making them the same form and hide/un­hide the extra fields for registering) would be more respectful of the user's time and slightly mitigate the fib that "create new account" doesn't actually create a new account.

With most registration tools only the encrypted version of the password is stored; it's hashed before being saved to the database. So there's no server­side access to the unencrypted password to populate the form with it. That's the same reason why most "Forgot your password?" links require a password reset, regardless of how annoying it is to the user.

Of course, forms could probably do some client­side validation and simply reject invalid submissions up front so that the password remains in the field.

  • 11 Jan

andrekibbe ▶ erlend_sh

I disagree with the rather pedantic arguments in the left column implying that "Sign Up" and "Sign In" are indistinguishable. On the contrary, they're visually and grammatically consistent, and since they're different buttons in the same region, users can easily parse that they're distinctly different options. This is what Tufte calls the Least Effective Difference. You don't need to accentuate the difference further by varying the wording or style. I personally find those superfluous differences aesthetically incoherent without offering any additional usability advantages in return.

  • 11 Jan

roelandsch ▶ reavy

I came across a lot of those password length limitations and forbidden characters etc. One website even required me to use a number in the username.

I don't get why web sites need those limitations in the first place. I mean, they should just do SHA2(saltySalt + "correct horse battery staple") anyway.

I wonder what they're doing. Using their own basement-grown hash? Or maybe they're not sure which characters will cause mysql_query("INSERT INTO my_users VALUES ('$user', '$password')"); to break.

 

  • 1 reply

  • 12 Jan


t1oracle

Instead of telling users that they gave the wrong email address on the site, why don't you just send an email to them at that address telling them of the error? That way hackers can't use your form to expose user accounts. Within that email you can provide a link to recover the forgotten email address using security questions.

  • 12 Jan
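The enumeration-resistant flows discussed by Bob_Wise, Balfa, Harry_Johnston and t1oracle (and zstewart's point that an email-keyed account is not a full user until the address is confirmed), pulled together as one added example. This is not Discourse's code and not from the original post. Both the registration and the forgot-password endpoint return the same generic message whatever the address is; everything that depends on whether the account exists goes into the email, which only the mailbox owner sees (a confirmation link for a new address, a "you already have an account" note for a known one, a reset link or a "no account here" note for the reset form). A per-address cooldown is the anti-automation defence Harry_Johnston mentions, so the form cannot be used to flood someone's inbox. The message texts, the cooldown value and the in-memory stores are assumptions; the outbox stands in for a real mail transport. Password hashing is left out of this block deliberately.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# What the web client sees; identical no matter what the address is.
REGISTER_RESPONSE = "Check your inbox to finish creating your account."
RESET_RESPONSE = "If an account matches that address, you'll receive an email shortly."

MAIL_COOLDOWN_SECONDS = 60   # assumed anti-automation setting


@dataclass
class Mail:
    to: str
    kind: str                     # "confirm", "already-registered", "reset", "no-account"
    token: Optional[str] = None


class AccountService:
    def __init__(self, clock=time.monotonic, cooldown=MAIL_COOLDOWN_SECONDS):
        self.accounts = {}        # email -> {"confirmed": bool}
        self.tokens = {}          # token -> (email, purpose)
        self.outbox = []          # "sent" mail; a real system hands these to an MTA
        self._last_mail = {}      # email -> time of last mail, for the cooldown
        self.clock = clock
        self.cooldown = cooldown

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def _send(self, mail):
        """Deliver at most one mail per address per cooldown; drop the rest silently.

        Dropping, rather than reporting, keeps the web response identical."""
        now = self.clock()
        last = self._last_mail.get(mail.to)
        if last is not None and now - last < self.cooldown:
            return
        self._last_mail[mail.to] = now
        self.outbox.append(mail)

    def _issue_token(self, email, purpose):
        token = secrets.token_urlsafe(32)   # unguessable, single-use
        self.tokens[token] = (email, purpose)
        return token

    def register(self, email):
        email = self._norm(email)
        if email in self.accounts:
            # Known address: tell the mailbox owner, never the web client.
            self._send(Mail(email, "already-registered"))
        else:
            self.accounts[email] = {"confirmed": False}
            self._send(Mail(email, "confirm", self._issue_token(email, "confirm")))
        return REGISTER_RESPONSE

    def forgot_password(self, email):
        email = self._norm(email)
        if email in self.accounts:
            self._send(Mail(email, "reset", self._issue_token(email, "reset")))
        else:
            self._send(Mail(email, "no-account"))
        return RESET_RESPONSE

    def confirm(self, token):
        """Redeem a confirmation token; the account is a full user only after this."""
        entry = self.tokens.pop(token, None)
        if entry is None or entry[1] != "confirm":
            return False
        self.accounts[entry[0]]["confirmed"] = True
        return True

    def is_active(self, email):
        acct = self.accounts.get(self._norm(email))
        return bool(acct and acct["confirmed"])
```

Response timing is the remaining side channel: if the existing-account branch does noticeably more work (a password hash, a slow mail API call), an attacker can still tell the cases apart by the clock, so queue the mail asynchronously and keep both branches doing the same amount of synchronous work.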

t1oracle ▶ roelandsch

If they sanitized their inputs then all characters would be safe. Since they're hashing (salted bcrypt) anyway (or should be) there is no need to worry about odd characters.
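roelandsch's string-built `mysql_query` and t1oracle's reply side by side, as an added example that is not from the original post or from Discourse. The vulnerable form is reproduced in Python against an in-memory SQLite table: it breaks on a plain apostrophe, which is the kind of "which characters will cause it to break" worry that produces silly character restrictions. The hardened form stores a salted scrypt digest through a parameterised query, so the password's characters never reach the SQL parser at all; a `'`, a `--`, or a non-ASCII character is just bytes to the KDF. scrypt and its parameters are an assumed choice (the thread names scrypt and bcrypt as suitable KDFs); `naive_store_breaks` exists only so the failure can be demonstrated without the caller handling the exception.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed scrypt parameters: n=2**14, r=8 needs roughly 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def kdf(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest of the password; any code point is acceptable."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def open_db():
    conn = sqlite3.connect(":memory:")
    # The table shape roelandsch quotes, and the one the hardened code uses.
    conn.execute("CREATE TABLE naive_users (user TEXT, password TEXT)")
    conn.execute("CREATE TABLE my_users (user TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def naive_store(conn, user, password):
    """String-built SQL with a plaintext password. Vulnerable: DO NOT USE.

    A quote in either value ends the string literal early, so the statement
    either fails or, in a real server, executes attacker-chosen SQL."""
    conn.execute(f"INSERT INTO naive_users VALUES ('{user}', '{password}')")


def naive_store_breaks(conn, user, password) -> bool:
    """True if the naive insert fails for this input (used to show the defect)."""
    try:
        naive_store(conn, user, password)
    except sqlite3.OperationalError:
        return True
    return False


def store_user(conn, user, password):
    """Parameterised insert of (salt, digest): the password never touches SQL text."""
    salt = os.urandom(SALT_BYTES)
    conn.execute("INSERT INTO my_users VALUES (?, ?, ?)", (user, salt, kdf(password, salt)))


def check_login(conn, user, password) -> bool:
    row = conn.execute("SELECT salt, digest FROM my_users WHERE user = ?", (user,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(kdf(password, row[0]), row[1])   # constant-time
```

Note that the hardened version needs no character restrictions and no length cap short of something generous: the KDF fixes the output size, and the query driver handles quoting. If a length cap is kept to bound KDF cost, enforce the same cap on registration and login, which is the truncation mismatch reavy describes.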

  • 12 Jan

WorldMaker