The God Login
CODING HORROR
programming and human factors
09 Jan 2015
Copyright Jeff Atwood 2015
http://blog.codinghorror.com/thegodlogin/
1/35
1/26/2015
And both can be kicked off directly from any page via
the Sign Up and Log In buttons at the top right:
Written by Jeff Atwood
Continue Discussion (79 replies)
9 Jan
Mad Overlord
One subtle tweak... the Sign In and New Account buttons should have some space between them, to reduce the chance of a misclick. And the "expected" action should be the one directly below the name/password fields.
9 Jan
kram1032
I find it kind of weird that the "Login" button looks different in different places:
Once, it's an open lock, and once a person. Is there any particular reason for that?
9 Jan
kersti
All very good points, and it leads to a discussion about passwords in general. Pet hate of mine is websites that don't allow anything other than alphanumeric characters; to my mind the site itself is not secure when they won't let me use ! in the middle of my password string.
Have recently had to give up an account because the site decided that a few failed login attempts (thanks to a 2 year old) was a security risk, so they changed my password for me (gee thanks). They won't show me all of the email address, although from what they did show me I could figure out which one it was, and their forgot password email never arrives (apparently a common problem with this very large site). Naturally of course there is no way to contact anyone there either.
And in a site I run I often get people trying to be reunited with accounts where they have no matching information, yet they claim that they are the owner but they used false info for privacy reasons. If all I've got to go on is an email address, first name and birthdate and you've changed those, then I'm not giving you this old account! I'm setting up a page of security questions to hopefully tackle that in the future.
9 Jan
marioawad
If you don't respect the {USERNAME}{TAB}{PASSWORD}{ENTER} sequence on your login form, me and my friend KeePass will be constantly looking for another alternative website. That, and also making sure the title of your login page includes your website's name and not only a generic "Log In" title.
1 reply
9 Jan
pnuk
codinghorror:
Thus, email is your identity.
Unless it's your mobile phone number: Chinese Mobile App UI Trends
1 reply
9 Jan, in reply to marioawad
Pommes
Maybe these plugins can help you with the "login" titles:
http://keepass.info/plugins.html#urlintitle
These plugins show the URL of the website in the title bar.
1 reply
9 Jan
Papuass_
A bit off topic, but this has to be the cutest login form of all. Try entering a password:
https://dash.readme.io/login
1 reply
9 Jan, in reply to Pommes
marioawad
This is awesome. Thank you. I'll keep those in mind for the future, as currently I have no websites with this problem as I just leave them behind hehe. And I have more than 400 entries in KeePass.
9 Jan
Denis Sokolov
Consider not giving the user a big and scary warning about caps lock, but instead check his password against a case-inverted version of itself.
2 replies
9 Jan
stefan19
Have you thought about supporting SQRL in the future? Login without username, password or email. Very close to the way god would have designed it.
1 reply
9 Jan, in reply to Denis Sokolov
erikheemskerk
Seems like a bad idea: a lot of people use Caps Lock as an 'easier way' to type lots of characters in capitals. And they may not use it consistently. When they didn't use it when signing up or changing their password but they are using it now, you will get a mismatch and you'll be punishing them for not being consistent. That would be bad form.
1 reply
9 Jan
jaginsberg
A lot of users end up being behind the same proxy exit servers, and thus having the same small pool of IP addresses; back in the day, AOL was the biggest offender here. Be careful that rate limiting bad logins by incoming IP address doesn't make life hell, or at least very confusing, for these users. Perhaps make it based on the combination of email address PLUS IP address.
9 Jan
jgustie
Another one that drives me nuts is the autocaps of the first letter in a text input applied by Mobile Safari: giving the browser an indication that the field is an email or username is a must.
1 reply
9 Jan
frank9
Ok, I guess I am Frank9 here. yuck... Anyways... I liked this post Jeff. I am going to refer to this when I revise my login system to my CMS tool. I am dealing with an incremental rewrite with a designer in a few weeks and it definitely short circuits what's important and what is better than acceptable (I usually don't have the luxury to think about this stuff the way you guys did). So you taught me something useful today... I can't wait to see what else is up your sleeves on future projects. I have come to the conclusion that you and Sam and the Troutfish make the internet a better place. Optimal Tip to Tip Efficiencies here. (second to last sentence is a honest sentiment and the wording came out funny, and the last one... well you get the joke (segway)
9 Jan, in reply to erikheemskerk
Denis Sokolov
The idea is to accept both versions of a password always, effectively trading 1 bit of password security for a lot of user convenience.
9 Jan
sa12
First time trying Discourse. Looks nice..
9 Jan
digplan
Regarding "your email is your identity".. I think your identity is your identity. Email, Twitter, Facebook: these are best considered not identities but means of verifying your identity. So your "identity record" in a system is related to each of those, but not one of those defines it. For a long time I thought using email address as your de facto identifier as a login name made good sense.
I'm an older guy (w/ a teenage daughter), and it's striking to the extent email is becoming much less relevant to the younger generation. They will inevitably have all of Twitter, Tumblr, email address, and mobile phone number, but keying in on one as the God "identifier" if you will feels a little off.
The box with login w/ Twitter, Facebook, etc.. seems the right solution for the present, but still feels not quite right, at least not totally elegant. A universal standard for internet identification of course would consolidate and simplify things, but not just the adoption by so many providers, but the concerns about privacy and tracking etc.. would seem difficult to even get off the ground.
9 Jan
gmanjapan
One thing that's always bugged me is forms, like the Discourse one, that effectively have login and register on the same form but if I put my name/pass in one form don't carry them to the other.
In other words, I see both "login" and "create new account" at the bottom. I type my username and password and click "create new account" expecting it to create a new account with the name and password I just typed. Instead it says "Haha for typing your name/pass and clicking 'create new account'. Instead I'm going to discard what you just typed and make you type it again because that misleading button actually leads to a different form. F.U!"
WHY!!!!
First you mislead me by putting 2 buttons that look like actions but one is not the action it claims it is. It's not going to "create a new account", it's going to "switch to the create new account form".
Second you waste time, type and throw away my work. This is especially infuriating if I happened to enter that on mobile where typing is super tedious, especially if my password follows some crazy rules.
It seems like copying the name/pass from one form to the other (or making them the same form and hide/unhide the extra fields for registering) would be more respectful of the user's time and slightly mitigate the fib that "create new account" doesn't actually create a new account.
2 replies
9 Jan
Bob_Wise
codinghorror:
If an account matches [email protected], you should receive an email with instructions on how to reset your password shortly.
Note the coy "if" there, which is a hedge against all the security implications of revealing whether a given email address exists on the site just by typing it into the forgot password form.
Malicious humans or bots can already figure out if an email address or username exists in the system by trying to make a new account with that email address or username. I don't think there is any advantage to trying to hide that information here.
1 reply
9 Jan, in reply to Denis Sokolov
adregan
Perhaps, but this wouldn't be very helpful for a mixed case password (eg. for me, caps lock + shift doesn't produce lowercase text).
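The caps-lock-tolerant check Denis Sokolov proposes, as an added example that is not code from the post or from Discourse. A stored hash cannot be case-flipped, so the server re-hashes the case-inverted candidate on a miss: a failed login costs two hashes instead of one, and the accepted set doubles (the "1 bit" Denis mentions). The keyboard simulator also shows adregan's caveat: where caps lock + shift still yields upper case, a mixed-case password typed with caps lock on is not a clean inversion and the trick does not rescue it. PBKDF2 and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed PBKDF2 cost for the example; bcrypt/scrypt in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes,
                    tolerate_capslock: bool = True) -> Optional[str]:
    """Return "exact" or "inverted" on success, None on failure.

    The inverted candidate is hashed separately because the stored digest
    cannot be transformed; this is the cost side of the convenience trade-off.
    """
    _, digest = hash_password(candidate, salt)
    if hmac.compare_digest(digest, stored):
        return "exact"
    inverted = candidate.swapcase()
    if tolerate_capslock and inverted != candidate:  # skip if there are no letters
        _, digest = hash_password(inverted, salt)
        if hmac.compare_digest(digest, stored):
            return "inverted"
    return None


def type_with_capslock(password: str, shift_cancels_capslock: bool) -> str:
    """Simulate typing `password` with caps lock on.

    Unshifted letters come out upper-case.  For letters the user shifts,
    keyboards where shift cancels caps lock (True) produce lower-case, i.e. a
    clean case inversion; the keyboard adregan describes (False) keeps them
    upper-case, so the result is all caps and swapcase cannot recover it.
    """
    out = []
    for ch in password:
        if ch.islower():
            out.append(ch.upper())
        elif ch.isupper():
            out.append(ch.lower() if shift_cancels_capslock else ch)
        else:
            out.append(ch)
    return "".join(out)
```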
9 Jan
MT83
"I put on my robe and wizard hat."
1 reply
9 Jan
ambiguator
OK, Jeff, how's this for instant feedback? (I registered just so I could submit this comment):
Easily switching between "login" and "register" is great.
But why did you delete my input? I had already typed my email address and password, thinking the "create new account" javascript trigger was a submit button. Now I'm frustrated that I had to retype it.
When I click the "confirm" link from email, please send me back to the thing I was trying to do. Now I have 3 codinghorror tabs open (three!) plus my email. Just so I could post one comment.
9 Jan, in reply to pnuk
Jon Coder
That may sound great in theory, and maybe it's great for the Chinese market, but to that I have this that came to mind:
In the 10 years I've held the same email address, I've changed mobile numbers at least 4-5 times.
And mobile numbers get recycled. I've gotten many phone calls directed at the previous owner of a phone number I recently acquired.
I would never consider using a mobile phone number as identity due to how volatile they can be, at least in the western world.
9 Jan
speising
i actually object to "email as username". i hate it when sites require that, because it limits your options massively. and if someone hacks the user database of one site, they know your username, and possibly your password, on a lot of other sites. even without that, if they know your email (and we know a lot of spammers do) they can try it at those sites.
regarding recovery mails: an email address is not the same as an email account! you need access to the latter to use the recovery mail feature.
9 Jan
reavy
An important feature to include is, when logging into a website, there should either be a statement about the password policy or a tooltip-like thing to hover the cursor over to reveal the password requirements.
Sometimes when I'm in a rush to register on a site, I'll use a quick variation of a common inexpensive password I keep in my head, and I'll modify it to fit the password policy that site is enforcing. I'll then neglect to make a note of that registration in my password manager (if I were going to use the password manager, I suppose I'd have it generate my password anyway). When returning to the site later, having forgotten my registration, I'll try one that makes sense based on what I would have done for that site, but I'll get incorrect password errors.
It would be really nice, even if only after a first failed password attempt, for the site to tell me, "Hey, your password is wrong. It should be 8-40 alphanumeric characters, no hyphens or any other silliness." So that I'm not trying otherwise strong passwords that don't make any sense for that site.
Furthermore, when a site states a password policy while registering, it should darn well enforce the policy it states. It's frustrating when it says certain characters are (dis)allowed and then proceeds to enforce some other hidden policy.
Edit: P.S. Also, please please don't truncate my password and then not tell me about it! It's ever so much fun when my password is shortened at registration by the form's character limit and then a different (longer) limit is encountered on the login page and suddenly I don't have the correct password anymore.
2 replies
9 Jan
cavedog123
If using the email address as username, be sure to include a way to change that email address. My Steam account still forces me to use my @yahoo.com address. At least a few years ago they allowed you to change your real address where email goes to.
1 reply
9 Jan, in reply to Bob_Wise
Balfa
There's nothing to stop the "create new account" screen from allowing you to enter an email address that's already on record; then instead of sending a "welcome to this site!" email, it will send a "zomg, somebody might be phishing for your account or maybe you just forgot you already had an account here" email. Only the owner of the email account will be aware of the state of the system, and the attacker is none the wiser either way.
1 reply
9 Jan, in reply to cavedog123
davidzych
Same thing for me, except a @hotmail address.
9 Jan
jon49
If the email matches an email in the database then why offer the register option at all? If the email doesn't match then why offer the sign in option? If you are storing the session anyways you can get the ID once you know the email is correct and then it will be really quick to test the password.
You could show both sign in/register at first, but as soon as the email/username is filled in, there is no reason to show one or the other. That way, if the user put in the wrong email they have immediate feedback.
9 Jan
louiseroho
As a Web Developer, I thought about this issue and realized that there cannot be a "One Login Method to Rule Them All", because if that login method gets hacked for one type of site, then every site that uses that specific tool is also hacked. So, every secure site must integrate with others, but still needs to have its own specific spore on the security.
9 Jan
erlend_sh
I find it a bit amusing that you show this:
And this:
...so close together. Any particular reason why Discourse's "Sign Up" has not been renamed to "Register"?
1 reply
9 Jan
codinghorror
I downloaded my UVa transcript online to confirm, and indeed:
[Pasted image 1024x151 25.3 KB]
Definitely the Pausch class, the timing and class title is consistent with his CV. I got a B!
And then check out the excitement of my last semester...
[Pasted image 911x311 55.1 KB]
1 reply
9 Jan
timbojones
"You should either fix typos in common email domains for them"
No, don't do this! What happens when actual user@gmal.com wants to register? It is impossible because the site 'corrects' the address.
"or let them know about that."
Prompting "Did you mean user@gmail.com?" is a fine approach.
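The "suggest, never rewrite" behaviour timbojones asks for, as an added example that is not code from the post or from Discourse: the domain part is compared against a list of common providers by edit distance and a suggestion is returned for the user to accept or dismiss, while the address they typed is left untouched. The domain list and distance threshold are assumptions for the example.

```python
from typing import Optional, Sequence

# Assumed list of providers whose misspellings are worth flagging.
COMMON_DOMAINS = ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "icloud.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def suggest_email(address: str, domains: Sequence[str] = COMMON_DOMAINS,
                  max_distance: int = 2) -> Optional[str]:
    """Return a "Did you mean ...?" candidate, or None when there is nothing to suggest.

    The caller shows the suggestion and lets the user choose; the original
    address is never modified here, so a real user@gmal.com can still register.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None  # not an address we can reason about; let validation handle it
    domain_l = domain.lower()
    if domain_l in domains:
        return None  # already a known provider, nothing to suggest
    best = None
    for known in domains:
        dist = edit_distance(domain_l, known)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, known)
    return f"{local}@{best[1]}" if best else None
```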
9 Jan
pbreit
Spot on. Except I don't like the 8 character password requirement for non-financial sites.
9 Jan
zstewart
There's a critical corollary to the principle of using email as identity: you need to confirm it before treating the account as a full user of the site! Or you get this.
9 Jan, in reply to gmanjapan
Kendall1
This is my biggest pet peeve also. Whatever the user has gone to the trouble to type in, remember it. Not just the username but password too please!
9 Jan
Kendall1
One of the things I'm considering doing for a new project for iOS is in fact the zero form login. You can save a custom UUID you generate into iCloud storage for an app and use that as a login ID and/or password (to send to a server), until such time as the user chooses to give you more information to login with. A user doesn't even know if they WANT to use your service/app yet, but so many systems throw the login wall up right away... it has to be dropping out many users. Let them slowly lock down their account as it grows in importance to them.
Another thing to consider is password strength requirements: think about who you are. If you are not a bank, if I cannot spend money through your system, why do you have ANY REQUIREMENTS around your password at all? Let people use a stupid password they will remember, and then really crank up that aforementioned rate limiting to make guessing more than three times impractical. No it is NOT OK to require they use 1Password and the like.
1 reply
9 Jan
Harry_Johnston
Troy Hunt (in Introducing the Secure Account Management Fundamentals course) recommends advising the user that they don't have an account at that email address by email rather than on the website. That avoids the information exposure; I can imagine there are people who don't want it known that they are registered with a particular site. (Even a site like Stack Overflow, because some bosses seem to really hate the idea that their employees might be helping "the enemy", whether it's on their own time or not.)
If you've got a lot of email addresses, this would be less convenient than the direct method. I'm not sure whether that's enough of a problem to enough people to justify allowing the information exposure.
Of course you then need anti-automation defenses to avoid spamming the innocent. That might well tip the balance.
9 Jan
johnlbevan
With regards to email, also ensure that users can register multiple email addresses against a single account; that way they don't need to recall which mail they used, all work the same way. Have a primary mail address for any notifications from the site (i.e. separate to login concerns), or better yet, allow the user to add conditions around mail use (this is my primary mail for useful notifications, this is my mail for newsletters/stuff I may read if bored).
10 Jan
michelle_o
Please be aware that keyboard use is not just for power users or password managers. Keyboard navigation is essential for screen readers and is step 1 of testing your site for accessibility.
10 Jan, in reply to jgustie
scunliffe1
I believe there are attributes you can set on input fields to tell the browser to not autocapitalize... login forms should add this to the username field.
10 Jan
karissamck
You don't have two input password fields to verify the user's password upon signup. People might type it in wrong. You can't be serious when you say you have a good signup box, right?
2 replies
10 Jan, in reply to stefan19
matthew_ickstadt
I have little hope for SQRL to ever become mainstream, but I really want it to.
10 Jan
msummerfield
Given the choices you have already made, your login dialog could be further simplified to just two fields and one "Login/Register" button. If there is no email address matching the user input, you can then ask if they would like to create a new account. If the password does not match, you can ask if they have forgotten their password, and would like a reset email sent.
In any event, you should never clear the text fields, so that if the user has simply made a typo it is easy to fix.
This would particularly suit me. If I want high security for a site (that does not provide two factor authentication), I often just use a really long random string as a password, that even I do not know, and then use the reset email as my primary way to access the account (setting a new long, random password on my way back in). Always having exactly the same dialog would be my God login!
1 reply
10 Jan
Leo_Nel
In addition to Google, Facebook, Twitter, Yahoo and Github, any reason why Microsoft account support is not provided as one of the options?
10 Jan, in reply to Balfa
Hamled
Well, there's one thing to stop people from doing that. Namely, such a solution basically requires a confirmation email is sent, received, opened, and the link clicked upon before that account can actually be used.
This in itself is a major source of lost users, and the reason why many organizations have made email confirmation optional in their signup funnel.
Unless your service is truly reliant upon email integration for your users, you're probably better off using a combination of rate limiting and suspicious behavior identification.
10 Jan
Hamled
Forgive me if this has already been covered, but I think the idea of preventing people from signing up with popular passwords is at least a bit more problematic than it is helpful. Initially I was going to complain that a mere 10,000 wasted attempts per hash wasn't that much, but it turns out that even in 2015 bcrypt, and especially scrypt, hold up incredibly well even with GPU hashing.
That said, I think what you're looking at is adding at most 20 minutes per hash (assuming they have to use CPUs) onto the cracking time if you're using a bcrypt factor of 10 or scrypt factor of 13. Check out this video for some interesting stats on that: http://video.adm.ntnu.no/pres/5499318fcce2c.
And what do you trade for that? A large majority of your users, for most sites, are then forced to use a password that they don't normally use. A password they're likely to forget. If they even bother continuing to sign up after some stupid website told them their password was dumb. And it's not like the acceptable password they choose is going to be massively better; it'll probably still be in the top 100,000 or million passwords guessed by a competent cracking program.
Philosophically, I think it's my responsibility to assume that every single one of my users is so unconcerned about security that they really will make their password 'password' (or whatever minimum additions to that are required to fit my stated requirements). The best I can do is pick password related technologies and designs that protect them as much as possible in the event of a breach.
The user's responsibility, OTOH, is to assume that I'm so unconcerned with their security that I'll store their passwords in plaintext. In that case they'd use a password manager, or insist upon a stronger technology like PAKE and/or two factor auth. Sadly not enough users assume this, but we also can't make them.
10 Jan, in reply to MT83
dave_steinberg
I literally rushed to add this comment, in the hope, however vain, that it would be the first. Alas...
10 Jan
saurabhguptatwt
I like the game. If we extend this outside the www domain: a cop stops you and asks for your driving license. What will a GOD require? He wouldn't stop you, just write you a ticket and withdraw the fine from your bank account. Sounds freakish!
11 Jan
andrekibbe
Kendall1:
If you are not a bank, if I cannot spend money through your system why do you have ANY REQUIREMENTS around your password at all?
Because the same login credentials are likely to be used on banks and other sensitive sites visited by the user. Since most people stick with passwords that are easy to remember, they're probably using them everywhere, so their security profile is a chain as strong as its weakest link. A hacker who's obtained hundreds of user logins is guaranteed to have at least a few dozen of those that are valid for BofA.com, PlayStation.com, etc.
1 reply
11 Jan
andrekibbe
gmanjapan:
It seems like copying the name/pass from one form to the other (or making them the same form and hide/unhide the extra fields for registering) would be more respectful of the user's time and slightly mitigate the fib that "create new account" doesn't actually create a new account.
With most registration tools only the encrypted version of the password is stored; it's hashed before being saved to the database. So there's no server side access to the unencrypted password to populate the form with it. That's the same reason why most "Forgot your password?" links require a password reset, regardless of how annoying it is to the user.
Of course, forms could probably do some client side validation and simply reject invalid submissions up front so that the password remains in the field.
11 Jan, in reply to erlend_sh
andrekibbe
I disagree with the rather pedantic arguments in the left column implying that "Sign Up" and "Sign In" are indistinguishable. On the contrary, they're visually and grammatically consistent, and since they're different buttons in the same region, users can easily parse that they're distinctly different options. This is what Tufte calls the Least Effective Difference. You don't need to accentuate the difference further by varying the wording or style. I personally find those superfluous differences aesthetically incoherent without offering any additional usability advantages in return.
11 Jan, in reply to reavy
roelandsch
I came across a lot of those password length limitations and forbidden characters etc. One website even required me to use a number in the username.
I don't get why websites need those limitations in the first place. I mean, they should just do SHA2(saltySalt + "correct horse battery staple") anyway.
I wonder what they're doing. Using their own basement grown hash? Or maybe they're not sure which characters will cause mysql_query("INSERT INTO my_users VALUES ('$user', '$password')"); to break.
1 reply
12 Jan
t1oracle
Instead of telling users that they gave the wrong email address on the site, why don't you just send an email to them at that address telling them of the error? That way hackers can't use your form to expose user accounts. Within that email you can provide a link to recover the forgotten email address using security questions.
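The enumeration-resistant flows discussed in this thread, as an added example that is not code from the post or from Discourse: Balfa's idea that registering an address already on record sends a "you already have an account" mail instead of an error, the Troy Hunt advice quoted by Harry_Johnston and t1oracle's variant of it that an unknown address in the reset form is told so by email, and Harry_Johnston's caveat that the outbound mail then needs an anti-automation cap. The site responses are identical whichever branch runs. Message texts, the in-memory store and the per-address mail cap are assumptions for the example; password hashing is left to the caller.

```python
import secrets
from collections import Counter
from typing import Dict, List, Tuple


class AccountService:
    # The same wording is returned on every branch so the page reveals nothing.
    GENERIC_REGISTER = "Check your inbox to finish setting up your account."
    GENERIC_RESET = ("If an account matches that address, we have emailed "
                     "password reset instructions.")

    def __init__(self, max_mails_per_address: int = 3) -> None:
        self.users: Dict[str, str] = {}                 # email -> password hash (opaque here)
        self.outbox: List[Tuple[str, str, str]] = []    # (to, subject, body), stands in for SMTP
        self.mail_count: Counter = Counter()
        self.max_mails = max_mails_per_address          # assumed anti-automation cap
        self.reset_tokens: Dict[str, str] = {}          # token -> email

    def _send(self, to: str, subject: str, body: str) -> bool:
        """Deliver unless this address has already hit the cap (Harry_Johnston's caveat:
        otherwise the form becomes a tool for spamming an innocent inbox)."""
        if self.mail_count[to] >= self.max_mails:
            return False
        self.mail_count[to] += 1
        self.outbox.append((to, subject, body))
        return True

    def register(self, email: str, password_hash: str) -> str:
        email = email.strip().lower()
        if email in self.users:
            # Balfa's branch: the existing owner learns what happened; the requester does not.
            self._send(email, "You already have an account",
                       "Someone tried to register with your address. If that was you, "
                       "use 'forgot password'. Otherwise you can ignore this message.")
        else:
            # Real code would hold the account as unconfirmed until the link is clicked.
            self.users[email] = password_hash
            self._send(email, "Welcome", "Confirm your address to activate your account.")
        return self.GENERIC_REGISTER

    def request_reset(self, email: str) -> str:
        email = email.strip().lower()
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = email
            self._send(email, "Reset your password", f"Reset link token: {token}")
        else:
            # t1oracle's branch: the error goes to the mailbox, not to the web form.
            self._send(email, "No account found",
                       "Someone asked to reset a password for this address, but no "
                       "account exists here. If you have lost track of the address you "
                       "registered with, use the account recovery link instead.")
        return self.GENERIC_RESET
```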
12 Jan, in reply to roelandsch
t1oracle
If they sanitized their inputs then all characters would be safe. Since they're hashing (salted, by crypt) anyway (or should be) there is no need to worry about odd characters.
12 Jan
World Maker