• @GlitterInfection
    link
    English
    518 months ago

    Display one form field at a time for an economical layout

    Preferably not when asking for username and password, since that messes with password manager autofill.

    • jadero
      link
      fedilink
      197 months ago

      And yet more sites do it, even on desktop. As far as I can tell, most of them are also doing it in a way that breaks security by validating the username before asking for the password.

      • Ephera
        link
        fedilink
        107 months ago

        I know that single sign-on can be integrated that way.

        For example, let’s say you work at Wheezecakes Inc. and want to log into your programming.dev account. Then you’d type your e-mail address, [email protected], into the username field and hit enter.

        The webpage sends that to the server, which realizes that you’re a Wheezecakes employee, so it redirects you to login.wheezecakes.com or whatever SSO provider is in use, you log in there (or ideally already have a login cookie), and then programming.dev just gets told that, yeah, you’re authenticated to login.

        So, while it’s obviously possible that webpages genuinely do this wrong, you’re probably seeing such SSO integration and they’re not actually validating the username ahead of time.

        • jadero
          link
          fedilink
          87 months ago

          I have seen some that seem to be doing that kind of thing, but many others that will reject a bad username before asking for a password.

          To double check, I just now tried putting a known bad email address into the username field for amazon.ca and was not then asked for a password, but told that no account could be found.

          My possibly flawed understanding of login security is that a failed login should reveal nothing about why the login failed in order to prevent information leakage that can be exploited.

          • Ephera
            link
            fedilink
            47 months ago

            Hmm, interesting.

            And yeah, that is my understanding, too. If an attacker knows that a certain e-mail address has an account associated, they might try to bruteforce the password or send a phishing mail to that e-mail address, which looks like an official mail from Amazon.

            I’m guessing, Amazon requires 2FA, which would protect from this to some degree, but still seems unnecessary to hand out information like that.

            • jadero
              link
              fedilink
              27 months ago

              Amazon allows 2FA, but I’m pretty sure they don’t require it.

    • @[email protected]
      link
      fedilink
      38 months ago

      Not always, i think. There are some SSO solutions that behave like this, and password gets filled in fine.

      • @[email protected]
        link
        fedilink
        English
        57 months ago

        Yeah, it’s possible to get it to work with password managers. I believe it has to do with ensuring the password field still exists on the page when the username is shown.

    • @AnUnusualRelic
      link
      3
      edit-2
      7 months ago

      Even one character at a time, since our screens are so small these days.

  • @solrize
    link
    17 months ago

    This article is actually sort of useful. Thanks.