Transcript
A tumblr post saying "i really like this thing where websites will have separate “log in” & “sign up” buttons and if you click “log in” it takes you to a sign-up screen anyway so you have to click “i already have an account” and then it will ask if you want to sign in with your facebook account or with instagram or linkedin or deviantart or whatever, and if you choose “username & password” it asks if you want to put in your username or use your thumbprint, and once you put your username & password it emails you a confirmation code, and once you put in the code it says “do you want to give us your phone number for future sign-ins? do you want to sign up for facial recognition? do you want to give us your bones? give us your fucking bones?”
I came to the comments to post this exact complaint. I’m sure it’s considered more secure somehow, (maybe to prevent autofill attacks?) but at least code your fields properly so my password manager can auto detect the username field.
Also, phone number/ZIP code fields that pull up the full keyboard on mobile, instead of just the number pad. There’s no reason to show the entire keyboard, and phones have the ability to detect what kind of input the field wants… But website devs don’t bother coding their fields properly for numbers only, so the phone pulls up the full keyboard by default.
Lastly, 2FA fields that break paste. Like when it’s asking for a 6-digit TOTP code, and the field is actually broken up into two 3-digit fields instead.
countries with alphanumerical postal codes exist, so unless you are 100% sure, that your service won’t be used by someone from such a country, you’d better allow alphanumerical inputs in your postal code field. Addresses in general are tricky, because they work different across the globe, for example house numbers are not a thing everywhere, hell i am not sure if streetnames are a thing everywhere.
Feels like a security issue to me. You could put in literally anyone’s email address on a site that does this and immediately know if they have an account there or not. Even if you don’t know their password, you know something new about that person.
I feel you on all these other ones too. There’s a lot of UI/UX designers out there that need to be barred from that field forever.
in the uk post codes have letters
Auto fill attacks is a weird way of saying password managers. You know. Those things that make it easier to use good password practices and be more secure.
I mean, there’s a reason browsers moved towards asking to autofill. Back when browsers would just do it automatically, there were malicious pages/ads that would hide fake username+password fields offscreen. So when the ad loaded, the browser would try to be helpful and would autofill the info. Then the ad would simply capture the autofilled info, and now your account is compromised.
Autofill attacks were so awful because the browser automatically did it without asking first. It was literally a zero-click drive-by attack that nabbed your info without any prompting or alerts on the user’s end. So to try and combat this, browsers moved towards requiring a prompt.
Tangentially, malicious ads then started using clipboard attacks instead. The ad would simply request your clipboard data, because there was a very good chance that it was your password. That’s why browsers stopped allowing sites to request clipboard data at all, and now it requires the user to actually push the data via a Ctrl+v instead; Anyone who has used Google Docs/Google Sheets will be able to tell you that Right Click>Paste doesn’t work, and it’s because the site isn’t allowed to request access to your system’s clipboard.
That’s all very interesting and insightful, but I don’t see how a site putting username and password entry on separate screens helps mitigate any of this, unless they’re doing something like showing ads on the page that asks for the username but not the one that asks for the password? I typically use ad blockers so I genuinely don’t know what’s standard. My gut feeling would but they don’t show ads on those pages at all. Apart from sites that have username and password boxes on the main page. But that’s still no reason to split the password from the username if both are on a dedicated page with no ads. I don’t see how it would prevent against fake password entry boxes either. Most of those sound like things the browser would ultimately need to mitigate against since any site could be compromised. Obviously sites have some role in it too.
its because of SSO. if your company signs up for something that implements SSO then the tool will need your mail, recognizes that you‘re from company X, and forward you to yoir companys login page so ot can get an auth token
Yes, this, but I don’t think just for organization’s login pages. The email may also lead to a google sign in (for example) or some other single sign on (SSO). The site you are on needs to know the email to decide what to show next to continue the log in process.
That said, web devs should be coding the fields correctly.
sure, the company was just used as an example for people who dont know the term SSO
Github doesn’t use two screen login but also still works with sso.
KeePassXC lets you edit the auto-type for each individual password, so you can have it go
{USERNAME} {ENTER} {DELAY X} {PASSWORD} {ENTER}
x would be a number of milliseconds you may need for the next page to load in