Howsoever long the path may be, you can always rely on Long Path Tool. Its sure to sort out your problem.
Biometrics could be used to replace the email and password?
Smartphones, tablets and notebooks come with front cameras and microphones. Even TVs are getting these.
Your appearance might change with aging, but not that much. Haircut, glasses, beard and so on can be filtered out.
Problem is: what if you become disfigured. Or looses the ability to speakâŚ
Just noticed this today on one of my favorite sites and felt it must be sharedâŚ
[When Jeff Atwood Likes Us][1]
[1]: http://thejoysofcode.tumblr.com/post/37835116147/when-jeff-atwood-likes-us
1 Like
I prefer just using Facebook or Google+ to login to everything. When transferring to iPad or mobile, I can download the apps and then it instinctively knows who I am. A seamless integration.
Great blog post. Thanks!
There is teddyid.com that can handle both email and phone number as authorization login.
Actually, it takes password management and entering into different wesites to the next level: you only need your login and your phone to securely log in almost everywhere. Very handy.
Excellent post, great stuff to think about. I just recently had to develop a login form, and it is funny how complex a simple thing like this can be. I really like the concept of What Would God Design, and getting as close to that as possible.
This is brilliant, and can be applied to different aspects of a site!!
Agreed, I will see that we fix that.
Opinions vary, if the field is really simple it can be OK, but I agree that having the help text disappear when you type in the field is kind of a worst case scenario. As you type is when you need the help the mostâŚ
Agreed we need to do this as well.
Another great idea. Will look into this.
Doesnât matter, if they forget their password to any of those, and they will⌠guess how they recover the password? Email is the bedrock of social Internet, nobody will ever kill it.
Repeating the password is user hostile at this point, will reduce sign ups, and just isnât that effective. Better to have simple fast password recovery. Most sites are moving away from this âmust repeat password twiceâ design and I agree with that.
Also @darrenpmeyer and others, this idea that an attacker can now mine your login form for emails is kind of an illusion; you could do the very same thing with the signup form, where you must tell the user if that email exists or not⌠That said, if you want this feature it can be turned on in the site settings in Discourse.
Basically youâre advocating case-insensitive passwords. No need to detect caps lock for that, just toUpper the string 
No, I donât. Your suggestion costs n bits of entropy, where n is the length of userâs password.
I suggest to sacrifice 1 bit of entropy. Itâs quite different.
1 Like
I wonder if the shift behavior you mention is common place.
For uncommon behavior users, such as you or me (I have caps lock disabled), my suggestion sacrifices 1 bit of entropy and nothing else, so I donât see much downside.
It would be great if SQRL had some serious backing - it has the potential to be a great alternative to the whole username/password plague. Itâs something we desperately need!!
The whole way through this article I was thinking: all of this would be irrelevant if we could just all use SQRL. If your reading this and you follow the link please donât let the website scare you off. Itâs hideous yes, but the ideas involved legitimately solve the problem of passwords on the web.
roblockyer is right that Gibsonâs website describing SQRL is lacking aesthetic appeal. http://sqrl.pl/blog/ provides a quality explanation of the technology with a much better eye for page design.
I watched the Last Lecture multiple times, and I have no doubt the man was probably one of the best CS instructors in existence. However, I fail to see how this âWhat would God do?â (WWGD?) conceit helps at all.
Take your example of sorting. God would just perform a bogosort, with the twist that his first try works every time. How does that help me? Does it mean I should start with bogosort in analyzing a sorting problem? I sure hope not.
The answer is it doesnât help me at all. Iâm right back where I started. Not having omniscience and omnipotence, I actually have to work at the problem.
Sure you should always have the goal to make things as simple as possible for both the user and the code. If thatâs what you are trying to say, why not go straight to that? Iâm just not seeing where dragging in an entity that doesnât have the same problems I have (or in fact any problems) clears things up in the slightest.
A few thoughts:
-
Was there some discussion about (not) having a âremember meâ checkbox?
-
In terms of allowing a user to change their e-mail, that probably means you have an internal account ID which is not their e-mail address. Theoretically thatâs an implementation detail and not UX, but itâs one that makes the UX work reliably so worth mention. Thereâs also the question of what happens if you lose access to an e-mail address and need to get back in to the account.
-
In the end, because of what I think was some maintenance going on on this site that I had the bad luck to hit, it took me a couple hours to sign up and post this. Which makes me think of a a higher level issue - isnât the âGod algorithmâ for a public forum one that makes sure a user can post a comment and it wonât get lost? Ideally, Iâd be able to post my comment first and then worry about logging in, signing up, etc. - by the time Iâve gotten the confirmation e-mail, etc. Iâve opened a few other browser tabs and possibly gone on to do other things altogether. (Maybe this is a way to ensure quality but then again the trolls may me more likely than anyone to come back.) For example, ask me for my comment and an e-mail address (with the usual âe-mail will not be publicâ thing) then when I post, let me know that youâve save my comment but since Iâm not logged in, youâve sent me an e-mail with instructions to create an account which I need to do before my post will show up. Or something like that.
Very informative, we are in the beta phase of our web application and we are doing analytics using some of the information provided here. Canât wait to see the result!
@robertlagrant He is not advocating pass phrase case insensitivity, he is saying you should accept the EXACT opposite case of the âcorrectâ pass phrase as valid. Example: if the âcorrectâ pass phrase is âthisisapaSSphraseâ, then you would also accept âTHISISAPAssPHRASEâ as well, but you would NOT accept âTHISisapassphraseâ. The end result is that exactly 2 pass phrases are valid, instead of exactly 1. That does not significantly harm the security, unless I am mistaken.
I am pretty sure this is how Facebook does it.
1 Like
If I logged into every website with Google, and the access to Google was compromised - bum, all my accounts would be compromised too.
So, the more places you use your Google account to log in, the more danger is there for that Google account to be compromised.
In other words, maximum security is needed if using a single account to login in multiple places - e.g. at least two-factor authentication or yubikey or whatever.
I prefer using password managers and a unique password for every single website. Plus two-factor where possible. This way, even if my passwords storage account is compromised (e.g. Roboform Everywhere, LastPass etc), no access is gained to all my accounts. The accounts that, similar to the-Google-case, use a single website to log in, but in some other sense this time.
CodingHorror, Iâd add that one should test their login screen with all popular passwords manager tools as well.
1 Like