a companion discussion area for blog.codinghorror.com

The God Login


I agree, and if that means loading the login form in your ajaxed website and just hiding it from view, so be it.

So many ajaxed SPAs nowadays don’t work correctly with password managers because they search the page for login forms after page load, not periodically.

So requesting and injecting the login form after page load may get in the way of a lot of people's login workflows.


How do you handle international keyboards with regard to special characters, or do you offer this on only alphanumeric passwords?


Wouldn’t logging in be simpler without passwords at all?

This is how my wife uses most websites:

  • go to site
  • click lost password
  • check email for password

She rarely remembers her passwords, especially for infrequently used commerce websites. The passwords are an annoyance, and they are a definite security weak point. Most people don’t use password managers, and most people are not capable of being imaginative enough to generate a decent password per website.

For a lot of real users out there, wouldn’t it be better as just:

  • go to site
  • enter email
  • click link in email

Just send a link with a one-time / time-limited key to the one place she knows and hopefully has a strong password. This is effectively how my wife uses most websites anyways, and could we improve security by removing the fallacy that we need this password at all?

Also, this saves her time from creating a new password, going through a few more dialogs, etc. In commerce you want to remove barriers; the longer it takes to process a sale, the more sales you lose.

Maybe we just call it poor man's offline oath.


What about removing the login button altogether?

As a user types their password, constantly check whether it’s accurate or not by sending requests to the server. When the user hits the right password, you automatically log them in. There are some security issues involved, but they can be dealt with.