1/26/2015

CODING HORROR
programming and human factors
Coding Horror has been continuously published since 2004. Copyright Jeff Atwood 2015. Logo image 1993 Steven C. McConnell. Proudly published with Ghost.

09 Jan 2015

The God Login

I graduated with a Computer Science minor from the University of Virginia in 1992. The reason it's a minor and not a major is because to major in CS at UVa you had to go through the Engineering School, and I was absolutely not cut out for that kind of hardcore math and physics, to put it mildly. The beauty of a minor was that I could cherry pick all the cool CS classes and skip everything else.

One of my favorite classes, the one I remember the most, was Algorithms. I always told people my Algorithms class was the one part of my college education that influenced me most as a programmer.

I wasn't sure exactly why, but a few years ago I had a hunch so I looked up a certain CV and realized that Randy Pausch (yes, the Last Lecture Randy Pausch) taught that class. The timing is perfect: University of Virginia, Fall 1991, CS461 Analysis of Algorithms, 50 students.

I was one of them.

http://blog.codinghorror.com/thegodlogin/

1/35

No wonder I was so impressed. Pausch was an incredible, charismatic teacher, a testament to the old adage that you should choose your teacher first and the class material second, if you bother to at all. It's so true.

In this case, the combination of great teacher and great topic was extra potent, as algorithms are central to what programmers do. Not that we invent new algorithms, but we need to understand the code that's out there, grok why it tends to be fast or slow due to the tradeoffs chosen, and choose the correct algorithms for what we're doing. That's essential.

And one of the coolest things Mr. Pausch ever taught me was to ask this question:

What's the God algorithm for this?

Well, when sorting a list, obviously God wouldn't bother with a stupid Bubble Sort or Quick Sort or Shell Sort like us mere mortals, God would just immediately place the items in the correct order. Bam. One step. The ultimate lower bound on computation, O(1). Not just fixed time, either, but literally one instantaneous step, because you're freakin' God.

This kind of blew my mind at the time.

I always suspected that programmers became programmers because they got to play God with the little universe boxes on their desks. Randy Pausch took that conceit and turned it into a really useful way of setting boundaries and asking yourself hard questions about what you're doing and why.

So when we set out to build a login dialog for Discourse, I went back to what I learned in my Algorithms class and asked myself:

How would God build this login dialog?

And the answer is, of course, God wouldn't bother to build a login dialog at all. Every user would already be logged into GodApp the second they loaded the page because God knows who they are. Authoritatively, even.

This is obviously impossible for us, because God isn't one of our investors.

But... how close can we get to the perfect godlike login experience in Discourse? That's a noble and worthy goal.

Wasn't it Bill Gates who once asked why the hell every programmer was writing the same File Open dialogs over and over? It sure feels that way for login dialogs. I've been saying for a long time that the best login is no login at all and I'm a staunch supporter of logging in with your Internet Driver's license whenever possible. So we absolutely support that, if you've configured it.

But today I want to focus on the core, basic login experience: user and password. That's the default until you configure up the other methods of login.

A login form with two fields, two buttons, and a link on it seems simple, right? Bog standard. It is, until you consider all the ways the simple act of logging in with those two fields can go wrong for the user. Let's think.


Let the user enter an email to log in

The critical fault of OpenID, as much as I liked it as an early login solution, was its assumption that users could accept a URL as their "identity". This is flat out crazy, and in the long run this central flawed assumption in OpenID broke it as a future standard. User identity is always email, plain and simple. What happens when you forget your password? You get an email, right? Thus, email is your identity. Some people even propose using email as the only login method.

It's fine to have a username, of course, but always let users log in with either their username or their email address. Because I can tell you with 100% certainty that when those users forget their password, and they will, all the time, they'll need that email anyway to get a password reset. Email and password are strongly related concepts and they belong together. Always!

(And a fie upon services that don't allow me to use my email as a username or login. I'm looking at you, Comixology.)

Tell the user when their email doesn't exist

OK, so we know that email is de-facto identity for most people, and this is a logical and necessary state of affairs. But which of my 10 email addresses did I use to log into your site?

This was the source of a long discussion at Discourse about whether it made sense to reveal to the user, when they enter an email address in the "forgot password" form, whether we have that email address on file. On many websites, here's the sort of message you'll see after entering an email address in the forgot password form:

    If an account matches name@example.com, you should receive an email with instructions on how to reset your password shortly.

Note the coy "if" there, which is a hedge against all the security implications of revealing whether a given email address exists on the site just by typing it into the forgot password form.

We're deadly serious about picking safe defaults for Discourse, so out of the box you won't get exploited or abused or overrun with spammers. But after experiencing the real world "which email did we use here again?" login state on dozens of Discourse instances ourselves, we realized that, in this specific case, being user friendly is way more important than being secure.

The new default is to let people know when they've entered an email we don't recognize in the forgot password form. This will save their sanity, and yours. You can turn on the extra security of being coy about this, if you need it, via a site setting.

Let the user switch between Log In and Sign Up any time

Many websites have started to show login and signup buttons side by side. This perplexed me; aren't the acts of logging in and signing up very different things?

Well, from the user's perspective, they don't appear to be. This Verge login dialog illustrates just how close the sign up and log in forms really are. Check out this animated GIF of it in action.

We've acknowledged that similarity by having either form accessible at any time from the two buttons at the bottom of the form, as a toggle:

And both can be kicked off directly from any page via the Sign Up and Log In buttons at the top right:

Pick common words

That's the problem with language, we have so many words for these concepts:

Sign In
Log In
Sign Up
Register
Join <site>
Create Account
Get Started
Subscribe

Which are the "right" ones? User research data isn't conclusive.

I tend to favor the shorter versions when possible, mostly because I'm a fan of the whole brevity thing, but there are valid cases to be made for each depending on the circumstances and user preferences.

Sign In may be slightly more common, though Log In has some nautical and historical computing basis that makes it worthy:

    A couple of years ago I did a survey of top websites in the US and UK and whether they used sign in, log in, login, log on, or some other variant. The answer at the time seemed to be that if you combined log in and login, it exceeded sign in, but not by much. I've also noticed that the trend toward sign in is increasing, especially with the most popular services. Facebook seems to be a log in holdout.

Work with browser password managers

Every login dialog you create should be tested to work with the default password managers in

Internet Explorer
Chrome
Firefox
Safari

at an absolute minimum. Upon subsequent logins in that browser, you should see the username and password automatically autofilled.

Users rely on these default password managers built into the browsers they use, and any proper modern login form should respect that, and be designed sensibly, e.g. the password field should have type="password" in the HTML and a name that's readily identifiable as a password entry field.

There's also LastPass and so forth, but I generally assume if the login dialog works with the built in browser password managers, it will work with third party utilities, too.

Handle common user mistakes

Oops, the user is typing their password with caps lock on? You should let them know about that.

Oops, the user entered their email as name@gmal.com instead of name@gmail.com? Or name@hotmail.cm instead of name@hotmail.com? You should either fix typos in common email domains for them, or let them know about that.

(I'm also a big fan of native browser "reveal password" support for the password field, so the user can verify that she typed in or autofilled the password she expects. Only Internet Explorer and I think Safari offer this, but all browsers should.)
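
Both checks above, as an added example in JavaScript that is not code from this post or from Discourse: a "did you mean" suggestion for mistyped email domains, built on edit distance against a short list of common domains, and caps-lock detection for the password field. The domain list, the distance threshold of 2, and the element names used in attachLoginHints are assumptions made for the example. The domain check only suggests a correction and never rewrites the field, so an address that really is at an unusual domain can still be used.

```javascript
// Added example, not Discourse's code. Pure functions so they run under
// Node without a DOM; attachLoginHints() at the bottom wires them to a form.

// Assumed list of common mail domains; a production list would be longer.
const COMMON_DOMAINS = ['gmail.com', 'hotmail.com', 'yahoo.com', 'outlook.com', 'icloud.com'];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0];            // D[i-1][j-1] for the current j
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];           // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Suggest the address the user probably meant, or null if the domain is
// already a known one, is too far from any known one, or the input is not
// shaped like an address. Suggest only: never overwrite the field, since
// someone really may own name@gmal.com.
function suggestEmailDomain(email, maxDistance = 2) {
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  const local = email.slice(0, at);
  const domain = email.slice(at + 1).toLowerCase();
  if (COMMON_DOMAINS.includes(domain)) return null;
  let best = null;
  let bestDistance = maxDistance + 1;
  for (const candidate of COMMON_DOMAINS) {
    const d = editDistance(domain, candidate);
    if (d < bestDistance) { best = candidate; bestDistance = d; }
  }
  return best === null ? null : `${local}@${best}`;
}

// Caps-lock state inferred from a keystroke in the password field. Modern
// browsers report it directly via getModifierState; the fallback is the
// classic inference (an upper-case letter arriving without Shift, or a
// lower-case one with Shift). Returns true, false, or null when the key
// carries no case information (digits, punctuation, modifier keys).
function capsLockFromKey(event) {
  if (typeof event.getModifierState === 'function') {
    return event.getModifierState('CapsLock');
  }
  const key = event.key;
  if (typeof key !== 'string' || key.length !== 1) return null;
  const upper = key.toUpperCase();
  const lower = key.toLowerCase();
  if (upper === lower) return null;
  return (key === upper) !== Boolean(event.shiftKey);
}

// Browser wiring (assumed field names): shows a hint next to the form
// instead of blocking submission. Not exercised under Node.
function attachLoginHints(form, hintElement) {
  const login = form.querySelector('input[name="login"]');
  const password = form.querySelector('input[type="password"]');
  login.addEventListener('blur', () => {
    const guess = suggestEmailDomain(login.value.trim());
    hintElement.textContent = guess ? `Did you mean ${guess}?` : '';
  });
  password.addEventListener('keydown', (event) => {
    hintElement.textContent = capsLockFromKey(event) === true ? 'Caps Lock is on' : '';
  });
}
```

The fallback inference has a known blind spot: on keyboard layouts where Caps Lock plus Shift still yields upper case, a lower-case letter never arrives with Shift held, so only the upper-case-without-Shift branch will ever fire. Where getModifierState is available it is used in preference.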

Help users choose better passwords

There are many schools of thought on forcing, er, helping users choose passwords that aren't unspeakably awful, e.g. password123 and iloveyou and so on.

There's the common password strength meter, which updates in real time as you type in the password field.

It's a clever idea, but it gets awful preachy for my tastes on some sites. The implementation also leaves a lot to be desired, as it's left up to the whims of the site owner to decide what password strength means. One site's "good" is another site's "get outta here with that Fisher-Price toy password". It's frustrating.

So, with Discourse, rather than all that, I decided we'd default on a solid absolute minimum password length of 8 characters, and then verify the password to make sure it is not one of the 10,000 most common known passwords by checking its hash.

Don't forget the keyboard

I feel like keyboard users are a dying breed at this point, but for those of us that, when presented with a login dialog, like to rapidly type

    name@example.com, tab, p4$$w0rd, enter

please verify that this works as it should. Tab order, enter to submit, etcetera.

Rate limit all the things

You should be rate limiting everything users can do, everywhere, and that's especially true of the login dialog.

If someone forgets their password and makes 3 attempts to log in, or issues 3 forgot password requests, that's probably OK. But if someone makes a thousand attempts to log in, or issues a thousand forgot password requests, that's a little weird. Why, I might even venture to guess they're possibly not human.

You can do fancy stuff like temporarily disable accounts or start showing a CAPTCHA if there are too many failed login attempts, but this can easily become a griefing vector, so be careful.

I think a nice middle ground is to insert standard pauses of moderately increasing size after repeated sequential failures or repeated sequential forgot password requests from the same IP address. So that's what we do.
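
The backoff described above, as an added example in JavaScript that is not Discourse's code: repeated failures from the same IP address earn a pause that grows by a fixed step up to a cap, a quiet period clears the counter, and a successful login clears it immediately. The constants, the login:/forgot: key prefixes, and the shape of the returned decision objects are assumptions; the clock is injected so the behaviour can be exercised without real waiting.

```javascript
// Added example, not Discourse's code. Per-key backoff: every failed login
// (or forgot-password request) from the same source adds a pause before the
// next attempt is accepted. Constants and key prefixes are assumptions.

class FailureBackoff {
  // baseMs: pause after the first failure; stepMs: added per further failure;
  // maxMs: cap, so a griefer cannot lock out a shared IP indefinitely;
  // resetMs: quiet period after which the counter is forgotten;
  // now: clock function, injectable for tests.
  constructor({ baseMs = 1000, stepMs = 1000, maxMs = 30000, resetMs = 600000, now = Date.now } = {}) {
    Object.assign(this, { baseMs, stepMs, maxMs, resetMs, now });
    this.state = new Map(); // key -> { failures, lastFailureAt }
  }

  // Milliseconds the caller must still wait before handling this key's
  // next attempt; 0 means proceed.
  waitFor(key) {
    const entry = this.state.get(key);
    if (!entry) return 0;
    const elapsed = this.now() - entry.lastFailureAt;
    if (elapsed >= this.resetMs) {
      this.state.delete(key);
      return 0;
    }
    const pause = Math.min(this.maxMs, this.baseMs + this.stepMs * (entry.failures - 1));
    return Math.max(0, pause - elapsed);
  }

  // Record a failure; returns the new consecutive-failure count.
  recordFailure(key) {
    const entry = this.state.get(key) || { failures: 0, lastFailureAt: 0 };
    entry.failures += 1;
    entry.lastFailureAt = this.now();
    this.state.set(key, entry);
    return entry.failures;
  }

  // A successful login ends the sequence of failures for that key.
  recordSuccess(key) {
    this.state.delete(key);
  }
}

// Login endpoint logic, framework-free: returns a decision object.
// credentialsValid is the result of the real password check.
function handleLoginAttempt(limiter, ip, credentialsValid) {
  const key = `login:${ip}`;
  const wait = limiter.waitFor(key);
  if (wait > 0) return { status: 429, retryAfterMs: wait };
  if (credentialsValid) {
    limiter.recordSuccess(key);
    return { status: 200 };
  }
  return { status: 401, failures: limiter.recordFailure(key) };
}

// Forgot-password endpoint: every request counts toward the pause, whether
// or not the address is known, so the pause itself reveals nothing about
// which addresses exist.
function handleForgotPassword(limiter, ip) {
  const key = `forgot:${ip}`;
  const wait = limiter.waitFor(key);
  if (wait > 0) return { status: 429, retryAfterMs: wait };
  limiter.recordFailure(key);
  return { status: 202 };
}
```

Keying on the IP address alone is what the post describes; the limiter accepts any string key, so a deployment whose users sit behind shared proxies could key on email plus IP instead without changing the logic.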

Stuff I forgot

I tried to remember everything we went through when we were building our ideal login dialog for Discourse, but I'm sure I forgot something, or could have been more thorough. Remember, Discourse is 100% open source and by definition a work in progress, so as my friend Miguel de Icaza likes to say, when it breaks, you get to keep both halves. Feel free to test out our implementation and give us your feedback in the comments, or point to other examples of great login experiences, or cite other helpful advice.

Logging in involves a simple form with two fields, a link, and two buttons. And yet, after reading all this, I'm sure you'll agree that it's deceptively complex.

Your best course of action is not to build a login dialog at all, but instead rely on authentication from an outside source whenever you can.

Like, say, God.

Written by Jeff Atwood

Indoor enthusiast. Co-founder of Stack Exchange and Discourse. Disclaimer: I have no idea what I'm talking about. Find me here: http://twitter.com/codinghorror


Continue Discussion (79 replies)

9 Jan
Mad Overlord
One subtle tweak... the Sign In and New Account buttons should have some space between them, to reduce the chance of a misclick. And the "expected" action should be the one directly below the name/password fields.

9 Jan
kram1032
I find it kind of weird that the "Login" button looks different in different places:
Once, it's an open lock, and once a person. Is there any particular reason for that?

9 Jan
kersti
All very good points, and it leads to a discussion about passwords in general. Pet hate of mine is websites that don't allow anything other than alphanumeric characters; to my mind the site itself is not secure when they won't let me use ! in the middle of my password string.
Have recently had to give up an account because the site decided that a few failed login attempts (thanks to a 2 year old) was a security risk, so they changed my password for me (gee thanks). They won't show me all of the email address, although from what they did show me I could figure out which one it was, and their forgot password email never arrives (apparently a common problem with this very large site). Naturally of course there is no way to contact anyone there either.
And in a site I run I often get people trying to be reunited with accounts where they have no matching information, yet they claim that they are the owner but they used false info for privacy reasons. If all I've got to go on is an email address, first name and birthdate and you've changed those, then I'm not giving you this old account! I'm setting up a page of security questions to hopefully tackle that in the future.

9 Jan
marioawad
If you don't respect the {USERNAME}{TAB}{PASSWORD}{ENTER} sequence on your login form, me and my friend KeePass will be constantly looking for another alternative website. That and also making sure the title of your login page includes your website's name and not only a generic "Log In" title.
1 reply

9 Jan
pnuk
codinghorror:
    Thus, email is your identity.
Unless it's your mobile phone number: Chinese Mobile App UI Trends
1 reply

9 Jan, replying to marioawad
Pommes
Maybe these plugins can help you with the "login" titles:
http://keepass.info/plugins.html#urlintitle
These plugins show the URL of the website in the title bar.
1 reply

9 Jan
Papuass_
A bit off topic, but this has to be cutest login form from all. Try entering password:
https://dash.readme.io/login
1 reply

9 Jan, replying to Pommes
marioawad
This is awesome. Thank you. I'll keep those in mind for the future as currently I have no websites with this problem as I just leave them behind hehe. And I have more than 400 entries in KeePass

9 Jan
Denis Sokolov
Consider not giving the user a big and scary warning about caps lock, but instead check his password against a case inverted version of itself.
2 replies

9 Jan
stefan19
Have you thought about supporting SQRL in the future? Login without username, password or email. Very close to the way god would have designed it.
1 reply

9 Jan, replying to Denis Sokolov
erikheemskerk
Seems like a bad idea; a lot of people use Caps Lock as an 'easier way' to type lots of characters in capitals. And they may not use it consistently. When they didn't use it when signing up or changing their password but they are using it now, you will get a mismatch and you'll be punishing them for not being consistent. That would be bad form.
1 reply

9 Jan
jaginsberg
A lot of users end up being behind the same proxy exit servers, and thus having the same small pool of IP addresses; back in the day, AOL was the biggest offender here. Be careful that rate limiting bad logins by incoming IP address doesn't make life hell or at least very confusing for these users. Perhaps make it based on the combination of email address PLUS IP address.

9 Jan
jgustie
Another one that drives me nuts is the autocaps of the first letter in a text input applied by Mobile Safari: giving the browser an indication that the field is an email or username is a must.
1 reply

9 Jan
frank9
Ok, I guess I am Frank9 here. yuck... Anyways... I liked this post Jeff. I am going to refer to this when I revise my login system to my CMS tool. I am dealing with an incremental rewrite with a designer in a few weeks and it definitely short circuits what's important and what is better than acceptable (I usually don't have the luxury to think about this stuff the way you guys did). So you taught me something useful today... I can't wait to see what else is up your sleeves on future projects. I have come to the conclusion that you and Sam and the Troutfish make the internet a better place. Optimal Tip to Tip Efficiencies here. (second to last sentence is an honest sentiment and the wording came out funny, and the last one... well you get the joke (segway)

9 Jan, replying to erikheemskerk
Denis Sokolov
The idea is to accept both versions of a password always, effectively trading 1 bit of password security for a lot of user convenience.

9 Jan
sa12
First time trying Discourse. Looks nice..

9 Jan
digplan
Regarding your email is your identity.. I think your identity is your identity. Email, Twitter, Facebook: these are best considered not identities but means of verifying your identity. So your "identity record" in a system is related to each of those, but not one of those defines it. For a long time I thought using email address as your de facto identifier as a login name made good sense.
I'm an older guy (w/ a teenage daughter), and it's striking to the extent email is becoming much less relevant to the younger generation. They will inevitably have all of Twitter, Tumbler, Email address, and mobile phone number, but keying in on one as the God "identifier" if you will feels a little off.
The box with login w/ Twitter, Facebook, etc.. seems the right solution for the present, but still feels not quite right, at least not totally elegant. A universal standard for internet identification of course would consolidate and simplify things, but not just the adoption by so many providers, but the concerns about privacy and tracking etc.. would seem difficult to even get off the ground.

9 Jan
gmanjapan
One thing that's always bugged me is forms, like the Discourse one, that effectively have login and register on the same form but if I put my name/pass in one form don't carry them to the other.
In other words, I see both "login" and "create new account" at the bottom. I type my username and password and click "create new account" expecting it to create a new account with the name and password I just typed. Instead it says Haha for typing your name/pass and clicking "create new account". Instead I'm going to discard what you just typed and make you type it again because that misleading button actually leads to a different form. F.U!
WHY!!!!
First you mislead me by putting 2 buttons that look like actions but one is not the action it claims it is. It's not going to "create a new account" it's going to "switch to the create new account form".
Second you waste time type and throw away my work. This is especially infuriating if I happened to enter that on mobile where typing is super tedious, especially if my password follows some crazy rules.
It seems like copying the name/pass from one form to the other (or making them the same form and hide/unhide the extra fields for registering) would be more respectful of the user's time and slightly mitigate the fib that "create new account" doesn't actually create a new account.
2 replies

9 Jan
Bob_Wise
codinghorror:
    If an account matches name@example.com, you should receive an email with instructions on how to reset your password shortly.
    Note the coy "if" there, which is a hedge against all the security implications of revealing whether a given email address exists on the site just by typing it into the forgot password form.
Malicious humans or bots can already figure out if an email address or username exists in the system by trying to make a new account with that email address or username. I don't think there is any advantage to trying to hide that information here.
1 reply

9 Jan, replying to Denis Sokolov
adregan
Perhaps, but this wouldn't be very helpful for a mixed case password (eg. for me, caps lock + shift doesn't produce lowercase text).

9 Jan
MT83
"I put on my robe and wizard hat."
1 reply

9 Jan
ambiguator
OK, Jeff, how's this for instant feedback? (I registered just so I could submit this comment):
Easily switching between "login" and "register" is great.
But why did you delete my input? I had already typed my email address and password, thinking the "create new account" javascript trigger was a submit button. Now I'm frustrated that I had to retype it.
When I click the "confirm" link from email, please send me back to the thing I was trying to do. Now I have 3 codinghorror tabs open (three!) plus my email. Just so I could post one comment.

9 Jan, replying to pnuk
Jon Coder
That may sound great in theory, and maybe it's great for the Chinese market, but to that I have this that came to mind:
In the 10 years I've held the same email address, I've changed mobile numbers at least 45 times.
And mobile numbers get recycled. I've gotten many phone calls directed at the previous owner of a phone number I recently acquired.
I would never consider using a mobile phone number as identity due to how volatile they can be, at least in the western world.

speising
iactuallyobjectto"emailasusername".ihateitwhensites
requirethat,becauseitlimitsyouroptionsmassively.andif
someonehackstheuserdatabaseofonesite,theyknowyour
username,andpossiblyyourpassword,onalotofothersites.
evenwithoutthat,iftheyknowyouremail(andweknowalot
ofspammersdo)theycantryitatthosesites.
regardingrecoverymails:anemailaddressisnotthesameasan
emailaccount!youneedaccesstothelattertousetherecovery
mailfeature.
9Jan

reavy
Animportantfeaturetoincludeiswhenloggingintoawebsite,
thereshouldeitherbeastatementaboutthepasswordpolicyor
atooltiplikethingtohoverthecursorovertorevealthe
http://blog.codinghorror.com/thegodlogin/

23/35

1/26/2015

TheGodLogin

atooltiplikethingtohoverthecursorovertorevealthe
passwordrequirements.
SometimeswhenI'minarushtoregisteronasite,I'llusea
quickvariationofacommoninexpensivepasswordIkeepin
myhead,andI'llmodifyittofitthepasswordpolicythatsiteis
enforcing.I'llthenneglecttomakeanoteofthatregistrationin
mypasswordmanager(ifIweregoingtousethepassword
manager,IsupposeI'dhaveitgeneratemypasswordanyway).
Whenreturningtothesitelater,havingforgottenmy
registration,I'lltryonethatmakessensebasedonwhatIwould
havedoneforthatsite,butI'llgetincorrectpassworderrors.
Itwouldbereallynice,evenifonlyafterafirstfailedpassword
attempt,forthesitetotellme,"Hey,yourpasswordiswrong.
Itshouldbe840alphanumericcharacters,nohyphensorany
othersilliness."SothatI'mnottryingotherwisestrong
passwordsthatdon'tmakeanysenseforthatsite.
Furthermore,whenasitestatesapasswordpolicywhile
registering,itshoulddarnwellenforcethepolicyitstates.It
frustratingwhenitsayscertaincharactersare(dis)allowedand
thenproceedstoenforcesomeotherhiddenpolicy.
Edit:P.S.Also,pleasepleasedon'ttruncatemypasswordand
thennottellmeaboutit!It'seversomuchfunwhenmy
passwordisshortenedatregistrationbytheform'scharacter
limitandthenadifferent(longer)limitisencounteredonthe
loginpageandsuddenlyIdon'thavethecorrectpassword
anymore
2replies
9Jan

cavedog
123
Ifusingtheemailaddressasusername,besuretoincludea
waytochangethatemailaddress.MySteamaccountstill
forcesmetousemy@yahoo.comaddress. Atleastafew
yearsagotheyallowedyoutochangeyourrealaddresswhere
emailgoesto.
1reply

9 Jan, replying to Bob_Wise
Balfa
There's nothing to stop the "create new account" screen from allowing you to enter an email address that's already on record, then instead of sending a "welcome to this site!" email, it will send a "zomg, somebody might be phishing for your account or maybe you just forgot you already had an account here" email. Only the owner of the email account will be aware of the state of the system, and the attacker is none the wiser either way.
1 reply

9 Jan, replying to cavedog123
davidzych
Same thing for me, except a @hotmail address.

9 Jan
jon49
If the email matches an email in the database then why offer the register option at all? If the email doesn't match then why offer the sign in option? If you are storing the session anyways you can get the ID once you know the email is correct and then it will be really quick to test the password.
You could show both sign in/register at first, but as soon as the email/username is filled in, there is no reason to show one or the other. That way, if the user put in the wrong email they have immediate feedback.

9 Jan
louiseroho
As a Web Developer, I thought about this issue and realized that cannot be a "One Login Method to Rule Them All" because if that login method gets hacked for one type of site, then every site that uses that specific tool is also hacked. So, every secure site must integrate with others, but still needs to have its own specific spore on the security.

erlend_
sh
http://blog.codinghorror.com/thegodlogin/

25/35

1/26/2015

erlend_
sh

TheGodLogin

Ifinditabitamusingthatyoushowthis:

Andthis:

...soclosetogether.AnyparticularreasonwhyDiscourse's
"SignUp"hasnotbeenrenamedto"Register"?
1reply
9Jan

codinghorror
IdownloadedmyUVatranscriptonlinetoconfirm,andindeed:

Pastedimage1024x15125.3KB
DefinitelythePauschclass,thetimingandclasstitleis
consistentwithhisCV.IgotaB!
Andthencheckouttheexcitementofmylastsemester...

http://blog.codinghorror.com/thegodlogin/

26/35

1/26/2015

TheGodLogin

Pastedimage911x31155.1KB

1reply
9Jan

timbojones
Youshouldeitherfixtyposincommonemail
domainsforthem
Nodon'tdothis!Whathappenswhenactualuser@gmal.com
wantstoregister?Itisimpossiblebecausethesite'corrects'the
address.
orletthemknowaboutthat.
Prompting"Didyoumeanuser@gmail.com?"isafine
approach.
9Jan

http://blog.codinghorror.com/thegodlogin/

pbreit

27/35

1/26/2015

pbreit

TheGodLogin

Spoton.ExceptIdon'tlikethe8characterpassword
requirementfornonfinancialsites.
9Jan

zstewart
There'sacriticalcorollarytotheprincipleofusingemailas
identityyouneedtoconfirmitbeforetreatingtheaccountasa
fulluserofthesite!Oryougetthis.

9 Jan, replying to gmanjapan
Kendall1
This is my biggest pet peeve also. Whatever the user has gone to the trouble to type in, remember it. Not just the username but password too please!

9 Jan
Kendall1
One of the things I'm considering doing for a new project for iOS is in fact the zero form login. You can save a custom UUID you generate into iCloud storage for an app and use that as a login ID and/or password (to send to a server), until such time as the user chooses to give you more information to login with. A user doesn't even know if they WANT to use your service/app yet, but so many systems throw the login wall up right away... it has to be dropping out many users. Let them slowly lock down their account as it grows in importance to them.
Another thing to consider is password strength requirements: think about who you are. If you are not a bank, if I cannot spend money through your system why do you have ANY REQUIREMENTS around your password at all? Let people use a stupid password they will remember, and then really crank up that aforementioned rate limiting to make guessing more than three times impractical. No it is NOT OK to require they use 1Password and the like.
1 reply

9 Jan
Harry_Johnston
Troy Hunt (in Introducing the Secure Account Management Fundamentals course) recommends advising the user that they don't have an account at that email address by email rather than on the website. That avoids the information exposure; I can imagine there are people who don't want it known that they are registered with a particular site. (Even a site like Stack Overflow, because some bosses seem to really hate the idea that their employees might be helping "the enemy" whether it's on their own time or not.)
If you've got a lot of email addresses, this would be less convenient than the direct method. I'm not sure whether that's enough of a problem to enough people to justify allowing the information exposure.
Of course you then need anti automation defenses to avoid spamming the innocent. That might well tip the balance.

9 Jan
johnlbevan
With regards to email, also ensure that users can register multiple email addresses against a single account; that way they don't need to recall which mail they used, all work the same way. Have a primary mail address for any notifications from the site (i.e. separate to login concerns), or better yet, allow the user to add conditions around mail use (this is my primary mail for useful notifications, this is my mail for newsletters/stuff I may read if bored).

10 Jan
michelle_o
Please be aware that keyboard use is not just for power users or password managers. Keyboard navigation is essential for screen readers and is step 1 of testing your site for accessibility.

10 Jan, replying to jgustie
scunliffe1
I believe there are attributes you can set on input fields to tell the browser to not autocapitalize... login forms should add this to the username field.

10 Jan
karissamck
You don't have two input password fields to verify the user's password upon signup. People might type it in wrong. You can't be serious when you say you have a good signup box, right?
2 replies

10 Jan, replying to stefan19
matthew_ickstadt
I have little hope for SQRL to ever become mainstream, but I really want it to.

10 Jan
msummerfield
Given the choices you have already made, your login dialog could be further simplified to just two fields and one "Login/Register" button. If there is no email address matching the user input, you can then ask if they would like to create a new account. If the password does not match, you can ask if they have forgotten their password, and would like a reset email sent.
In any event, you should never clear the text fields, so that if the user has simply made a typo it is easy to fix.
This would particularly suit me. If I want high security for a site (that does not provide two factor authentication), I often just use a really long random string as a password, that even I do not know, and then use the reset email as my primary way to access the account (setting a new long, random password on my way back in). Always having exactly the same dialog would be my God login!
1 reply

10 Jan
Leo_Nel
In addition to Google, Facebook, Twitter, Yahoo and Github, any reason why Microsoft account support is not provided as one of the options?
10JanBalfa

Hamled
Well,there'sonethingtostoppeoplefromdoingthat.Namely,
suchasolutionbasicallyrequiresaconfirmationemailissent,
received,opened,andthelinkclickeduponbeforethataccount
canactuallybeused.
Thisinitselfisamajorsourceoflostusers,andthereasonwhy
manyorganizationshavemadeemailconfirmationoptionalin
theirsignupfunnel.
Unlessyourserviceistrulyreliantuponemailintegrationfor
yourusers,you'reprobablybetterofusingacombinationof
ratelimitingandsuspiciousbehavioridentification.
10Jan

Hamled
Forgive me if this has already been covered, but I think the idea of preventing people from signing up with popular passwords is at least a bit more problematic than it is helpful.

Initially I was going to complain that a mere 10,000 wasted attempts per hash wasn't that much, but it turns out that even in 2015 bcrypt, and especially scrypt, hold up incredibly well even with GPU hashing.

That said, I think what you're looking at is adding at most 20 minutes per hash (assuming they have to use CPUs) onto the cracking time if you're using a bcrypt factor of 10 or scrypt factor of 13. Check out this video for some interesting stats on that http://video.adm.ntnu.no/pres/5499318fcce2c.
And what do you trade for that? A large majority of your users, for most sites, are then forced to use a password that they don't normally use. A password they're likely to forget. If they even bother continuing to sign up after some stupid website told them their password was dumb. And it's not like the acceptable password they choose is going to be massively better, it'll probably still be in the top 100,000 or million passwords guessed by a competent cracking program.

Philosophically, I think it's my responsibility to assume that every single one of my users is so unconcerned about security that they really will make their password 'password' (or whatever minimum additions to that are required to fit my stated requirements). The best I can do is pick password related technologies and designs that protect them as much as possible in the event of a breach.

The user's responsibility, OTOH, is to assume that I'm so unconcerned with their security that I'll store their passwords in plaintext. In that case they'd use a password manager, or insist upon a stronger technology like PAKE and/or two factor auth. Sadly not enough users assume this, but we also can't make them.
10 Jan
MT83
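Hamled's estimate above ("10,000 wasted attempts per hash" at a scrypt factor of 13 costing the attacker at most about 20 minutes per hash) can be checked on your own hardware. The block below is an added example, not code from the post: it rejects a password that is on a banned list (a ten-entry constructed stand-in for a top-10,000 list), hashes with `hashlib.scrypt` at N = 2^13, r = 8, p = 1 (the r and p values are assumptions, as is the normalisation that strips trailing digits and punctuation), times one evaluation, and extrapolates how much work the banned list forces on an attacker who tries it first against each stolen hash.

```python
import hashlib
import os
import time

# Constructed stand-in for a "top 10,000 passwords" list; a real deployment
# would load the full list from a file.
POPULAR_PASSWORDS = frozenset([
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "monkey", "dragon", "iloveyou",
])

SCRYPT_LOG_N = 13          # the "scrypt factor of 13" from the comment: N = 2**13
SCRYPT_R, SCRYPT_P = 8, 1  # assumed block size / parallelism parameters


def normalise(password: str) -> str:
    """Fold the trivial variations users bolt onto a banned word ("Password1!")."""
    p = password.strip().lower()
    return p.strip("0123456789!@#$%^&*.,_-")


def is_popular(password: str, banned=POPULAR_PASSWORDS) -> bool:
    """True if the password, or its normalised form, is on the banned list."""
    return password in banned or normalise(password) in banned


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """One scrypt evaluation with the parameters above; returns a 32-byte digest."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** SCRYPT_LOG_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def seconds_per_hash(samples: int = 3) -> float:
    """Measure the cost of one scrypt evaluation on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        scrypt_hash("benchmark", salt)
    return (time.perf_counter() - start) / samples


def wasted_attacker_seconds(banned_count: int, secs_per_hash: float, parallelism: int = 1) -> float:
    """Time an attacker spends per stolen hash exhausting the banned list first.

    This is the quantity the comment puts at "at most 20 minutes per hash";
    parallelism models several cores or GPUs splitting the guesses.
    """
    return banned_count * secs_per_hash / parallelism


if __name__ == "__main__":
    for candidate in ["Password123!", "correct horse battery staple"]:
        print(repr(candidate), "rejected" if is_popular(candidate) else "accepted")
    per_hash = seconds_per_hash()
    print("scrypt N=2^%d: %.3f s per hash" % (SCRYPT_LOG_N, per_hash))
    print("10,000 banned guesses cost one CPU core %.1f minutes per stolen hash"
          % (wasted_attacker_seconds(10_000, per_hash) / 60))
```

The measured figure is what the argument hinges on: if one scrypt evaluation takes around 0.1 s, a 10,000-entry list costs a single-core attacker roughly 17 minutes per hash, which is the commenter's "at most 20 minutes", and dividing by the attacker's parallelism shrinks it further.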

dave_steinberg

I literally rushed to add this comment, in the hope, however vain, that it would be the first. Alas...
10 Jan

saurabhguptatwt
I like the game. If we extend this outside the www domain. Cop stops you and asks for your driving license. What will a GOD require? He wouldn't stop you, just write you a ticket and withdraw fine from your bank account. Sounds freakish!
11 Jan

andrekibbe
Kendall1:
    If you are not a bank, if I cannot spend money through your system why do you have ANY REQUIREMENTS around your password at all?

Because the same login credentials are likely to be used on banks and other sensitive sites visited by the user. Since most people stick with passwords that are easy to remember, they're probably using them everywhere, so their security profile is a chain as strong as its weakest link. A hacker who's obtained hundreds of user logins is guaranteed to have at least a few dozen of those that are valid for BofA.com, PlayStation.com, etc.
1 reply
11 Jan

andrekibbe
gmanjapan:
    It seems like copying the name/pass from one form to the other (or making them the same form and hide/unhide the extra fields for registering) would be more respectful of the user's time and slightly mitigate the fib that "create new account" doesn't actually create a new account.

With most registration tools only the encrypted version of the password is stored; it's hashed before being saved to the database. So there's no server side access to the unencrypted password to populate the form with it. That's the same reason why most "Forgot your password?" links require a password reset, regardless of how annoying it is to the user.

Of course, forms could probably do some client side validation and simply reject invalid submissions up front so that the password remains in the field.
11 Jan
erlend_sh

andrekibbe
I disagree with the rather pedantic arguments in the left column implying that "Sign Up" and "Sign In" are indistinguishable. On the contrary, they're visually and grammatically consistent, and since they're different buttons in the same region, users can easily parse that they're distinctly different options. This is what Tufte calls the Least Effective Difference. You don't need to accentuate the difference further by varying the wording or style. I personally find those superfluous differences aesthetically incoherent without offering any additional usability advantages in return.
11 Jan
reavy

roelandsch
I came across a lot of those password length limitations and forbidden characters etc. One website even required me to use a number in the username.

I don't get why websites need those limitations in the first place. I mean, they should just do SHA2(saltySalt + "correct horse battery staple") anyway.

I wonder what they're doing. Using their own basement grown hash? Or maybe they're not sure which characters will cause mysql_query("INSERT INTO my_users VALUES ('$user', '$password')"); to break.

1 reply
12 Jan

t1oracle

Instead of telling users that they gave the wrong email address on the site, why don't you just send an email to them at that address telling them of the error? That way hackers can't use your form to expose user accounts. Within that email you can provide a link to recover the forgotten email address using security questions.
12 Jan
roelandsch

t1oracle

If they sanitized their inputs then all characters would be safe. Since they're hashing (salted by crypt) anyway (or should be) there is no need to worry about odd characters.
12 Jan
World Maker