

In A Perfect World, This Is How Web Sites Would Handle Login Forms - wauter
http://www.woutersmet.com/2014/03/20/in-a-perfect-world-this-is-how-web-sites-would-handle-login-forms/

======
facorreia
Whatever you do, DON'T follow this advice. It's utterly wrong.

Here's the professional way to do this:

"An application should respond with a generic error message regardless of
whether the user ID or password was incorrect. It should also give no
indication to the status of an existing account."

[https://www.owasp.org/index.php/Authentication_Cheat_Sheet](https://www.owasp.org/index.php/Authentication_Cheat_Sheet)

~~~
onion2k
Bare in mind that particular advice is from a group expressly interested in
security. The article is talking about usability. There is often a balance to
be struck.

~~~
leigh_t
There is a balance, and it swings heavily in the direction of never ever ever
compromising security.

~~~
onion2k
Your reply made me smile. You're quite right, but only up to a point. An
emphasis on security that compromises usability can backfire and start to make
things _less_ secure.

For example, enforcing a 32 character passphrase with at least 1 non-
alphanumeric character would be incredibly secure, but users will start
writing down their password on post-its near their terminals, and suddenly all
that 'security' evaporates because you've introduced an artificial weak link.

In a small way better usability enhances security by making the user less
likely to get things wrong.

~~~
firephreek
Compromising the lock is different than choosing the type of lock.

------
vxxzy
This is a terrible idea. At this rate, you're just handing out your data! It
is a matter of practicality and security. When someone enters a username and
password, you do not know who may be on the other end. Telling them that the
username is correct but the password is wrong puts an attacker one step closer
to gaining access.

~~~
azurelogic
Came to the comments to say this. Glad to see I'm not the only one thinking
it.

------
onion2k
In my perfect world signing up to a service would only need my email address.
I'd enter it and the service would email me a link. Clicking that link would
log me in. No password necessary. My log in credentials would be available
everywhere my email is available (which is everywhere), and if I accidentally
delete the email then just filling in the "sign up" box with the same email
address would email me a new one.

The downside is that if my email account is compromised then my account with
the service is also compromised, but if that's the case then most 'forgotten
password' systems would be equally broken.

------
cessor
This is, as everybody noticed - HORRIBLE advice. Imagine this: You mind your
own business on - let's say a man-to-man datings site. You don't appear to
have a problem with homosexuality, but MAYBE your wife or your employer does.
Like this, when they put in your private, personal email address and the
website basically tells them: "Yep, you got it, that guy has an accout here".
This "meta data" is quite sensitive information, if you ask me, not only from
a security point of view, but from a privacy one. Holy moly, don't follow this
advice.

------
slinkyavenger
Everyone's already covered how this is absolutely wrong, but I wanted to add
that a second query is not appropriate, either.

You'd want your query to be something like

SELECT password_hash = {password_hash} AS authenticated FROM accounts WHERE
email = {email}

That way you'd be able to tell based on your result set whether the user
exists, and if so if their password is valid. All with one query.

But, again, you shouldn't do this.

------
zck
There's a key question whether or not to do this that I haven't seen
discussed: is the fact that a given login has an account private information?
Sometimes it is, sometimes it isn't.

For example, on HN, it's trivial to find out whether a given username has an
account -- just visit
[https://news.ycombinator.com/user?id=zck](https://news.ycombinator.com/user?id=zck)
, and you'll see whether zck is a registered account.

On services like that, I don't see the harm in distinguishing "password
incorrect" errors from "no user" errors, since that _doesn 't give you private
information_.

But on private sites, or if you're logging in via email? That's a different
story.

------
aboodman
In a perfect world, you don't login at all because your device knows your
identity and there are standardized identity federation protocols that
applications and devices can participate in.

(Android already has this. Android developers: Please use AccountManager. I am
highly unlikely to create an account with you.)

I can't count the number of times I've just "oh well, nevermind" when I
couldn't remember the stupid credentials I used with some application, or
couldn't be bothered to create new ones. Not to mention the well-documented
security problems with asking users to manage passwords.

Blech I say. Blech. I'm sad that it's 2014 and this is still unsolved.

------
1p1e1
It's a good UI, however if not done right it can be potentially dangerous. As
you mention in the PS, people can abuse it in various different ways. Spam
bots can go around websites that use this practice and check email validity,
for example.

------
camelNotation
No, in a perfect world, THIS is how web sites would handle login forms:

[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

------
madaxe_again
In a perfect world, username enumeration is everywhere?

