
I'd like to know HN opinion on using the first form to pull in and display a pre-selected identification image or statement. Basically to show the user something associated with their account that a phishing site would not have access to, before they've typed in their password. I've seen banks do this and am starting to see it in healthcare.


They're awful. If you go to a phishing site and don't see the image, and you're in the 99% of users, you're not going to say, "oh no, this must be a phishing site!" If you notice at all, you're going to think "they finally got rid of that stupid penguin picture".

Did you ride the bus today? Did you notice whether they removed one of the ads you saw yesterday? Yeah, neither did I.


Exactly. This is why EV certificates are a waste of time, too. People notice the presence of things, but they don’t notice their absence.


I usually forget that image anyway and I think that most people will have no clue what to do if the picture is right or wrong. I bet they will go ahead anyway.


> I've seen banks do this and am starting to see it in healthcare.

These are pretty good signs it's at best useless and at worst harmful.


A script can easily query your bank website and show you the same image.


Yep, or even simpler, just show a generic "broken image" image, that most folks would probably brush off as "stupid computers never work right anyways".


And for the statement, a "Loading..." should be sufficient, since most folk don't have the patience to wait for the statement to "load" and verify it.



