a companion discussion area for blog.codinghorror.com

The God Login


Perhaps, but this wouldn’t be very helpful for a mixed case password (eg. for me, capslock + shift doesn’t produce lowercase text).


“I put on my robe and wizard hat.”


OK, Jeff, how’s this for instant feedback? (I registered just so I could submit this comment):

  • Easily switching between “login” and “register” is great. But why did you delete my input? I had already typed my email address and password, thinking the “create new account” javascript trigger was a submit button. Now I’m frustrated that I had to retype it.
  • When I click the “confirm” link from email, please send me back to the thing I was trying to do. Now I have 3 codinghorror tabs open (three!) plus my email. Just so I could post one comment.


That may sound great in theory, and maybe it’s great for the Chinese market, but to that I have this that came to mind:

In the 10 years I’ve held the same email address, I’ve changed mobile numbers at least 4-5 times.
And mobile numbers get recycled. I’ve gotten many phone calls directed at the previous owner of a phone number I recently acquired.
I would never consider using a mobile phone number as identity due to how volatile they can be, at least in the western world.


I actually object to “email as username”. I hate it when sites require that, because it limits your options massively. And if someone hacks the user database of one site, they know your username, and possibly your password, on a lot of other sites.
Even without that, if they know your email (and we know a lot of spammers do) they can try it at those sites.
Regarding recovery mails: an email address is not the same as an email account! You need access to the latter to use the recovery mail feature.


An important feature to include is when logging into a website, there should either be a statement about the password policy or a tool-tip like thing to hover the cursor over to reveal the password requirements.

Sometimes when I’m in a rush to register on a site, I’ll use a quick variation of a common inexpensive password I keep in my head, and I’ll modify it to fit the password policy that site is enforcing. I’ll then neglect to make a note of that registration in my password manager (if I were going to use the password manager, I suppose I’d have it generate my password anyway). When returning to the site later, having forgotten my registration, I’ll try one that makes sense based on what I would have done for that site, but I’ll get incorrect password errors.

It would be really nice, even if only after a first failed password attempt, for the site to tell me, “Hey, your password is wrong. It should be 8-40 alphanumeric characters, no hyphens or any other silliness.” So that I’m not trying otherwise strong passwords that don’t make any sense for that site.

Furthermore, when a site states a password policy while registering, it should darn well enforce the policy it states. It’s frustrating when it says certain characters are (dis)allowed and then proceeds to enforce some other hidden policy.

Edit: P.S. Also, please please don’t truncate my password and then not tell me about it! It’s ever so much fun when my password is shortened at registration by the form’s character limit and then a different (longer) limit is encountered on the log in page and suddenly I don’t have the correct password anymore :pensive:


If using the email address as username, be sure to include a way to change that email address. My Steam account still forces me to use my @yahoo.com address. :sob: At least a few years ago they allowed you to change your real address where email goes to.


There’s nothing to stop the “create new account” screen from allowing you to enter an email address that’s already on record, then instead of sending a “welcome to this site!” email, it will send a “zomg, somebody might be phishing for your account - or maybe you just forgot you already had an account here” email. Only the owner of the email account will be aware of the state of the system, and the attacker is none the wiser either way.


Same thing for me, except a @hotmail address. :scream:


If the e-mail matches an e-mail in the database then why offer the register option at all? If the e-mail doesn’t match then why offer the sign in option? If you are storing the session anyways you can get the ID once you know the e-mail is correct and then it will be really quick to test the password. You could show both sign-in/register at first, but as soon as the e-mail/username is filled in, there is no reason to show one or the other. That way, if the user put in the wrong e-mail they have immediate feedback.


As a Web Developer, I thought about this issue and realized that there cannot be a “One Login Method to Rule Them All” because if that login method gets hacked for one type of site, then every site that uses that specific tool is also hacked. So, every secure site must integrate with others, but still needs to have its own specific spore on the security.


I find it a bit amusing that you show this:

And this:

… so close together. Any particular reason why Discourse’s “Sign Up” has not been renamed to “Register”?


I downloaded my UVa transcript online to confirm, and indeed:

Definitely the Pausch class, the timing and class title is consistent with his CV. I got a B! :wink:

And then check out the excitement of my last semester…


You should either fix typos in common email domains for them

No don’t do this! What happens when actual user@gmal.com wants to register? It is impossible because the site ‘corrects’ the address.

or let them know about that.

Prompting “Did you mean user@gmail.com?” is a fine approach.
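Added example (not code from the thread or from Discourse) of the “suggest, never auto-correct” approach above: a likely domain typo produces a prompt, while the typed address itself is left untouched so a genuine user@gmal.com can still register. The domain list is constructed sample data.

```python
import difflib

# Constructed list of frequently typed mail domains (sample data for this example).
COMMON_DOMAINS = ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "icloud.com")


def suggest_email(address: str, cutoff: float = 0.8):
    """Return a "did you mean" address for a probable domain typo, else None.

    The submitted address is never modified: the caller only displays the
    suggestion and the user decides whether to accept it.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return None                      # not something we can reason about
    domain = domain.lower()
    if domain in COMMON_DOMAINS:
        return None                      # exact match, nothing to suggest
    # Similarity ratio against the known domains; below the cutoff we stay silent
    # rather than guess, which is what keeps unusual-but-real domains usable.
    matches = difflib.get_close_matches(domain, COMMON_DOMAINS, n=1, cutoff=cutoff)
    if not matches:
        return None
    return f"{local}@{matches[0]}"


def registration_prompt(address: str) -> str:
    """Text to show next to the email field; empty when there is nothing to say."""
    suggestion = suggest_email(address)
    return f"Did you mean {suggestion}?" if suggestion else ""
```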


Spot on. Except I don’t like the 8 character password requirement for non-financial sites.


There’s a critical corollary to the principle of using email as identity - you need to confirm it before treating the account as a full user of the site! Or you get this.


This is my biggest pet peeve also. Whatever the user has gone to the trouble to type in, remember it. Not just the username but password too please!


One of the things I’m considering doing for a new project for iOS is in fact the zero form login. You can save a custom UUID you generate into iCloud storage for an app and use that as a login ID and/or password (to send to a server), until such time as the user chooses to give you more information to log in with. A user doesn’t even know if they WANT to use your service/app yet, but so many systems throw the login wall up right away… it has to be dropping out many users. Let them slowly lock down their account as it grows in importance to them.

Another thing to consider is password strength requirements - think about who you are. If you are not a bank, if I cannot spend money through your system why do you have ANY REQUIREMENTS around your password at all? Let people use a stupid password they will remember, and then really crank up that aforementioned rate limiting to make guessing more than three times impractical. No it is NOT OK to require they use 1Password and the like.


Troy Hunt (in Introducing the “Secure Account Management Fundamentals” course) recommends advising the user that they don’t have an account at that email address by email rather than on the web site. That avoids the information exposure; I can imagine there are people who don’t want it known that they are registered with a particular site. (Even a site like Stack Overflow, because some bosses seem to really hate the idea that their employees might be helping “the enemy” whether it’s on their own time or not.)

If you’ve got a lot of email addresses, this would be less convenient than the direct method. I’m not sure whether that’s enough of a problem to enough people to justify allowing the information exposure.

Of course you then need anti-automation defenses to avoid spamming the innocent. That might well tip the balance.
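Added example (not code from the thread, from Discourse, or from the course mentioned) of the flow described in this comment and in the earlier “zomg, somebody might be phishing for your account” comment: sign-up returns the same response whether or not the address is known, only the mailbox owner learns which case applied, and the account is not live until the mailed token is confirmed. It assumes an in-memory user set and a stub mailer in place of a real database and mail service.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Mailer:
    """Stub outbound mailer: records what a real service would send."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


def register(email: str, users: set, pending: dict, mailer: Mailer) -> dict:
    """Handle a sign-up request without revealing whether `email` is registered."""
    normalized = email.strip().lower()
    # Generate a token in both branches so the two paths do the same work.
    token = secrets.token_urlsafe(32)
    if normalized in users:
        # Existing account: warn the owner by mail; the web response says nothing.
        mailer.send(
            normalized,
            "Someone tried to create an account with this address",
            "You already have an account here. If this was you, sign in or use "
            "the password reset link. If it wasn't, no action is needed.",
        )
    else:
        pending[normalized] = token          # account exists only once confirmed
        mailer.send(
            normalized,
            "Confirm your account",
            f"Use this token to confirm your registration: {token}",
        )
    # Identical status and message on both paths, so the page leaks nothing.
    return {"status": 200, "message": "Check your email to continue."}


def confirm(email: str, token: str, users: set, pending: dict) -> bool:
    """Promote a pending sign-up to a real account if the token matches."""
    normalized = email.strip().lower()
    expected = pending.get(normalized)
    if expected is None or not secrets.compare_digest(expected, token):
        return False
    del pending[normalized]
    users.add(normalized)
    return True
```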


With regards to email; also ensure that users can register multiple email addresses against a single account; that way they don’t need to recall which mail they used; all work the same way. Have a primary mail address for any notifications from the site (i.e. separate to login concerns), or better yet, allow the user to add conditions around mail use (this is my primary mail for useful notifications, this is my mail for newsletters / stuff I may read if bored).