The God Login



Howsoever long the path may be, you can always rely on Long Path Tool. Its sure to sort out your problem.


Biometrics could be used to replace the email and password?
Smartphones, tablets and notebooks come with front cameras and microphones. Even TVs are getting these.
Your appearance might change with aging, but not that much. Haircut, glasses, beard and so on can be filtered out.

Problem is: what if you become disfigured. Or looses the ability to speak…


Just noticed this today on one of my favorite sites and felt it must be shared…
[When Jeff Atwood Likes Us][1]

1 Like

I prefer just using Facebook or Google+ to login to everything. When transferring to iPad or mobile, I can download the apps and then it instinctively knows who I am. A seamless integration.

Great blog post. Thanks!


There is that can handle both email and phone number as authorization login.

Actually, it takes password management and entering into different wesites to the next level: you only need your login and your phone to securely log in almost everywhere. Very handy.


Excellent post, great stuff to think about. I just recently had to develop a login form, and it is funny how complex a simple thing like this can be. I really like the concept of What Would God Design, and getting as close to that as possible.


This is brilliant, and can be applied to different aspects of a site!!


Agreed, I will see that we fix that.

Opinions vary, if the field is really simple it can be OK, but I agree that having the help text disappear when you type in the field is kind of a worst case scenario. As you type is when you need the help the most…

Agreed we need to do this as well.

Another great idea. Will look into this.

Doesn’t matter, if they forget their password to any of those, and they will… guess how they recover the password? Email is the bedrock of social Internet, nobody will ever kill it.

Repeating the password is user hostile at this point, will reduce sign ups, and just isn’t that effective. Better to have simple fast password recovery. Most sites are moving away from this “must repeat password twice” design and I agree with that.

Also @darrenpmeyer and others, this idea that an attacker can now mine your login form for emails is kind of an illusion; you could do the very same thing with the signup form, where you must tell the user if that email exists or not… That said, if you want this feature it can be turned on in the site settings in Discourse.


Basically you’re advocating case-insensitive passwords. No need to detect caps lock for that, just toUpper the string :slight_smile:


No, I don’t. Your suggestion costs n bits of entropy, where n is the length of user’s password.
I suggest to sacrifice 1 bit of entropy. It’s quite different.

1 Like

I wonder if the shift behavior you mention is common place.
For uncommon behavior users, such as you or me (I have caps lock disabled), my suggestion sacrifices 1 bit of entropy and nothing else, so I don’t see much downside.


It would be great if SQRL had some serious backing - it has the potential to be a great alternative to the whole username/password plague. It’s something we desperately need!!


The whole way through this article I was thinking: all of this would be irrelevant if we could just all use SQRL. If your reading this and you follow the link please don’t let the website scare you off. It’s hideous yes, but the ideas involved legitimately solve the problem of passwords on the web.


roblockyer is right that Gibson’s website describing SQRL is lacking aesthetic appeal. provides a quality explanation of the technology with a much better eye for page design.


I watched the Last Lecture multiple times, and I have no doubt the man was probably one of the best CS instructors in existence. However, I fail to see how this “What would God do?” (WWGD?) conceit helps at all.

Take your example of sorting. God would just perform a bogosort, with the twist that his first try works every time. How does that help me? Does it mean I should start with bogosort in analyzing a sorting problem? I sure hope not.

The answer is it doesn’t help me at all. I’m right back where I started. Not having omniscience and omnipotence, I actually have to work at the problem.

Sure you should always have the goal to make things as simple as possible for both the user and the code. If that’s what you are trying to say, why not go straight to that? I’m just not seeing where dragging in an entity that doesn’t have the same problems I have (or in fact any problems) clears things up in the slightest.


A few thoughts:

  1. Was there some discussion about (not) having a “remember me” checkbox?

  2. In terms of allowing a user to change their e-mail, that probably means you have an internal account ID which is not their e-mail address. Theoretically that’s an implementation detail and not UX, but it’s one that makes the UX work reliably so worth mention. There’s also the question of what happens if you lose access to an e-mail address and need to get back in to the account.

  3. In the end, because of what I think was some maintenance going on on this site that I had the bad luck to hit, it took me a couple hours to sign up and post this. Which makes me think of a a higher level issue - isn’t the “God algorithm” for a public forum one that makes sure a user can post a comment and it won’t get lost? Ideally, I’d be able to post my comment first and then worry about logging in, signing up, etc. - by the time I’ve gotten the confirmation e-mail, etc. I’ve opened a few other browser tabs and possibly gone on to do other things altogether. (Maybe this is a way to ensure quality but then again the trolls may me more likely than anyone to come back.) For example, ask me for my comment and an e-mail address (with the usual “e-mail will not be public” thing) then when I post, let me know that you’ve save my comment but since I’m not logged in, you’ve sent me an e-mail with instructions to create an account which I need to do before my post will show up. Or something like that.


Very informative, we are in the beta phase of our web application and we are doing analytics using some of the information provided here. Can’t wait to see the result!


@robertlagrant He is not advocating pass phrase case insensitivity, he is saying you should accept the EXACT opposite case of the “correct” pass phrase as valid. Example: if the “correct” pass phrase is ‘thisisapaSSphrase’, then you would also accept ‘THISISAPAssPHRASE’ as well, but you would NOT accept ‘THISisapassphrase’. The end result is that exactly 2 pass phrases are valid, instead of exactly 1. That does not significantly harm the security, unless I am mistaken.

I am pretty sure this is how Facebook does it.

1 Like

If I logged into every website with Google, and the access to Google was compromised - bum, all my accounts would be compromised too.

So, the more places you use your Google account to log in, the more danger is there for that Google account to be compromised.

In other words, maximum security is needed if using a single account to login in multiple places - e.g. at least two-factor authentication or yubikey or whatever.

I prefer using password managers and a unique password for every single website. Plus two-factor where possible. This way, even if my passwords storage account is compromised (e.g. Roboform Everywhere, LastPass etc), no access is gained to all my accounts. The accounts that, similar to the-Google-case, use a single website to log in, but in some other sense this time.

CodingHorror, I’d add that one should test their login screen with all popular passwords manager tools as well.

1 Like