Jump to content
  • 0

Your fancy website login completely breaks when using a password manager.

Oem42

Asked by Oem42,

Idea

Oem42

Oem42 0

Posted
Posted

Why instead of just showing the fields for username and password do you hide the password field until the username is filled and you have to press continue.   I use lastpass and I have to make it fill the fields twice because it cant autofill the password field on the first go. Really annoying for what looks like an aesthetic decision. 

 

 

Link to comment

4 replies to this idea

Recommended Posts

  • 0
  • Level 5
PinkElephant

PinkElephant 8,117

Posted
  • Level 5
Posted

The 2-step-approach is probably used because of a new hacking strategy called „spraying“: Instead of brute-forcing one account, many accounts are tried with a combination of user & PW. Because a lot of users use weak passwords and the same few mail services, it seems to work. And it is harder to detect than brute forcing the same account over and over.

By expecting a valid user before unmasking the password field, this will not work. The robot that is used to fill the fields needs to wait for the web site to unmask the second field. The little wait breaks trying many accounts in a short time.

This is AFAIK done for security, not aesthetic.

  • Like 1
Link to comment
  • 0
Magnus Westin

Magnus Westin 23

Posted
Posted

I guess that could be the reason, but they can just as easily accept both username password and just delay the login with the same amount. Also if they accept both and just gives a generic error, then the "bad actor" dont know if it was the username or password that failed.

Link to comment
  • 0
bishopblaize

bishopblaize 66

Posted
Posted
6 hours ago, PinkElephant said:

The 2-step-approach is probably used because of a new hacking strategy called „spraying“: Instead of brute-forcing one account, many accounts are tried with a combination of user & PW. Because a lot of users use weak passwords and the same few mail services, it seems to work. And it is harder to detect than brute forcing the same account over and over.

By expecting a valid user before unmasking the password field, this will not work. The robot that is used to fill the fields needs to wait for the web site to unmask the second field. The little wait breaks trying many accounts in a short time.

This is AFAIK done for security, not aesthetic.

Google and Microsoft's online services both play nicely though. If you use a password manager to autofill your login details to either of them, it won't let you reach the password field without a valid username, but once you reach the password field, its already filled in.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go To Idea Listing
×
×
  • Create New...