My biggest gripe with login forms...
-
(Besides them not remembering my login info) is that when I input the wrong information, be it username/email/password, it rarely tells me which one is wrong. I might not visit a service for a while so I'm not sure what I made my username or what my password is, but I have a better idea if you could tell me exactly which one was wrong. Why do I have to keep on guessing which one is the correct item and which one is wrong?
Yes, I'm aware that there are utilities like 1password to help this out, but why have we gone so long by saying that "your username/password is incorrect" without providing a bit more information? -
In my experience that is for security, if a 'hacker' knows what is wrong then they can brute-force into an account.
It is annoying, I do agree; one thing I hate is the remember me button.
-
Doesn't Drawar behave exactly the way you said you hate? (Thus the hiccup and my bothering you about Drawar registration on Twitter)
-
If only I coded up the signup and registration for these forums. That is out of my hand, but definitely annoying.
-
Wow I've never even thought about this. Thinking about it I have come across a few that will say, "The email address you've entered does not exist on our file" and completely skips through even bothering to tell me the password is wrong because of it. Then I will come across some sites where I've entered my account multiple times (like vBulletin) only to realize I had a different username, by then I've already used my 5 login attempts and have to try again in 20 minutes. Le fuuuuuuuuu.
I'm glad you mentioned it though, I will keep it in mind! -
DanielWhyte hit the nail on the head. It doesn't tell you which one is wrong for added security. Wordpress had this issue using the default "admin" user for so long. Hackers knew that by default there was typically an "Admin" user, and Wordpress would tell you that the password was wrong if you tried to use the "Admin" login. This told hackers there was indeed an Admin user on that system, and they could proceed to use rainbow tables to brute force the password.
If the rest of the system is sufficiently secure, it's probably not necessary, but given the widespread use of open-source software it's probably a minor inconvenience vs. the hassle of having a site hacked. -
but given the widespread use of open-source software it's probably a minor inconvenience vs. the hassle of having a site hacked
Wouldn't closed source be just as vulnerable to rainbow tables as open-source software? -
Yep. As long as you display what is missing ("wrong password") a hacker will know the username is right. This brings the variables down, and brute force will actually work within a lifetime.
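The point made in the last two replies (a field-specific message confirms that a username exists, which shrinks the search space for a password-guessing attack) is easiest to see in code. The following is an added example, not code from any poster or from the forum software: a leaky login handler that reports which field failed, beside a hardened one that returns the same generic message and does the same password-hashing work whether or not the username exists, while still recording the real reason in a server-side audit log for the operator. The user store, the PBKDF2 parameters and the audit list are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
# Assumption: a real application would load these records from its database.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str):
    salt = os.urandom(16)
    return (salt, hash_password(password, salt))


USERS = {
    "alice": make_user("correct horse battery staple"),
}

# Dummy record used when the username is unknown, so the hardened handler
# performs one PBKDF2 computation on every attempt. Without this, a fast
# "no such user" path would leak the same information through response timing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = hash_password("dummy-password-never-accepted", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."

# Server-side audit trail (constructed): the operator still sees which
# condition fired, even though the client only ever sees GENERIC_ERROR.
AUDIT = []


def login_leaky(username: str, password: str) -> str:
    """The behaviour the thread complains about. Each message reveals which
    field was wrong, so the form doubles as a username oracle."""
    record = USERS.get(username)
    if record is None:
        return "No account with that username."
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return "Wrong password."
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """Same check, but the client learns only success or failure: identical
    message and identical hashing work whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    candidate = hash_password(password, salt)
    password_ok = hmac.compare_digest(candidate, stored)
    if username not in USERS:
        AUDIT.append(("unknown_user", username))
        return GENERIC_ERROR
    if not password_ok:
        AUDIT.append(("bad_password", username))
        return GENERIC_ERROR
    AUDIT.append(("success", username))
    return "OK"


if __name__ == "__main__":
    for handler in (login_leaky, login_hardened):
        print(handler.__name__)
        print("  ", handler("bob", "anything"))
        print("  ", handler("alice", "wrong password"))
        print("  ", handler("alice", "correct horse battery staple"))
```

Run as a script to compare the two handlers side by side: the leaky one answers differently for "bob" and for "alice with the wrong password", while the hardened one returns the same string for both and only the audit log distinguishes them. A generic message is a mitigation for enumeration through the login form only; other endpoints (registration, password reset) need the same treatment or they reopen the leak.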

