Transcript

A tumblr post saying "i really like this thing where websites will have separate “log in” & “sign up” buttons and if you click “log in” it takes you to a sign-up screen anyway so you have to click “i already have an account” and then it will ask if you want to sign in with your facebook account or with instagram or linkedin or deviantart or whatever, and if you choose “username & password” it asks if you want to put in your username or use your thumbprint, and once you put your username & password it emails you a confirmation code, and once you put in the code it says “do you want to give us your phone number for future sign-ins? do you want to sign up for facial recognition? do you want to give us your bones? give us your fucking bones?”

  • jaupsinluggies@feddit.uk · 17 points · 24 hours ago

    I was confused recently at a border post marked “Passport control”. I had it ready, but the guard asked for my driving licence. While I was fishing for that he breathalysed me, which came back clean so he said I could go - without having seen either my passport or driving licence.

  • LiveLM@lemmy.zip · 66 points · edited · 1 day ago

    And whoever came up with the idea of putting email on one page and password on another: You suck.
    I can never get my password manager to handle that properly. WTF is even the point?

    • azertyfun@sh.itjust.works · 2 points · 10 hours ago

      Usually it’s because some chucklefuck put SSO in the requirements so now everyone has to suffer so that SSO users get their redirect before being shown a password field.

      Sometimes though it’s an absolutely braindead web designer who definitely doesn’t have SSO as a requirement but has no idea what he’s doing and is just doing the mr-bean-cheating-on-a-test.gif and copying their Microsoft login form.

    • mic_check_one_two@lemmy.dbzer0.com · 23 points · edited · 1 day ago

      I came to the comments to post this exact complaint. I’m sure it’s considered more secure somehow, (maybe to prevent autofill attacks?) but at least code your fields properly so my password manager can auto detect the username field.

      Also, phone number/ZIP code fields that pull up the full keyboard on mobile, instead of just the number pad. There’s no reason to show the entire keyboard, and phones have the ability to detect what kind of input the field wants… But website devs don’t bother coding their fields properly for numbers only, so the phone pulls up the full keyboard by default.

      Lastly, 2FA fields that break paste. Like when it’s asking for a 6-digit TOTP code, and the field is actually broken up into two 3-digit fields instead.

      • Dunstabzugshaubitze@feddit.org · 14 points · 1 day ago

        Countries with alphanumeric postal codes exist, so unless you are 100% sure that your service won’t be used by someone from such a country, you’d better allow alphanumeric input in your postal code field. Addresses in general are tricky, because they work differently across the globe; for example, house numbers are not a thing everywhere. Hell, I am not sure if street names are a thing everywhere.

      • SimpleMachine@sh.itjust.works · 11 points · 1 day ago

        Feels like a security issue to me. You could put in literally anyone’s email address on a site that does this and immediately know if they have an account there or not. Even if you don’t know their password, you know something new about that person.

        I feel you on all these other ones too. There’s a lot of UI/UX designers out there that need to be barred from that field forever.

      • cactusupyourbutt@lemmy.world · 6 points · 1 day ago

        It’s because of SSO. If your company signs up for something that implements SSO, then the tool will need your mail, recognize that you’re from company X, and forward you to your company’s login page so it can get an auth token.

        • saigot@lemmy.ca · 2 points · 21 hours ago

          GitHub doesn’t use a two-screen login but still works with SSO.

        • osugi_sakae@midwest.social · 4 points · 1 day ago

          Yes, this, but I don’t think just for organization’s login pages. The email may also lead to a google sign in (for example) or some other single sign on (SSO). The site you are on needs to know the email to decide what to show next to continue the log in process.

          That said, web devs should be coding the fields correctly.

      • JackbyDev@programming.dev · 5 points · 1 day ago

        Auto fill attacks is a weird way of saying password managers. You know. Those things that make it easier to use good password practices and be more secure.

        • mic_check_one_two@lemmy.dbzer0.com · 3 points · 1 day ago

          I mean, there’s a reason browsers moved towards asking to autofill. Back when browsers would just do it automatically, there were malicious pages/ads that would hide fake username+password fields offscreen. So when the ad loaded, the browser would try to be helpful and would autofill the info. Then the ad would simply capture the autofilled info, and now your account is compromised.

          Autofill attacks were so awful because the browser automatically did it without asking first. It was literally a zero-click drive-by attack that nabbed your info without any prompting or alerts on the user’s end. So to try and combat this, browsers moved towards requiring a prompt.

          Tangentially, malicious ads then started using clipboard attacks instead. The ad would simply request your clipboard data, because there was a very good chance that it was your password. That’s why browsers stopped allowing sites to request clipboard data at all, and now it requires the user to actually push the data via Ctrl+V instead. Anyone who has used Google Docs/Google Sheets will be able to tell you that Right Click > Paste doesn’t work, and it’s because the site isn’t allowed to request access to your system’s clipboard.
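The hidden-field attack described in the comment above works because the credential is written into a field the user never sees. The following is an added example for this page, not code from the thread or from any browser or password manager; it models the gate a manager puts in front of autofill: credentials go only to a field that is actually rendered on screen, in a frame of the same origin the credential was saved for, and only after the user asks. The field descriptors, origins and viewport are constructed; in a browser extension they would be built from getComputedStyle(el), el.getBoundingClientRect() and location.origin.

```javascript
// Added example: the visibility and origin checks before offering autofill.
const VIEWPORT = { width: 1280, height: 800 }; // constructed viewport size

function isRenderedOnScreen(field) {
  const r = field.rect;
  if (field.display === "none" || field.visibility === "hidden") return false;
  if (field.opacity < 0.1) return false;                              // effectively invisible
  if (r.width < 2 || r.height < 2) return false;                      // collapsed to a sliver
  if (r.left + r.width <= 0 || r.top + r.height <= 0) return false;   // parked past the top/left edge
  if (r.left >= VIEWPORT.width || r.top >= VIEWPORT.height) return false; // parked past the right/bottom edge
  return true;
}

function autofillDecision(field, ctx) {
  if (ctx.frameOrigin !== ctx.pageOrigin) return { fill: false, reason: "cross-origin frame" }; // e.g. an ad iframe
  if (ctx.pageOrigin !== ctx.credentialOrigin) return { fill: false, reason: "origin mismatch" };
  if (!isRenderedOnScreen(field)) return { fill: false, reason: "field not visible" };
  if (!ctx.userGesture) return { fill: false, reason: "no user interaction" }; // the prompt browsers added
  return { fill: true };
}

// Constructed sample fields and context.
const visibleLogin = { display: "block", visibility: "visible", opacity: 1,
  rect: { left: 400, top: 300, width: 240, height: 32 } };
const offscreenTrap = { display: "block", visibility: "visible", opacity: 1,
  rect: { left: -9999, top: 0, width: 240, height: 32 } };
const transparentTrap = { display: "block", visibility: "visible", opacity: 0,
  rect: { left: 400, top: 300, width: 240, height: 32 } };
const sameOrigin = { pageOrigin: "https://example.com", frameOrigin: "https://example.com",
  credentialOrigin: "https://example.com", userGesture: true };
```

The frame-origin check is what stops an ad or widget loaded from another origin from receiving credentials saved for the page it sits in; the visibility checks cover the same-origin case where a compromised page hides the fields itself.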

          • JackbyDev@programming.dev · 3 points · 1 day ago

            That’s all very interesting and insightful, but I don’t see how a site putting username and password entry on separate screens helps mitigate any of this, unless they’re doing something like showing ads on the page that asks for the username but not the one that asks for the password? I typically use ad blockers so I genuinely don’t know what’s standard. My gut feeling would be that they don’t show ads on those pages at all. Apart from sites that have username and password boxes on the main page. But that’s still no reason to split the password from the username if both are on a dedicated page with no ads. I don’t see how it would prevent against fake password entry boxes either. Most of those sound like things the browser would ultimately need to mitigate against since any site could be compromised. Obviously sites have some role in it too.

      • AppleTea@lemmy.zip · 2 points · 1 day ago

        KeePassXC lets you edit the auto-type for each individual password, so you can have it go

        {USERNAME} {ENTER} {DELAY X} {PASSWORD} {ENTER}

        X would be the number of milliseconds you may need for the next page to load in.

  • untorquer@lemmy.world · 15 points · edited · 1 day ago

    Shout out to

    <<Login>>

    Uname:

    Pword:

    Or sign in with [Gargle] [Equis] [Fightbook]

    Don’t have an account? [Sign up here!]

    • Mniot@programming.dev · 6 points · 22 hours ago

      It’s shitty, but it’s not “enshittification”.

      Doctorow’s explanation goes

      Here is how platforms die: first, they are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die. I call this enshittification

      What the OP describes is just obnoxious design. To be enshittification it should be a change from better UX to worse and the change should be an attempt by the site to grab some extra cash.

      Twitter requiring an account to see replies to a tweet is an example: they’re trying to juice their user count.

  • salacious_coaster@infosec.pub · 73 points · 2 days ago

    In all seriousness, I’m hating this latest trend where you click the “login” button (page refresh 1) and they ask if you want to use a one time code or password, and I use a password manager like a functioning adult, so I click “password” (page refresh 2, could have already been logged in by now) and THEN I get to input my password (page refresh 3) and then they’re like “y’know what, we’re gonna send you a one-time code anyway” (page refresh 4) so I have to retrieve that and finally get to login on page FIVE.

    We used to be a proper Internet.

    • colin@lemmy.uninsane.org · 3 points · 15 hours ago

      Don’t forget the “install our app to make the next login faster” interstitial after you press “login”. Can you really claim they don’t care about how painful their login process is when they’ve gone out of their way like that to provide you with a less painful option??

    • Norah (pup/it/she)@lemmy.blahaj.zone · 48 points · 2 days ago

      Then the chucklefucks manage to have the worst backend security imaginable and all your data gets breached in a leak anyway but they make their security look really impressive to customers so for six glorious months they created Shareholder Value and the c-suite already took their golden parachutes.

      • Randelung@lemmy.world · 11 points · 1 day ago

        The most grievous mistake designers make is to assume the attacker will take the front door and pick the lock instead of breaking a window, walking through the hole in the fence and taking the side door, or just walking through the other side, where literally the whole wall is missing.

        But at least you have a padlock, a deadbolt, a high security door lock, a chain link, a Nest AND a Ring camera.

  • Rose Thorne(She/Her)@lemmy.zip · 55 points · 2 days ago

    Don’t trust any website that asks for your bones.

    It’s secretly run by the rambling gambling skeletons. No one wants to play euchre anymore, so they had to take a different angle.

  • snooggums@lemmy.world · 36 points · 2 days ago

    "i really like this thing where websites will have separate “log in” & “sign up” buttons and if you click “log in” it takes you to a sign-up screen anyway so you have to click “i already have an account

    I used to wonder if I clicked the wrong thing but this is so fucking common that I just assume the website is designed by idiots who can’t use a single button for the same thing.

    • SpaceNoodle@lemmy.world · 18 points · 2 days ago

      The PM insists that there be separate buttons labeled thusly and that they do the exact same thing

      • atomicbocks@sh.itjust.works · 4 points · 2 days ago

        In my experience it’s been because the login app was done by a different team than this web app and this PM promised that they could save time by reusing the old code.

      • snooggums@lemmy.world · 4 points · edited · 2 days ago

        If the PM gets to make design decisions then that counts.

        I know why it ends up this way, because the stupid people who complain the most don’t know if they have an account or not, but the workflow that has become common is the most frustrating one for users who do know what they are doing.

  • osugi_sakae@midwest.social · 7 points · 1 day ago

    Not as bad as the log in button taking you to the sign up page, but my local library’s site has a “log in” button that, when you click it, brings up “log in” and “sign up” options on a CSS drop down (though I’m sure they use javascript, just because why do it the easy, safe way). You literally have to click “log in” twice to get to the log in page.

  • infinitesunrise@slrpnk.net · 18 points · 2 days ago

    Also shout out to front end js libraries that hijack and discard familiar default page rendering behavior in favor of asserting their own arbitrary, untrustworthy, and inferior render behaviors that break completely outside of chrome browser or with any extensions running, gotta be my least favorite gender.

    Like how so many sites just fuckin come to a dead stop and reload completely if you click literally anything because the developer didn’t follow React design philosophy perfectly. Thanks a million, Facebook, so cool so cool.

  • Lvxferre [he/him]@mander.xyz · 20 points · 2 days ago

    do you want to give us your phone number for future sign-ins?

    Urgh, that’s probably the worst part.

    I don’t mind mail-based 2FA. However, since I see “random sites have your phone number” as a bigger threat than “skript kiddo might hack your password”, if the 2FA must use my phone number, I’ll genuinely think about whether I really need an account on that site, and probably give up.

    • kautau@lemmy.world · 16 points · 2 days ago

      All sites should support TOTP, fuck email/sms OTPs, and especially fuck sites that think being “passwordless” but sending a code to my email is secure.

  • cogitase@lemmy.dbzer0.com · 20 points · 2 days ago

    You’re not actually giving the website access to your fingerprint or other biometric information by doing that. That’s all handled on your device which then sends a verification message.