Post by @david_chisnall@infosec.exchange

David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall@infosec.exchange · 4 hours ago

People designing web login UIs:

There is sometimes a legitimate reason to put the username and password field on different pages. If you are integrating with multiple third-party SSO providers in such a way that you need the username to decide where to send the person to log in, and you should never have access to their password, please do this. Otherwise, you are just making life harder for browser autofill for absolutely no reason and that is likely to make phishing your users easier. Stop it.

Fazal Majid

@fazalmajid@social.vivaldi.net · 2 hours ago

@david_chisnall and then you have sites that block browser autofill or copy-paste, usually by checking the timing of keystrokes or rejecting too fast entry. And my ~~favorite~~, PayPal refusing Yubikey 2FA because "you are on a mobile browser and mobile browsers don't support FIDO2 keys", even though that is the whole point of the NFC-enabled Yubikeys, even before the transition to USB-C means you can just plug the key into the USB-C port.

David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall@infosec.exchange · 2 hours ago

@fazalmajid The worst of these that I've seen is NS&I, which does everything it possibly can to thwart secure password storage, and then logs you out and makes you go through the whole log-in flow again if you have the temerity to press the back button anywhere on their site.

National Savings and Investments - Wikipedia

Fazal Majid

@fazalmajid@social.vivaldi.net · 2 hours ago

@david_chisnall Not to mention all the absurd password composition rules and rotation requirements which fall afoul of the revised NIST SP-800-63B. All security theater.

I also have a rule of thumb: if your login succeeds in less than 2 seconds, that means they are not using a strong enough password hash (or possibly not even salting and hashing passwords) and you can safely assume the site is insecure.

There is no world in which making the use of password managers harder enhances security.

kc :blobcatheart:

@kc@mastodon.dragoncave.dev · 3 hours ago

@david_chisnall my uni's SSO page switched so it asks for email and password on different pages (and there's yet a third page for the OTP code)

the flow is now horrible if you actually wanted to login into the uni Google workspace because now there's 2 pages in the flow that only ask for your email

Andrew France

@Odaeus@social.vivaldi.net · 3 hours ago

@david_chisnall this is such an annoying trend. I've seen some that support password managers. I haven't looked behind the scenes but I suspect they have an obscured password field that the autofill can still see, and simply display that in the next step. I thought Apple did this, but just checked, and no, even with them I have to do the fill twice.

Edvin Malinovskis

@nCrazed@fd00.space · 4 hours ago

@david_chisnall I've been wondering why almost every login form has become this a few years ago.

Is it really just cargo culting? 😐

David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall@infosec.exchange · 4 hours ago

@nCrazed Either that, or the expectation that they may want to support that flow later. I suspect there are some login widgets in frameworks that are designed for this flow and people just use them without understanding.