loading...

re: Are login forms that ask for your username and password on two different pages more secure? VIEW POST

TOP OF THREAD FULL DISCUSSION
re: This is more secure and has a few extra benefits. Makes generic http(s) form interception much more difficult. Allows synchronous user specific l...
 
  • Do you mean that if you can intercept and decode HTTPS traffic but only on 50% of requests, then you have 25% percent of chance to intercept both username and password?
  • The two-step form already is an added roundtrip, and in addition requires user interaction to it’s a thousand times slower than an Ajax roundtrip;
  • Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;
  • Excuse me?
 

Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;

To be honest, it's not that much of a difference with the traditional approach when you send e-mail and password at the same time. You'd still receive an error telling you that this e-mail is taken/invalid password, so asking the e-mail first does not make that much of a difference, but it really improves the UX imo (I don't have to go to the register page if the e-mail is not found, the form would change itself on the fly).

Makes generic http(s) form interception much more difficult.

How?

Code of Conduct Report abuse