Do you mean that if you can intercept and decode HTTPS traffic but only on 50% of requests, then you have a 25% chance to intercept both username and password?
The two-step form already is an added roundtrip, and in addition requires user interaction, so it's a thousand times slower than an Ajax roundtrip;
Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;
To be honest, it's not that much of a difference with the traditional approach when you send e-mail and password at the same time. You'd still receive an error telling you that this e-mail is taken/invalid password, so asking the e-mail first does not make that much of a difference, but it really improves the UX imo (I don't have to go to the register page if the e-mail is not found, the form would change itself on the fly).
Makes generic http(s) form interception much more difficult.
How?