
re: Are login forms that ask for your username and password on two different pages more secure?


This is more secure and has a few extra benefits.

  • Makes generic http(s) form interception much more difficult.
  • Allows synchronous user specific logic defined by the server without the need for preset JavaScript or an added roundtrip.
  • Debatably improves UX
    • ex. Add logic to determine if the user exists, and if not show them the registration form instead of requesting a password. !!! Please note the security risk involved with doing this!!!
  • Cleans up the page

I would like to add in addition that you can accomplish the second bullet point using JavaScript alternatively.
For example, you could add JavaScript logic to listen for changes to the email text input, and conditionally redirect the user if they put an email with specific domain(s).

  • Do you mean that if you can intercept and decode HTTPS traffic but only on 50% of requests, then you have a 25% chance of intercepting both username and password?
  • The two-step form already is an added roundtrip, and in addition requires user interaction, so it’s a thousand times slower than an Ajax roundtrip;
  • Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;
  • Excuse me?

Right. It’s almost as good a feature as the “This password is already used by user SoonToBeP0wned666, please choose another one” error message;

To be honest, it's not that much of a difference with the traditional approach when you send e-mail and password at the same time. You'd still receive an error telling you that this e-mail is taken/invalid password, so asking the e-mail first does not make that much of a difference, but it really improves the UX imo (I don't have to go to the register page if the e-mail is not found, the form would change itself on the fly).

Makes generic http(s) form interception much more difficult.

How?
