Random security question. Form “I forgot my passwo...
# random
o
Random security question. Form “I forgot my password” (properly) shows this after submit:
If there is an account associated with <your email> you will receive an email with a link to reset your password.
This doesn’t give potential attacker any information if the address is registered or not. But what would be a proper error message for when you register new account and email is already there?
k
l
I think I once read an article (or a book? 🤔) that UX beats “Security” in this case. I'll see if I can find it
takes the same line as “visible password by default”
k
Visible password by default? What?
it’s like 99% of the time nobody is actually watching you while you enter your password
k
Right and so that 1% you forget to check it... I honestly hoped that article was satire.
I'm all in favour of providing the option to show it, but not by default.
l
the article is a little old, and the conclusion is not taking mobile into consideration (where you are being watched all the time). for desktop I agree. however typing a password on mobile is so damn awkward that I always enable the “see password” option
k
Hmm
Password masking has proven to be a particularly nasty usability problem in our testing of mobile devices, where typing is difficult and typos are common. But the problem exists for desktop users as well.
l
woops
k
You usually get to see the last typed character for a bit, right?
l
yeah, but I don’t type the pw letter by letter.
Anyway, I would definitely not start criticizing the results of their usability studies. the conclusion is obviously up for discussion
@karelpeeters btw I found that:
>> Offer the option of showing passwords in clear. However, unmasking does not need to be the default for login. Although we advocated for this practice for a long time, only recently sites and apps have started adopting it, and some users can feel unsecure when seeing the password characters in clear. That is why, at this stage, we recommend masking the password by default and presenting users with a Show password checkbox that allows them to unmask it.
now we’re both happy 😉
k
Right that's a good middle ground ☺️
o
Or just use 1password with touchID auth 🙂
👍 1
e
or lastpass, yeah. i never type my passwords in anymore. i don't even know most of them.
k
That's another password manager? Is it better than Lastpass?
e
1password is pretty nice. their windows client sucked last time I used it.
t
@lovis it’s like 99% of the time nobody is actually watching you while you enter your password
if you don't mask, some mobile keyboards will store and predict your password
l
don’t know about iOS, but for android the inputType for the TextView is called `textVisiblePassword`
nothing will be stored/predicted (actually, that’s the only thing that works for all manufacturers! 🙄)
t
i meant for `<input>` elements, the article seemed to be discussing web rather than native
when it comes to native i have no clue
l
you’re right
b
Well, both natively and through the webview, a malicious keyboard app can store your password or anything you type
Changing the input type can't prevent that
the input type only gives hints to the keyboard about how it should work, e.g. not storing the input, or showing just numbers
but if the keyboard wants to store/log/process your input, it's gonna do it anyway
👍 1
t
sure, but the non-malicious ones won't know that it's a password unless you use the correct type, so in general i think it's a very bad idea to not mask passwords
b
That among other things is why now I can't live with a phone without a good fingerprint reader
@tipsy Sure, although I don't think any keyboard should store what I type by default, regardless of where I'm typing
k
That allows it to give better suggestions in the future and to suggest typo fixes.
b
Yeah I know, but only when I add the word to the dictionary manually, not by default
I'm not saying a keyboard shouldn't process the input, I'm talking about storing what I type
Like that story about SwiftKey suggesting the bank password to someone who was typing an email or something 😄
I know the bank should have tagged the password input, but it's still annoying