> don't have a form with just a login email and force the user to click to enter the password
This is required for any non trivial auth system though. You not know until the user is submitted if that user has a password or is using something else.
There is no pair for the enterprise users signing in with their company's SSO or those using Passkey.
I think what some sites do is have a visually hidden, not required password field that a password manager can fill in. If it's not a password-based auth, the flow goes to the next step but if it is, it reveals the password field which may already be filled in.
If someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.
Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier. I.E. you can focus attack resources on usernames that have active accounts.
It's very low on my list of concerns though, usually there's much worse problems when I pentest.
> Or how many sites that have a form with only one input don't automatically focus on it.
That's one example where the "web stack" expects every single website to implement things manually that were standard in native UI toolkits. Then of course the majority of websites will not deem it a priority or not realize it's a thing to consider at all - and we end up in a situation like this.
As someone who's built just that, can confirm. If users have SSO configured, or a Passkey, or any other policies apply, you first need to identify the account to be able to determine which options to offer - maybe they don't even have a password in the first place, so displaying the field would cause confusion. As a side effect, this also conveniently allows to check for blocked accounts.
That's debatable. Every best-practice arose to solve a real problem within a context, and is only "best" if that context applies.
If you apply best-practices without a regard for that context, you end up with a dull, cargo-culted checklist of must-haves to beat people over the head with, without deriving any true human value.
The compiler of this artifact is making a judgement call[0] of what best practices apply somewhat universally (to every "decent website"). I haven't yet been convinced of their standing or judgement to make that decision.
[0]: Charitably, I'm assuming they have, rather than, e.g. delegating the judgement to an opaque model's weights.
They should have mentioned Tyrolian (Austrian) loden, a densely woven and felted wool that is reasonably water-resistant. Since that comes from the weaving, it does not require regular reproofing unlike a waxed cotton trench coat. I have a coat that is the best of both worlds, loden with a Gore-Tex membrane.
I also have a lighter weight Ventile raincoat by Private White VC that is absolutely phenomenal. I wish more brands would adopt it and democratize the fabric.
A Gl.iNet GL-MT300N-V2 Mango costs $30 and does it far better. It’s also great for VPN-enabling a device with no VPN support like a smart TV or streaming box.
Palantir revolutionized the enterprise software playbook (more government than enterprise, but I digress) by investing heavily in Forward Deployed Engineers, Palantir engineers deployed at customer sites and working hand in hand with engineers at the customers to make it happen. Most software companies pay only lip service to customer success, and seldom provide any engineering after pre-sales.
You don't have to like the company to respect the hustle. I deem them utterly despicable, on par with IBM who sold the Nazis the tools to round up and exterminate Jews during the Holocaust, and indeed their UK division is run by the grandson of Oswald Mosley, founder of the British Union of Fascists.
Yes, the law of conservation of social capital applies in the UK. There is this inexplicable fascination with the despicable Mitford Sisters (one of which was Oswald's wife). The Germans don't pine for the glamor of Leni Riefenstahl.
- use standard input field names password managers recognize - disable autocompletion and autocapitalization on the login field
- if it's an email, use the correct HTML5 input type
- don't have a form with just a login email and force the user to click to enter the password
- follow NIST SP 800-53, e.g. no SMS 2FA and no arbitrary password rotation and composition rules
Or how many sites that have a form with only one input don't automatically focus on it.
reply