56
The Things Users Would Appreciate In Mobile Apps — Smashing Magazine (www.smashingmagazine.com)
submitted 5 months ago by starman@programming.dev to c/programming@programming.dev
10 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[-] jadero@programming.dev 20 points 5 months ago

And yet more sites do it, even on desktop. As far as I can tell, most of them are also doing it in a way that breaks security by validating the username before asking for the password.

[-] Ephera@lemmy.ml 10 points 5 months ago

I know that single sign-on can be integrated that way.

For example, let's say you work at Wheezecakes Inc. and want to log into your programming.dev account. Then you'd type your e-mail address, jadero@wheezecakes.com, into the username field and hit enter.

The webpage sends that to the server, which realizes that you're a Wheezecakes employee, so it redirects you to login.wheezecakes.com or whatever SSO provider is in use, you log in there (or ideally already have a login cookie), and then programming.dev just gets told that, yeah, you're authenticated to login.

So, while it's obviously possible that webpages genuinely do this wrong, you're probably seeing such SSO integration and they're not actually validating the username ahead of time.

[-] jadero@programming.dev 8 points 5 months ago

I have seen some that seem to be doing that kind of thing, but many others that will reject a bad username before asking for a password.

To double check, I just now tried putting a known bad email address into the username field for amazon.ca and was not then asked for a password, but told that no account could be found.

My possibly flawed understanding of login security is that a failed login should reveal nothing about why the login failed in order to prevent information leakage that can be exploited.

[-] Ephera@lemmy.ml 4 points 5 months ago

Hmm, interesting.

And yeah, that is my understanding, too. If an attacker knows that a certain e-mail address has an account associated, they might try to bruteforce the password or send a phishing mail to that e-mail address, which looks like an official mail from Amazon.

I'm guessing, Amazon requires 2FA, which would protect from this to some degree, but still seems unnecessary to hand out information like that.

[-] jadero@programming.dev 2 points 5 months ago

Amazon allows 2FA, but I'm pretty sure they don't require it.

this post was submitted on 07 Apr 2024
56 points (96.7% liked)

Programming

16991 readers
152 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
MaungaHikoi@lemmy.nz