I concur completely with Luke’s assessment here. Most password-masking on the web is just security theatre. Displaying password inputs by default (but with an option to hide) should be the norm.
I like this passwordless log in pattern but only for specific use cases: when you know that the user has access to email, and when you don’t expect repeat “snacking” visits throughout the day.
Andy sounds a cautionary note: the password anti-pattern may be dying, but OAuth permission-granting shouldn’t be blasé. This is why granular permissions are so important.
Dana has put together an excellent grab-bag of data on people’s password habits.
A fascinating explanation of why Instapaper is migrating away from its passwordless sign-up.
A quick way of leaving Facebook, Twitter, LinkedIn and MySpace. It uses the password anti-pattern, but after using this, I guess you won't be needing that password again.
Another interesting take on assigning a visual clue to password fields.
Here's an interesting idea: generating a sparkline when you input a password. Familiarity with the generated sparkline acts as a visual aid to the user.
And this, boys and girls, is why the password anti-pattern is bad, m'kay?
A PMOG mission where players learn about the password anti-pattern.
Twitter's promotion of the password anti-pattern bites them on the ass.
David has written an excellent comparison of the two differing mindsets when approaching online authentication. In no uncertain terms, OAuth (or an OAuth style authentication) is right and the password anti-pattern is wrong, wrong, wrong.
I never thought I'd find myself linking to and agreeing with a post on TechC*nt but it's good to see somebody pointing out Facebook's hypocrisy with using the password anti-pattern.
A good overview of the OpenID panel at OSCON: "Is OpenID a panacea, a placebo, or something in between? Opposing viewpoints took turns on center stage Wednesday afternoon at OSCON 2008. The session entitled "A Critical View of OpenID" started off …
Good Reads is responsible for one of the most egregious abuses of trust — using the password anti-pattern to spam your address book. Micki has the details.
An excellent rant by Jeff Atwood that explains just why the password anti-pattern is such an abhorrent practice: "How did we end up in a world where it's even remotely acceptable to ask for someone's email credentials?"
You can now use an API (with BBAuth) to get Yahoo account contact details. There really is no excuse now for still using the password anti-pattern.
Now this is how to do the "find your friends" trick. For Gmail, Yahoo Mail, and Hotmail, Flickr never once asks for your password. Bravo!
Aral points to what is possibly the most egregious password anti-pattern implementation yet: a new startup called Spokeo http://www.spokeo.com/public/join
A cautionary tale that explains just why the password anti-pattern needs to die. Coding horror indeed: in this case, 1,777 Gmail accounts were compromised.
Leisa joins in on the password anti-pattern. As she says, this is a question of ethics. I've already made my position clear to my colleagues and clients. Have you?
Bug 330884 - When different users on one system choose to save or not save passwords for sites, any other user can see sites they not only saved passwords for but can also see what other users have been saving/never saving passwords for.
The guy who submitted this Mozilla bug writes "This privacy flaw has caused my fiancé and I to break up after having dated for 5 years."