Tags: login



Tuesday, February 27th, 2018

Let’s talk about usernames

This post goes into specifics on Django, but the broader points apply no matter what your tech stack. I’m relieved to find out that The Session is using the tripartite identity pattern (although Huffduffer, alas, isn’t):

What we really want in terms of identifying users is some combination of:

  1. System-level identifier, suitable for use as a target of foreign keys in our database
  2. Login identifier, suitable for use in performing a credential check
  3. Public identity, suitable for displaying to other users

Many systems ask the username to fulfill all three of these roles, which is probably wrong.

Sunday, October 16th, 2016

Your Social Media Fingerprint

Clever! By exploiting the redirect pattern that most social networks use for logging in, and assuming that site’s favicon isn’t stored in a CDN, it’s possible to figure out whether someone is logged into that site.

Wednesday, January 28th, 2015

LukeW | Showing Passwords on Log-In Screens

Luke continues to tilt against the windmills of the security theatre inertia that still has us hiding passwords by default. As ever, he’s got the data to back up his findings.

Monday, September 16th, 2013

IndieAuth now supports OpenID delegation! - Aaron Parecki

It’s sad to see MyOpenID shut down, but now I can simply use IndieAuth instead …which means my delegate URL is simply adactio.com: magic!

Tuesday, October 2nd, 2012

Social Login Buttons Aren’t Worth It | MailChimp Email Marketing Blog

A great in-depth explanation by Aarron on why Mailchimp dropped their Facebook and Twitter log-in options. Partly it was the NASCAR problem, but the data (provided by user testing with Silverback) also brought up some interesting issues.

Wednesday, September 26th, 2012


I like this passwordless log in pattern but only for specific use cases: when you know that the user has access to email, and when you don’t expect repeat “snacking” visits throughout the day.

Tuesday, November 24th, 2009

Aza’s Thoughts » Identity in the Browser (Firefox)

Aza Raskin shares some mockups of ideas for incorporating identity management into the browser.

Friday, November 13th, 2009

Log in or sign up? - Leah Culver's Blog

Leah has some great ideas on combining "log in" and "sign up" forms into one.

Friday, September 18th, 2009

Sign up and log in

It’s common practice for sign-up forms to include duplicate fields for either password or email, where the user has to type the same thing twice. I deliberately avoided this on the Huffduffer sign-up form. Not long after Huffduffer launched, I was asked about this omission on Get Satisfaction and I defended my position there, citing the audience demographic.

I still think I made the right decision although, in retrospect, I’ve changed my position completely from when I said, “I can see more value in a ‘confirm your password’ field than a ‘confirm your email address’ field.” Thinking about it, getting a correct email address is more important. If a password is entered incorrectly, it can always be reset as long as the site can send a reset link to a valid email address. But if an email address is entered incorrectly, the site has no way of helping a user in difficulty.

Here’s an interesting scripted approach to avoiding duplicate email fields:

The last thing you see before you submit is your own email address.

Sign-up is something that a user should only ever experience once on a site. But the log-in process can be one of the most familiar actions that a user performs. A common convention for log-in forms is a “remember me” checkbox. I have one of those on the Huffduffer log-in page, labelled with “remember me on this Turing machine” (hey, I thought it was cute).

Here’s a question from 37 Signals:

Has the time come to kill the “Remember me” check box and just assume that people using shared computers will simply logout?

There are a lot of arguments, both for and against, in the comments. It prompted me to think about this use case on Huffduffer and I’ve decided to keep the checkbox but I’ve now made it checked by default. I think that while there are very good reasons why somebody wouldn’t want a permanent cookie set on the machine they’re using (many of the use cases are mentioned in the comments to that 37 Signals post), the majority of people find it convenient.

It always pays to think about default states in UI. Good defaults are important:

Defaults are arguably the most important design decisions you’ll ever make as a software developer. Choose good defaults, and users will sing the praises of your software and how easy it is to use. Choose poor defaults, and you’ll face down user angst over configuration, and probably a host of tech support calls as well.

Thursday, August 6th, 2009

Chroma-Hash Demo

Another interesting take on assigning a visual clue to password fields.

Monday, February 9th, 2009

Quantum Random Bit Generator Service

There's no such thing as a good CAPTCHA but if there were, these would be ...Best. CAPTCHAs. Ever!

Monday, August 25th, 2008

iphone login screens - a set on Flickr

Screenshots of various log in screens on the iPhone. I think Cindy has been hanging out with Luke W.

Wednesday, April 9th, 2008

OpenID for Google Accounts

Every Google account can now be an OpenID login thanks to this app built with the Google App Engine.

Tuesday, January 8th, 2008

Yahoo!, Flickr, OpenID and Identity Projection

Looks like Flickr has some interesting plans around OpenID. Our reporter Simon Willison is on the scene.

Thursday, November 1st, 2007

Sign up, get your free BragBucks and start betting in less than a minute on bragster.com

Another sign up form that features hCard input (like Satisfaction). Choose a service (e.g. Flickr, Last.fm, Twitter) or enter your own URL.