Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Theoretical question here:
How do people feel about the restrictions that registration forms have for users' passwords? Meaning, is it wise to make a condition that the user must have a capital letter, a number and a special character? I recognize that those conditions usually would require users to make a more secure password, but would that be annoying to a majority of users (it annoys me that a website assumes I do not have the capacity to create a secure password)? Any opinions one way or the other?
Yes, pretty much. You should also make a JS script to check the password strength while the user is typing it in, just to inform the user and not let him submit it before a certain strength level is reached.
I would recommend some sort of password requirement to ensure basic security. However, making the requirements too stringent will hurt usability and, if they're encountering a rule they're not familiar with, could force them to create a new password which they could later forget. My advice would be to look over the requirements for popular websites such as Google, Facebook, etc. to get an idea of common requirements. If they've already encountered whatever requirements your website uses, they're less likely to get upset and can reuse memorized passwords.
Note: I know password reuse is a bad idea, but the majority of internet users don't want to memorize a new password for each site they create an account for, and it's therefore best from a usability perspective to allow them to do so.
You should also be careful about what characters you are going to allow in the password. Some secure input controls only allow ASCII.
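As an added example (not code from the thread or from any of the answerers), here is the kind of rule check the answers describe, written in Python so that the same function can back both the registration endpoint and a strength indicator. The rules mirror the ones named in the question (an upper-case letter, a digit, a special character, plus a minimum length) and the ASCII-only note above; the exact thresholds, the 0 to 4 scoring scale and the function names are assumptions for illustration. Whatever the browser shows while typing, the server has to run the identical check, because the client-side script can be bypassed.

```python
import string

# Constructed policy: thresholds and scoring scale are assumptions, not taken
# from any real site's rules.
MIN_LENGTH = 8
STRONG_LENGTH = 12
SPECIALS = set(string.punctuation)
# Printable ASCII minus whitespace control characters, for the ASCII-only note.
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")


def policy_violations(password: str) -> list:
    """Return the names of the rules the password fails; an empty list means accepted."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append("min_length")
    if not any(c.isupper() for c in password):
        failed.append("uppercase")
    if not any(c.isdigit() for c in password):
        failed.append("digit")
    if not any(c in SPECIALS for c in password):
        failed.append("special")
    if not all(c in ALLOWED for c in password):
        failed.append("non_ascii")
    return failed


def strength_score(password: str) -> int:
    """Crude 0-4 indicator for a live strength meter.

    One point per character class present (lower, upper, digit, special) and one
    for length >= STRONG_LENGTH, capped at 4; anything below MIN_LENGTH is capped at 1.
    """
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])
    score = classes + (1 if len(password) >= STRONG_LENGTH else 0)
    if len(password) < MIN_LENGTH:
        score = min(score, 1)
    return min(score, 4)


def accept_registration(password: str, min_score: int = 3) -> bool:
    """Server-side gate: the policy must pass and the meter must reach min_score."""
    return not policy_violations(password) and strength_score(password) >= min_score


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "Ab1!"]:
        print(pw, policy_violations(pw), strength_score(pw), accept_registration(pw))
```

The violation list, rather than a bare yes/no, is what lets the form tell the user which rule tripped instead of showing a generic error, which is the usability point the second answer makes.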
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
Social media sign in has become popular to use on websites, but what negatives are there with its use?
Does integration add trackers to your site?
Does it slow overall performance?
Are some social media logins better than others?
I haven't found much info on this online, and all the data I've seen is on conversions and marketing. I'd love to hear facts from the development side.
Edit: I'm feeling confused by the downvotes. How is my question bad or irrelevant? Social sharing buttons were all the rage but most people agree now that it isn't worth it, even though it seemed at first to have great results; and from the development side, it slowed page loading and added trackers to our sites.
The companies most excited about the buttons before, as I recall, were companies selling ways to add a ton of those buttons to your site; and most of the advocates I see now are similarly marketing products that allow you to add a ton of buttons. I'm asking what login does from an angle other than popular marketing.
Using OpenID for login is great because you don't have to remember many different logins, and even though there are some minor problems, I don't think you shouldn't use it (I'll use Facebook as an example here):
The user has to trust you. Maybe you want read access, so you could read what you wrote on Facebook. You could use the data for marketing, even if you just get his ID.
The user (and you) has to trust Facebook. They know on which page the user is logged on (you got a shop for dog food? the user will get ads for dog food as soon as he logs in!), and they could even log in as the user himself - theoretically, of course.
You are missing information like mail address and other things. There are workarounds, and they are working.
Don't ever (!) use only OpenID login or something similar (exception: you need to actually do things with the data you get - e.g. twitter bots)! You're forcing users to sign up for a social network they don't want. YouTube did this, and it wasn't very successful (except for the fact that there are "millions" of G+ users... Yeah.)
Except for that, I don't see anything wrong with OpenID login. Many big pages use it, and as long as the user has the possibility to log in conventionally, why shouldn't you use it?
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
There is a password generator that generates passwords based on known rules (a minimum of 10 characters in length, at least 1 of each of uppercase, lowercase, and numeric characters).
No ability to see the source code for this generator. I am just able to generate passwords and automate this process.
How would you test if this generator provides unique passwords assuming each password meets rules specified?
Thanks,
Racoon.
It does not generate unique passwords - that much I can guarantee you.
If you run this password generator a hundred billion times, what are you expecting to be true of the output? Are you really expecting that every one of those hundred-billion passwords will be different?
If what you're instead trying to ask is whether the passwords will be reasonably unique, then you need to define what you mean by 'reasonably unique'.
It also depends on the nature of the rules you specify for generating these passwords. If you specify a maximum length for passwords, then you have by definition set an upper limit on how many unique passwords there even are. Even if you don't, the only way you're getting guaranteed-unique passwords is if said passwords are allowed to grow to lengths that will make them totally impractical to use.
I think my question was incorrect. Every password generator sooner or later provides a value that has appeared earlier. Better to think of randomness than uniqueness.
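As an added example, not from the thread, here is how one can audit a black-box generator under the rules in the question (at least 10 characters, at least one upper-case letter, one lower-case letter and one digit) when only its output is available. It counts the size of the compliant output space by inclusion-exclusion, derives the birthday-bound number of duplicates a uniform generator should produce for a given sample size, and compares that with the duplicates actually observed. Two constructed generators stand in for the real one: `sample_generator`, which draws uniformly from the compliant space with the `secrets` CSPRNG, and `weak_generator`, which is deliberately reduced to 1000 possible seeds so that its duplicates show up within a few hundred samples. All function names are assumptions for illustration.

```python
import random
import secrets
import string
from collections import Counter
from itertools import combinations

UPPER, LOWER, DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits
ALPHABET = UPPER + LOWER + DIGIT
MIN_LEN = 10


def compliant(pw: str) -> bool:
    """The rules from the question: length >= 10, at least one upper, lower and digit."""
    return (len(pw) >= MIN_LEN
            and any(c in UPPER for c in pw)
            and any(c in LOWER for c in pw)
            and any(c in DIGIT for c in pw))


def space_size(length: int) -> int:
    """Number of strings of exactly `length` chars over ALPHABET containing at least
    one character of each class, by inclusion-exclusion over the excluded classes."""
    classes = [len(UPPER), len(LOWER), len(DIGIT)]
    total = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(classes, k):
            total += (-1) ** k * (len(ALPHABET) - sum(excluded)) ** length
    return total


def expected_collisions(samples: int, space: int) -> float:
    """Birthday-bound approximation of duplicate pairs among uniform draws."""
    return samples * (samples - 1) / (2 * space)


def count_duplicates(passwords) -> int:
    """Number of outputs that repeat an earlier output."""
    return sum(n - 1 for n in Counter(passwords).values() if n > 1)


def sample_generator(length: int = MIN_LEN) -> str:
    """Constructed good generator: uniform over compliant strings via rejection sampling."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if compliant(pw):
            return pw


def weak_generator(length: int = MIN_LEN) -> str:
    """Constructed bad generator: output depends only on one of 1000 seeds, so the
    whole output space is 1000 passwords no matter how long they are."""
    rng = random.Random(secrets.randbelow(1000))
    while True:
        pw = "".join(rng.choice(ALPHABET) for _ in range(length))
        if compliant(pw):
            return pw


def audit(generator, samples: int, length: int = MIN_LEN) -> dict:
    """Run the generator `samples` times and compare observed with expected duplicates."""
    pws = [generator() for _ in range(samples)]
    return {
        "non_compliant": sum(not compliant(p) for p in pws),
        "duplicates": count_duplicates(pws),
        "expected_duplicates": expected_collisions(samples, space_size(length)),
    }


if __name__ == "__main__":
    print("space for length 10:", space_size(MIN_LEN))
    print("good:", audit(sample_generator, 500))
    print("weak:", audit(weak_generator, 500))
```

A generator that produces far more duplicates than `expected_duplicates` predicts is drawing from a much smaller space than its format suggests, which is the randomness problem the follow-up comment points at; a result of zero duplicates on a few thousand samples, on the other hand, proves nothing, because the birthday bound for a space of about 7e17 says zero is exactly what a good generator returns too.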
Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
My friend easily finds my password using Firebug, i.e. when I am on the login page, my friend uses Inspect Element to find the password element and changes type="password" to type="text", and now it shows the password. How do I avoid this?
Obviously your friend can only do this if he can get to your PC while it's got the page loaded and mess around in Firebug. And then, since all he's done is make the password characters visible, to find out what your password is he has to stand over your shoulder to watch you type it.
This sounds more like a prank than a serious hack attempt. There are much worse ways to get hacked than that, especially if someone has direct access to your PC while you're logged in.
If you're writing a web site, and you're really worried about this sort of thing, there are steps you can take to prevent it.
For example, instead of asking the user to enter their whole password, you could give them a set of text boxes and ask them to enter just a few random characters from their password -- eg you could ask them to enter the first, fourth and eighth characters. This means that even if someone was watching what they typed, they'd only find out part of the password, which would be useless to them next time when the site asked for a different set of characters.
There are, of course, flaws in this scheme too, and it's a lot more of a hassle for the user, but it is considered more secure.
But typically it's only banking sites and the like that go to this sort of length to protect passwords. Most normal sites don't need this sort of level of security.
The best solution is to .. not store your passwords in your browser.
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 5 years ago.
I am going to be taking over from a developer here at work soon. Hence, I'll be supporting all the applications that he has written over the last few years.
My question is, when supporting an application that you probably don't know much about, what kind of documentation is most helpful to get a handle on how to fix problems, extend functionality, modify functionality, etc? I'm thinking it would need to give you an overview of what the software does, what interfaces it has to other software, what databases it uses, usernames, passwords, and so on.
Is there such a thing as a software support document? Referrals to any templates would be most helpful.
BTW, unfortunately, there are no requirements documents, specs, etc! So, really my question is, if my colleague had a day to write a single document for each application so that I could (more easily) support it, what would that document be and/or what would it look like?
I would ask for primarily some sort of flow chart/schema of the way the app functions.
I would want to be able to know how each file interacts with other files (and the database). So this way, you'd know where to start to fix a bug or add a new feature, etc.
So to do a quick, text mockup of it:
Index.php -> Login.php -> Dashboard.php
Index.php:
Has login box. Submits login info to login.php
Login.php:
Verifies data with database entries, shows error on fail or sends to Dashboard.php
Dashboard.php:
Once logged in this acts as a main menu
Something along these lines? For basic documentation I'd think this is the way to go.
Hope this helps. Good luck!
Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Before I go crazy and try to script a way to lock folks out of their accounts on multiple failed attempts, is a captcha ideal? I've seen several sites that do this, but wasn't sure how effective it would be. Granted, if a human is indeed trying to "hack" into someone else's account, I would think blocking access for a few minutes would be much better than having them input some random obscure characters.
CAPTCHAs are a common solution. They're rarely ideal.
One suggestion: Offer x chances (say 3) at which point you lock the account and then require some sort of email validation to unlock.
Otherwise, I think giving 1 or 2 freebie chances is fine and then switching over to a CAPTCHA'd login is acceptable.
If you aren't having spambot problems, CAPTCHAs are rarely a good solution. They are just annoying. I agree with DA's email verification idea.
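As an added example, not from the thread, the combined suggestion of the two answers (a couple of free attempts, then a CAPTCHA, then a temporary lock that e-mail validation can clear) can be written as a small server-side state machine. The class, thresholds and method names below are assumptions for illustration; the clock is injected so the behaviour can be tested without waiting.

```python
import time
from dataclasses import dataclass, field

# Constructed policy; the numbers are assumptions illustrating the thread's advice.
FREE_ATTEMPTS = 2          # failures allowed before a CAPTCHA is required
LOCK_AFTER = 5             # failures at which the account locks
LOCK_SECONDS = 15 * 60     # temporary lock; e-mail validation can unlock earlier
FAILURE_WINDOW = 60 * 60   # failures older than this are forgotten


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    @staticmethod
    def _prune(st: AccountState, now: float) -> None:
        st.failures = [t for t in st.failures if now - t < FAILURE_WINDOW]

    def status(self, user: str) -> str:
        """'ok' (plain login), 'captcha' (CAPTCHA required) or 'locked'."""
        st, now = self._state(user), self.clock()
        if now < st.locked_until:
            return "locked"
        self._prune(st, now)
        return "captcha" if len(st.failures) >= FREE_ATTEMPTS else "ok"

    def record_failure(self, user: str) -> str:
        """Call after a wrong password; returns the new status for the user."""
        st, now = self._state(user), self.clock()
        if now < st.locked_until:
            return "locked"          # attempts while locked are not even checked
        self._prune(st, now)
        st.failures.append(now)
        if len(st.failures) >= LOCK_AFTER:
            st.locked_until = now + LOCK_SECONDS
        return self.status(user)

    def record_success(self, user: str) -> None:
        self.accounts.pop(user, None)

    def unlock_via_email(self, user: str) -> None:
        """Call only after the user has proven control of the registered e-mail."""
        self.accounts.pop(user, None)


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(LOCK_AFTER):
        print(t.record_failure("alice"))
    t.unlock_via_email("alice")
    print(t.status("alice"))
```

Two points worth keeping in mind with this shape: the lock is per account, so someone who knows a username can keep a legitimate user locked out by failing on purpose, which is why the lock is temporary and the e-mail unlock path exists; and failures should be counted only after the CAPTCHA (when required) has been verified, otherwise the CAPTCHA stage protects nothing.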