We're all developers here so I couldn't agree more.

Still, I'm running a commercial website so I'm a slave to what my users want.
As far as my customers are concerned, security comes second after ease of use...

Anyway, you have to admit that the examples I gave in the first post are 
misleading in terms of user experience, right?

Isn't there a way to improve it without compromising security too much?
I can see one: erasing input fields after each validation failure (blank 
fields are less misleading). Do you see others?


On 25 July 2014 at 15:19, Willoughby <[email protected]> wrote:

> A simple Google search will yield people complaining about their host 
> accounts getting hacked on airbnb.
> Just because someone or something large 'does it that way' doesn't mean it's 
> a best practice!
> 
> On Friday, July 25, 2014 9:08:00 AM UTC-4, Louis Amon wrote:
> I don't see much of a security threat here.
> What's the worst-case scenario?
> 
> If you take a look at airbnb.com, their registration form keeps your typed 
> password even if you fail validation on other fields.
> 
> If a website that big can do it then surely my small website will pull 
> through, don't you think?
> 
> On 25 July 2014 at 14:47, Niphlod <[email protected]> wrote:
> 
>> So you really want the webpage to return the actual password instead of 
>> asterisks? It's a big security risk, no matter what user experience 
>> says...
>> 
>> On Friday, July 25, 2014 10:53:40 AM UTC+2, Louis Amon wrote:
>> I'm trying to improve user experience on my website and I noticed a rather 
>> annoying behavior on password fields:
>> 
>> If I type a password longer than 8 characters and somehow my form fails 
>> (some other field didn't validate), my password gets replaced by "********" 
>> in request.vars.password.
>> 
>> For example:
>> I try to login and mistype my username --> login form fails.
>> I correct the mistake in the username and press the submit button again --> 
>> login still fails, because the password got replaced by '*********' under 
>> the hood.
>> 
>> Another example:
>> I try to register and type my password but mistype my password verification 
>> (password_two) --> register form fails.
>> I focus the password_two field and retype my password --> register still 
>> fails because the original password field got replaced...
>> 
>> This behavior is extremely frustrating for users as they can't print 
>> request.vars.password like a developer would. All they see is obfuscated 
>> passwords.
>> I cannot have this on my commercial website.
>> 
>> 
>> Is there any way to fix this?
>> 
>> -- 
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> --- 
>> You received this message because you are subscribed to a topic in the 
>> Google Groups "web2py-users" group.
>> To unsubscribe from this topic, visit 
>> https://groups.google.com/d/topic/web2py/T1vfDXDgsmE/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to 
>> [email protected].
>> For more options, visit https://groups.google.com/d/optout.
> 
> 

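The two behaviours argued over in this thread, as an added example that is not part of the thread and not web2py's own code: a small form handler that, on validation failure, either echoes a run of asterisks back into the password inputs (the behaviour the original post complains about, where the second submit silently sends the mask) or blanks the password inputs so the user can see they must retype them. The field names, the toy user store, the validators and the error messages are all constructed for the example; no real framework API is used.

```python
"""Added example (not from the thread or web2py): re-rendering a form after a
validation failure without leaking or silently corrupting password fields.

Two re-render modes are modelled:
  * "mask_echo": the submitted password is replaced by '********' in the
    re-rendered input, so a second submit sends the asterisks (the failure
    mode described in the thread).
  * "blank": password inputs are never echoed back; they come back empty and
    the user retypes them, which is the safe default for a re-rendered form.
All names, accounts and messages below are constructed for the example.
"""
import hashlib
import hmac
import os
import re

PASSWORD_FIELDS = frozenset({"password", "password_two"})  # never echoed back
MASK = "********"
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: username -> (salt, derived key). Not a real account.
_SALT = os.urandom(16)
USERS = {"louis": (_SALT, _hash_password("correct horse battery", _SALT))}


def check_login(username: str, password: str) -> bool:
    """Constant-time comparison of the derived key; unknown users still cost a hash."""
    salt, digest = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = _hash_password(password, salt)
    return username in USERS and hmac.compare_digest(candidate, digest)


def validate_login(vars: dict) -> dict:
    """Return a field -> message dict; empty means the form is valid."""
    errors = {}
    username = vars.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        errors["username"] = "invalid username"
    elif not check_login(username, vars.get("password", "")):
        errors["password"] = "invalid login"
    return errors


def validate_register(vars: dict) -> dict:
    errors = {}
    if not USERNAME_RE.fullmatch(vars.get("username", "")):
        errors["username"] = "invalid username"
    pw, pw2 = vars.get("password", ""), vars.get("password_two", "")
    if len(pw) < 8:
        errors["password"] = "too short"
    elif pw != pw2:
        errors["password_two"] = "passwords do not match"
    return errors


def rerender_values(vars: dict, mode: str) -> dict:
    """Values written back into the form's inputs after a failed submit.

    Non-sensitive fields are echoed so the user only fixes what was wrong.
    Password fields are either replaced by the mask (problematic) or blanked.
    """
    out = {}
    for name, value in vars.items():
        if name in PASSWORD_FIELDS:
            out[name] = MASK if mode == "mask_echo" else ""
        else:
            out[name] = value
    return out


def simulate_retry(validator, first_vars: dict, edits: dict, mode: str):
    """First submit fails; the browser shows the re-rendered values; the user
    changes only the fields in `edits` and submits again.

    Returns (first_errors, second_submission, second_errors).
    """
    first_errors = validator(first_vars)
    second = rerender_values(first_vars, mode)
    second.update(edits)
    return first_errors, second, validator(second)


if __name__ == "__main__":
    bad = {"username": "Louis!", "password": "correct horse battery"}
    # Mask echo: user fixes the username only, unaware the password is now '********'.
    print(simulate_retry(validate_login, bad, {"username": "louis"}, "mask_echo"))
    # Blank: the empty field is visible, so the user retypes the password too.
    print(simulate_retry(validate_login, bad,
                         {"username": "louis", "password": "correct horse battery"}, "blank"))
```

In the mask-echo run the second submission carries the literal `********` in the password field and fails with "invalid login" even though the username is now correct, which is exactly the confusing retry the first post describes; in the blank run the user sees the empty field, retypes, and the second submit succeeds. Blanking costs one retype but never puts the cleartext password back into the response body or a resubmitted request.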
