A place to cache linked articles (think custom and personal wayback machine)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

index.md 17KB

5 years ago
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107
  1. title: The God Login
  2. url: http://blog.codinghorror.com/the-god-login/
  3. hash_url: fa32abb406282b737d9f0fb65d6ab084
  4. <p>I graduated with a Computer Science minor from the University of Virginia in 1992. The reason it's a minor and not a major is because to major in CS at UVa you had to go through the Engineering School, and I was absolutely not cut out for that kind of hardcore math and physics, to put it mildly. The beauty of a minor was that I could cherry pick all the cool CS classes and skip everything else.</p>
  5. <p>One of my favorite classes, the one I remember the most, was Algorithms. I always told people my Algorithms class was the one part of my college education that influenced me most as a programmer. I wasn't sure exactly why, but a few years ago I had a hunch so I looked up <a href="http://www.cs.cmu.edu/~pausch/Randy/Randy/Vita.html">a certain CV</a> and realized that Randy Pausch – yes, <a href="http://en.wikipedia.org/wiki/The_Last_Lecture">the <em>Last Lecture</em> Randy Pausch</a> – taught that class. The timing is perfect: University of Virginia, Fall 1991, CS461 Analysis of Algorithms, 50 students.</p>
  6. <p>I was one of them.</p>
  7. <p>No wonder I was so impressed. Pausch was an incredible, charismatic teacher, a testament to the old adage that your should choose your teacher first and the class material second, if you bother to at all. It's so true.</p>
  8. <p>In this case, the combination of great teacher and great topic was extra potent, as algorithms are central to what programmers do. Not that we invent new algorithms, but we need to understand the code that's out there, grok why it tends to be fast or slow due to the tradeoffs chosen, and <a href="http://blog.codinghorror.com/everything-is-fast-for-small-n/">choose the <em>correct</em> algorithms</a> for what we're doing. That's essential.</p>
  9. <p>And one of the coolest things Mr. Pausch ever taught me was to ask this question:</p>
  10. <blockquote>
  11. <p>What's the God algorithm for this?</p>
  12. </blockquote>
  13. <p>Well, when sorting a list, obviously God wouldn't bother with a stupid Bubble Sort or Quick Sort or Shell Sort like us mere mortals, God would just immediately place the items in the correct order. Bam. One step. The <a href="http://bigocheatsheet.com/">ultimate lower bound on computation</a>, O(1). Not just fixed time, either, but literally one instantaneous step, <em>because you're freakin' God</em>. </p>
  14. <p><img src="http://blog.codinghorror.com/content/images/2015/01/god-you-asked-for-a-sign.jpg" alt=""/></p>
  15. <p>This kind of blew my mind at the time. </p>
  16. <p>I always suspected that programmers became programmers because <a href="http://blog.codinghorror.com/bridges-software-engineering-and-god/">they got to play God</a> with the little universe boxes on their desks. Randy Pausch took that conceit and turned it into a really useful way of setting boundaries and asking yourself hard questions about what you're doing and why.</p>
  17. <p>So when we set out to build a login dialog for <a href="http://www.discourse.org">Discourse</a>, I went back to what I learned in my Algorithms class and asked myself:</p>
  18. <blockquote>
  19. <p>How would God build this login dialog?</p>
  20. </blockquote>
  21. <p>And the answer is, of course, <strong>God wouldn't bother to build a login dialog at all.</strong> Every user would already be logged into GodApp the second they loaded the page because God knows who they are. Authoritatively, even.</p>
  22. <p>This is obviously impossible for us, because God isn't one of our investors.</p>
  23. <p>But.. how <em>close can we get</em> to the perfect godlike login experience in Discourse? That's a noble and worthy goal.</p>
  24. <p><img src="http://blog.codinghorror.com/content/images/2015/01/discourse-login-dialog.png" alt=""/></p>
  25. <p>Wasn't it Bill Gates who <a href="https://www.commandprompt.com/community/pyqt/x3581">once asked</a> why the hell every programmer was writing the same File Open dialogs over and over? It sure feels that way for login dialogs. I've been saying for a long time that <a href="http://blog.codinghorror.com/cutting-the-gordian-knot-of-web-identity/">the best login is no login at all</a> and I'm a staunch supporter of <a href="http://blog.codinghorror.com/your-internet-drivers-license/">logging in with your Internet Driver's license</a> whenever possible. So we absolutely support that, if you've configured it.</p>
  26. <p><img src="http://blog.codinghorror.com/content/images/2015/01/common-oauth-logins.png" alt=""/></p>
  27. <p>But today I want to focus on the <strong>core, basic login experience: user and password.</strong> That's the default until you configure up the other methods of login.</p>
  28. <p>A login form with two fields, two buttons, and a link on it seems simple, right? Bog standard. It is, until you consider all the ways the simple act of logging in with those two fields can go wrong for the user. Let's think.</p>
  29. <h4 id="lettheuserenteranemailtologin">Let the user enter an email to log in</h4>
  30. <p>The critical fault of OpenID, as much as <a href="http://blog.codinghorror.com/openid-does-the-world-really-need-yet-another-username-and-password/">I liked it</a> as an early login solution, was its assumption that users could accept an URL as their "identity". This is flat out crazy, and in the long run this central flawed assumption in OpenID broke it as a future standard. </p>
  31. <p><strong>User identity is always email, plain and simple</strong>. What happens when you forget your password? You get an email, right? Thus, email is your identity. Some people even propose <a href="http://notes.xoxco.com/post/27999787765/is-it-time-for-password-less-login">using email as the only login method</a>.</p>
  32. <p><img src="http://blog.codinghorror.com/content/images/2015/01/discourse-log-in-email.png" alt=""/></p>
  33. <p>It's fine to have a username, of course, but <em>always</em> let users log in with either their username or their email address. Because I can tell you with 100% certainty that when those users forget their password, and they will, all the time, they'll need that email anyway to get a password reset. Email and password are strongly related concepts and they belong together. Always!</p>
  34. <p>(And a fie upon services that don't allow me to use my email as a username or login. I'm looking at you, Comixology.)</p>
  35. <h4 id="telltheuserwhentheiremaildoesntexist">Tell the user when their email doesn't exist</h4>
  36. <p>OK, so we know that email is de-facto identity for most people, and this is a logical and necessary state of affairs. But <em>which</em> of my 10 email addresses did I use to log into your site? </p>
  37. <p>This was the source of a <a href="https://meta.discourse.org/t/different-password-reset-for-wrong-username-email/15909">long discussion at Discourse</a> about whether it made sense to reveal to the user, when they enter an email address in the "forgot password" form, whether we have that email address on file. On many websites, here's the sort of message you'll see after entering an email address in the forgot password form:</p>
  38. <blockquote>
  39. <p>If an account matches <a class="__cf_email__" href="http://blog.codinghorror.com/cdn-cgi/l/email-protection" data-cfemail="f89699959db89d80999588949dd69b9795">[email protected]</a>, you should receive an email with instructions on how to reset your password shortly.</p>
  40. </blockquote>
  41. <p>Note the coy "if" there, which is a <a href="http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html">hedge against all the security implications of revealing whether a given email address exists on the site</a> just by typing it into the forgot password form. </p>
  42. <p>We're deadly serious about picking safe defaults for Discourse, so out of the box you won't get exploited or abused or overrun with spammers. But after experiencing the real world "which email did we use here again?" login state on dozens of Discourse instances ourselves, we realized that, in this specific case, being user friendly is <em>way</em> more important than being secure.</p>
  43. <p><img src="http://blog.codinghorror.com/content/images/2015/01/forgot-password.png" alt=""/></p>
  44. <p>The new default is to let people know when they've entered an email we don't recognize in the forgot password form. This will save their sanity, and yours. You can turn on the extra security of being coy about this, if you need it, via a site setting.</p>
  45. <h4 id="lettheuserswitchbetweenloginandsignupanytime">Let the user switch between Log In and Sign Up any time</h4>
  46. <p>Many websites have started to show login and signup buttons side by side. This perplexed me; aren't the acts of logging in and signing up very different things? </p>
  47. <p>Well, from the user's perspective, they don't appear to be. This Verge login dialog illustrates just how close the sign up and log in forms really are. Check out this animated GIF of it in action.</p>
  48. <p><img src="http://blog.codinghorror.com/content/images/2015/01/login-vs-sign-up.gif" alt=""/></p>
  49. <p>We've acknowledged that similarity by having either form accessible at any time from the two buttons at the bottom of the form, as a toggle:</p>
  50. <p><img src="http://blog.codinghorror.com/content/images/2015/01/login-vs-create-new-account.png" alt=""/></p>
  51. <p>And both can be kicked off directly from any page via the Sign Up and Log In buttons at the top right:</p>
  52. <p><img src="http://blog.codinghorror.com/content/images/2015/01/sign-up-vs-log-in-discourse.png" alt=""/></p>
  53. <h4 id="pickcommonwords">Pick common words</h4>
  54. <p>That's the problem with language, we have so many <em>words</em> for these concepts:</p>
  55. <ul>
  56. <li>Sign In</li>
  57. <li>Log In</li>
  58. <li>Sign Up</li>
  59. <li>Register</li>
  60. <li>Join &lt;site&gt;</li>
  61. <li>Create Account</li>
  62. <li>Get Started</li>
  63. <li>Subscribe</li>
  64. </ul>
  65. <p>Which are the "right" ones? <a href="http://ux.stackexchange.com/questions/1080/using-sign-in-vs-using-log-in">User research data isn't conclusive</a>.</p>
  66. <p>I tend to favor the shorter versions when possible, mostly because I'm a fan of the whole brevity thing, but there are valid <a href="http://uxmovement.com/buttons/why-sign-up-and-sign-in-button-labels-confuse-users/">cases to be made</a> for each depending on the circumstances and user preferences.</p>
  67. <p><img src="http://blog.codinghorror.com/content/images/2015/01/bad-okay-good-login-buttons.png" alt=""/></p>
  68. <p>Sign In may be slightly more common, though Log In has some <a href="http://www.designcult.org/2011/08/why-do-we-call-in-logging-in.html">nautical and historical computing basis</a> that makes it worthy:</p>
  69. <blockquote>
  70. <p>A couple of years ago I did a survey of top websites in the US and UK and whether they used “sign in”, “log in”, “login”, “log on”, or some other variant. The answer at the time seemed to be that if you combined “log in” and “login”, it exceeded “sign in”, but not by much. I’ve also noticed that the trend toward “sign in” is increasing, especially with the most popular services. Facebook seems to be a “log in” hold-out. </p>
  71. <p><img src="http://blog.codinghorror.com/content/images/2015/01/log-in-vs-sign-in-graph.png" alt="" title=""/></p>
  72. </blockquote>
  73. <h4 id="workwithbrowserpasswordmanagers">Work with browser password managers</h4>
  74. <p>Every login dialog you create should be tested to work with the default password managers in …</p>
  75. <p>At an absolute minimum. Upon subsequent logins in that browser, you should see the username and password automatically autofilled.</p>
  76. <p><img src="http://blog.codinghorror.com/content/images/2015/01/log-in-autofill.png" alt=""/></p>
  77. <p>Users rely on these default password managers built into the browsers they use, and any proper modern login form should respect that, and be designed sensibly, e.g. the password field should have <code>type="password"</code> in the HTML and a name that's readily identifable as a password entry field.</p>
  78. <p>There's also <a href="https://lastpass.com/">LastPass</a> and so forth, but I generally assume if the login dialog works with the built in browser password managers, it will work with third party utilities, too.</p>
  79. <h4 id="handlecommonusermistakes">Handle common user mistakes</h4>
  80. <p>Oops, the user is typing their password with caps lock on? You should let them know about that.</p>
  81. <p><img src="http://blog.codinghorror.com/content/images/2015/01/password-entry-caps-lock-is-on.png" alt=""/></p>
  82. <p>Oops, the user entered their email as <a class="__cf_email__" href="http://blog.codinghorror.com/cdn-cgi/l/email-protection" data-cfemail="e38d828e86a3848e828fcd808c8e">[email protected]</a> instead of <a class="__cf_email__" href="http://blog.codinghorror.com/cdn-cgi/l/email-protection" data-cfemail="e48a858981a48389858d88ca878b89">[email protected]</a>? Or <a class="__cf_email__" href="http://blog.codinghorror.com/cdn-cgi/l/email-protection" data-cfemail="305e515d5570585f445d51595c1e535d">[email protected]</a> instead of <a class="__cf_email__" href="http://blog.codinghorror.com/cdn-cgi/l/email-protection" data-cfemail="620c030f07220a0d160f030b0e4c010d0f">[email protected]</a>? You should either fix typos in common email domains for them, or let them know about that.</p>
  83. <p>(I'm also a big fan of <a href="http://answers.microsoft.com/en-us/ie/wiki/ie11-iewindows8_1/the-use-of-the-password-reveal-eye-button-in/19a9dee2-fb0c-4c26-a6bc-ac02cf98d80e">native browser "reveal password" support</a> for the password field, so the user can verify that she typed in or autofilled the password she expects. Only Internet Explorer and I <em>think</em> Safari offer this, but all browsers should.)</p>
  84. <h4 id="helpuserschoosebetterpasswords">Help users choose better passwords</h4>
  85. <p>There are many schools of thought on <s>forcing</s> helping users choose passwords that aren't unspeakably awful, e.g. <a href="http://blog.codinghorror.com/dictionary-attacks-101/">password123 and iloveyou and so on</a>. </p>
  86. <p>There's the common password strength meter, which updates in real time as you type in the password field.</p>
  87. <p><img src="http://blog.codinghorror.com/content/images/2015/01/dropbox-password-strength-meters.png" alt=""/></p>
  88. <p>It's clever idea, but it gets awful preachy for my tastes on some sites. The implementation also leaves a lot to be desired, as it's left up to the whims of the site owner to decide what password strength means. One site's "good" is another site's "get outta here with that Fisher-Price toy password". It's frustrating.</p>
  89. <p>So, with Discourse, rather than all that, I decided we'd default on a solid absolute minimum password length of 8 characters, and then verify the password to make sure it is not one of the <a href="http://thepasswordproject.com/">10,000 most common known passwords</a> by checking its hash.</p>
  90. <p><img src="http://blog.codinghorror.com/content/images/2015/01/create-new-account-password-too-common.png" alt=""/></p>
  91. <h4 id="dontforgetthekeyboard">Don't forget the keyboard</h4>
  92. <p>I feel like keyboard users are a dying breed at this point, but for those of us that, when presented with a login dialog, like to rapidly type</p>
  93. <p><kbd><a class="__cf_email__" href="http://blog.codinghorror.com/cdn-cgi/l/email-protection" data-cfemail="cca2ada1a98ca9b4ada1bca0a9e2afa3a1">[email protected]</a></kbd>, <kbd>tab</kbd>, <kbd>p4$$w0rd</kbd>, <kbd>enter</kbd></p>
  94. <p>… <em>please</em> verify that this works as it should. Tab order, enter to submit, etcetera.</p>
  95. <h4 id="ratelimitallthethings">Rate limit all the things</h4>
  96. <p>You should be <a href="http://blog.codinghorror.com/rate-limiting-and-velocity-checking/">rate limiting everything users can do, everywhere</a>, and that's especially true of the login dialog.</p>
  97. <p>If someone forgets their password and makes 3 attempts to log in, or issues 3 forgot password requests, that's probably OK. But if someone makes a thousand attempts to log in, or issues a thousand forgot password requests, that's a little weird. Why, I might even venture to guess they're possibly … <em>not human</em>.</p>
  98. <p><img src="http://blog.codinghorror.com/content/images/2015/01/too-many-failed-log-in-attempts.png" alt=""/></p>
  99. <p>You can do fancy stuff like temporarily disable accounts or start showing a CAPTCHA if there are too many failed login attempts, but this can easily become a griefing vector, so be careful.</p>
  100. <p>I think a nice middle ground is to insert standard pauses of moderately increasing size after repeated sequential failures or repeated sequential forgot password requests from the same IP address. So that's what we do.</p>
  101. <h4 id="stuffiforgot">Stuff I forgot</h4>
  102. <p>I tried to remember everything we went through when we were building our ideal login dialog for Discourse, but I'm sure I forgot something, or could have been more thorough. Remember, <a href="https://github.com/discourse/discourse">Discourse is 100% open source</a> and by definition a work in progress – so as my friend <a href="http://tirania.org/blog/">Miguel de Icaza</a> likes to say, when it breaks, you get to keep both halves. Feel free to test out our implementation and give us your feedback in the comments, or point to other examples of great login experiences, or cite other helpful advice.</p>
  103. <p>Logging in involves a simple form with two fields, a link, and two buttons. And yet, after reading all this, I'm sure you'll agree that it's deceptively complex. Your best course of action is not to build a login dialog at all, but instead rely on authentication from an outside source whenever you can.</p>
  104. <p>Like, say, God.</p>