Sign-up form best practices

Поділитися
Вставка
  • Опубліковано 27 лис 2024

КОМЕНТАРІ • 53

  • @DenisTRUFFAUT
    @DenisTRUFFAUT 4 роки тому +6

    Federated logins and password managers are totally adapted when you want to reduce friction, but are not exactly E2E encryption friendly, nor Intelligence Agencies safe. Great summary by the way. Special Kudos for the "Do not ask users to change password", OWASP mention, unicode regexp.

  • @novaria
    @novaria 4 роки тому +20

    This was great to listen to. Easily digestable and informative.

  • @mpoisot
    @mpoisot 3 роки тому +3

    I'd like to hear your comments on "security questions". It seems like every bank requires them.

  • @Oswee
    @Oswee 4 роки тому +39

    The real elephant in the room is the Identity Providers who does the behavior tracking of my user base.

    • @marcframe7449
      @marcframe7449 3 роки тому +2

      I never really realized that this could be an issue. I haven't been able to find a good source to read more on this. Do you have anything I could read?

    • @Oswee
      @Oswee 3 роки тому

      @@marcframe7449 Just think of basic http request. How much info you can collect? Time, device, ip, location, regularity, etc, etc. On top of that how much users use this auth method. Why does this service exists? And for free. Just out of a good will? I don't think any of those providers will tell you what they do with this data behind the scenes.

    • @marcframe7449
      @marcframe7449 3 роки тому +3

      @@Oswee ya I completely agree, the whole mantra "if you aren't paying, you're the product" is definitely true. I was just wondering if you knew of an indepth explanation of this.
      federated login is unfortunately wayyy too convenient, so I don't see this going away. I think that password managers are like half the way there, but the average user will still prefer a one click solution over the 3-5 clicks it takes for a password manager to create an account.
      Now that I think of it, I probably shouldn't even be using Chrome's built in password manager.
      I'd like to see these companies commit to not tracking the use of the federated identities, perhaps this will be something pushed by Apple with their identity provider.

    • @Oswee
      @Oswee 3 роки тому +2

      @@marcframe7449 ... i have no any metrics... but... it could be interesting just to measure the new subscription rate increase when 3rd party provider is enabled vs when it is not. Stickiness. Churn... etc. I personally don't think that just this one option will increase user base/loyalty vs in-house auth. Or the difference will be insignificant. Thou... i need to make deeper research.
      Also... it all strongly depends on the app type.
      I mostly work in enterprise app space.
      If some day i will enable Google API... i will instantly loose all my customers. :) Can you imagine some bank enabling Google Oauth??? Or warehouse management system, etc. Or government Tax Office? I can't.
      For the low value products like endless ToDo lists, calendars, cat picture galleries, blogs and other time waster apps/pages it's probably OK to enable 3rd party Oauth as the whole business model is based on the advertisements.

    • @Cassp0nk
      @Cassp0nk 3 роки тому

      Apparently Facebook use this to monitor businesses who may be competitors and use it to either copy their products or buy them.

  • @theNittyGritty
    @theNittyGritty 4 роки тому +3

    As always, very nice summary and right on point with the priorities.

  • @sjorsborsoborsobors
    @sjorsborsoborsobors 4 роки тому +1

    Always great and clear lessons with good examples. Thank you Sam!

  • @ourcore
    @ourcore 4 роки тому +1

    Very helpful. I literally watched his previous video on form best practices a few days ago

  • @vasiovasio
    @vasiovasio Рік тому +1

    Unfortunately, autocomplete="email" does not work every time, and Chrome saves Only the password with a blank first field.
    The solution for this case is to use autocomplete="username", id for the input type is username too, and the name of the field is still email - it is not needed to change it to a username.

  • @sujitjoshi1240
    @sujitjoshi1240 4 роки тому +2

    Im not sure about OAuth logins. Many people I know save their passwords either in browser or password managers. So there is really no need to use FB or Google. Also creating accounts is super easy these days, it's a one time thing and I get to save different, strong password across websites.

  • @enebz3746
    @enebz3746 3 роки тому +1

    The dislikes are companies that don't follow theese tips...

  • @VarunGupta3009
    @VarunGupta3009 4 роки тому +5

    Please tell this to my bank. All accounts I've had in multiple banks want me to set a new password every week, and don't support pasting or autofill!!! They even log me out every time I close the app. I need to handle family accounts and it's so frustrating.

    • @Manivelarino
      @Manivelarino 4 роки тому +1

      For a bank this is reasonable. For a blog page it's too much. They are trying to prevent other people on a shared device from accessing your account.

    • @VarunGupta3009
      @VarunGupta3009 4 роки тому

      @@Manivelarino Exactly what TPM is built for, isn't it? Almost all Password Managers are definitely complemented with a second factor verification, either with TPM, FIDO, or a Pin at the least. But what they have accomplished isn't usable security. If they still would like to claim otherwise, why do they use OTPs and simple button confirmation for transactions? Even that is critically a shared-device issue, isn't it?

    • @Manivelarino
      @Manivelarino 4 роки тому +1

      @@VarunGupta3009 Yea enforcing those measures only on untrusted devices and allowing the user to use a password manager definitely seems like the way to go. Making things too hard to use doesn't make them safe.

    • @VarunGupta3009
      @VarunGupta3009 4 роки тому

      @@Manivelarino Exactly. I hope they realise this soon.

  • @Khalyomede
    @Khalyomede 3 роки тому +1

    Thank you so much for this gold mine pack of information!

    • @samueldutton
      @samueldutton 3 роки тому +1

      Thank you - much appreciated!

  • @sujitkumarsingh3200
    @sujitkumarsingh3200 3 роки тому +1

    Great tips. Thank you

  • @DenisTRUFFAUT
    @DenisTRUFFAUT 4 роки тому +1

    'françoise'.match(/[\p{L} ]+/gmu) -> ["françoise"]
    '𒀀𒀃𒀆𒀟𒈫𒇺𒌐𒉺'.match(/[\p{L} ]+/gmu) -> ["𒀀𒀃𒀆𒀟𒈫𒇺𒌐𒉺"]
    It requires the u (unicode) modifier

    • @browsermage
      @browsermage 3 роки тому

      I will copy and paste that in my terminal and see what happens

  • @tonimaunde
    @tonimaunde 3 роки тому

    So good. Thank you, Sam.

  • @Josh-bp1km
    @Josh-bp1km Рік тому

    How do you transmit password in non-plain text ? It “sounds” secure but almost impossible to do using a client/server architecture.
    Storing hashed/salted password on the server is a no brained and fairly straightforward after receiving it in plain text from the client.
    Can anyone explain how this should be done properly ?

  • @AlexandreAlonso
    @AlexandreAlonso 4 роки тому +1

    how the .well-known/changepassword need to do?

  • @petropzqi
    @petropzqi 4 роки тому

    Grid inspect please.

  • @sharukh7860
    @sharukh7860 4 роки тому +1

    2:20 why do they still use var? Am I missing something?

    • @tommysingh7546
      @tommysingh7546 3 роки тому +1

      Could be transpiled code? const/let/var gets transpiled to var after transpiling.

    • @Amelia-st5ci
      @Amelia-st5ci 3 роки тому

      The bigger picture idea behind these naming conventions is that let/const are as benefit to you as a programmer while writing as a means to distinguish scope and intention, to self document through clearer semantics, and though these, you're able to check yourself before making mistakes such as reassigning something never meant to be reassigned. In addition you'll create more readable code that others will appreciate in the future. If you optimize code for machine/computer - you may notice that these are removed and replaced with "var" -- partly for compatibility with older browsers, partly because the machine/computer doesn't care. In this example, "var" is used for educational readability. Many viewers will quickly recognize "var" as variable even if coming from another language background, whereas "let" or "const" may confuse some viewers and require additional explanation.

    • @samueldutton
      @samueldutton 3 роки тому +1

      Gah! I copied and pasted some old code and totally missed this. Thanks for the heads-up. I may have to re-edit :).

  • @trappedcat3615
    @trappedcat3615 4 роки тому +4

    Ha, anyone else read "Sign-up for best practices"? Sign me up!

  • @redaloui
    @redaloui 3 роки тому +2

    Yes indeed, make it so easy to change password, exactly like google account 😶😶😶

  • @alih84411
    @alih84411 4 роки тому +1

    👍👍👍

  • @evacserna2281
    @evacserna2281 3 роки тому

    Okay

  • @abderrahmanben8915
    @abderrahmanben8915 3 роки тому

    new-password doesn't work for me

  • @mountainslopes
    @mountainslopes 3 роки тому

    @twilio watch this please. 🤦🏻‍♂️

  • @TheSnHIMshow
    @TheSnHIMshow 3 роки тому +1

    pwned is pronounced owned🤷🏾‍♂️