Ondřej SurýDec 9
Repeat after me: Separating username and password fields on separate (fucking responsive) page WILL NOT INCREASE A FUCKING SECURITY IN ANY WAY! IT WILL JUST MAKE THE PASSWORD MANAGERS TO WORK WORSE AND THUS IT WILL FUCKING DECREASE THE SECURITY!!!
Show threadCMDR Yojimbosan 🅅⁂Dec 9
@ondrej One reasonable possibility for the pattern is systems that implement SSO login flows for *some* users, and they don't want an SSO-bound user to spend time worrying about inputting a password that may indeed not exist.
They need to evaluate the username to decide whether to prompt for a password at all.
Which password managers are causing you problems?
Show threadmr64bit
@yojimbo @ondrej agreed, I'm sure that's why most of them do it.
But I had a professor during college that was absolutely adamant it was to prevent SQLI
Dec 9 at 6:34pmWeb
Show threadCMDR Yojimbosan 🅅⁂Dec 9
@mr64bit @ondrej I think it's pretty much an established fact that the way to prevent injection attacks is to correctly parse and handle/quote user input to ensure it doesn't get mixed in with the logic/control flow, not to split a form over multiple pages :-)
Perhaps they're also "helping" the AI/LLM people with their injection "problems" :-)