I see this more and more lately: go to log in to some site, and they only show the username field. Enter username, click Submit, then a password field appears. Enter password, click Submit again, and then we’re logged in.

This makes using a password manager super annoying, because I have to trigger the autofill twice.

Is there some security-related reason more sites are doing this? Is it an anti-bot thing? I’m just really curious, because it seems so pointless on its face, but it seems to be spreading.

    • Riskable
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      There’s a million ways to authenticate a user. Passwords are just the simplest to code (poorly, haha) and deal with. You don’t even have to store the password (just a hash of it) which means you don’t need to encrypt your database to keep them secure which also means you don’t have to deal with decryption keys, key rotation, etc.

      With passwords you also don’t need to deal with 3rd party hardware or systems. You can handle it all right there in your code using methods that are so common and popular you can copy and paste them right out of StackOverflow (haha).

      Now as to, “how would you protect personal data?” That has nothing at all to do with passwords! Protecting personal data is an orthogonal concept to authentication.

      Protecting data–any data–is a very holistic thing: You have to do a threat assessment and figure out where your boundaries are and take measures to protect literally everything in order to prevent attackers from being able to get to it. Example: Attackers could get access to “personal data” by waltzing out of a data center with the correct server/hard drives in their arms. Passwords be damned!

    • dan@upvote.au
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Biometric (fingerprint, etc) or private keys via physical devices like Yubikeys.