On the privacy of online login forms inputs


A Twitter poll started by @MrPetovan asks in the context of online web forms whether login and password should be considered private or just the password. The three people who responded chose login and password.

I'm surprised but not shocked by this result. It seems to me that many people are confused about why online login forms have two fields but only one of them hides the input.

On one hand, if all the credentials are meant to be private, why not add a third or a fourth input field with more private stuff? This would be more secure, right? On the other hand, if someone is using a weak password, what is the likelihood their login is easily guessable as well?

I personally believe online login forms have two fields for two different kinds of data: an identifier that shouldn't be considered private, because the password/phrase field is already there for that specific purpose. As a result, I fully support letting users fill the login field with as many different identifiers as they can have, including email addresses and public usernames, because it is massively more convenient without compromising on security since there is a password.

#infosec #security

I have never seen a form with a hidden username field. This hardly makes any sense - even in the case of the username being "private", i.e. not visible to any third party during service operation.

I agree, it doesn't make sense, but only if the login part of the credentials shouldn't be considered as private. I've raised the issue before, unsuccessfully, but I'm still not convinced of the benefits of considering the username private.
I share your stance on this. Keeping login name private offers very little security and privacy benefit. It just isn't worth the inconvenience.

It might even be negative in certain cases - because most software products treat usernames as not private, they get cached, remembered in form suggestions, etc.

Now I remember one bank where they required you to change both password and username every two months.

It was super annoying :)
I think you asked the question wrongly. My email address is known by many, yes. That doesn't mean I want an online forum to give my email address to everyone (e.g. on a user profile page). Similarly I would not want it to reveal my forum user name given my email address. Those two should be considered separate identities and the linkage should be seen as private.

Of course this has nothing to do with what the login form allows.
In a way this means the email address should be considered private from a privacy perspective but it is a public identifier from a security perspective.

Privacy people call such info PII, personally identifiable information.
@Rudolf Polzer Thanks for your feedback, you are right, there is a difference between privacy and security, but I was hoping the framing around credentials specifically would dispel the potential confusion. Still, you may be right; I could have worded the question better.
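The two positions in this thread are compatible in code: the login field can accept either the public username or the email address (as the original post argues), while the server treats the username-to-email linkage as private (as Rudolf Polzer asks) by answering every failed attempt identically and doing the same amount of work whether or not the identifier exists. This is an added example, not code from the original thread; the account store, the fixed salt and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: PBKDF2-HMAC-SHA256 with 100k iterations stands in for the real
# password hashing scheme; a real store uses a random salt per account.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-fixed-salt"  # constructed; per-account in production

# Constructed sample account store: usernames are public identifiers,
# email addresses are accepted as an alternative login identifier.
ACCOUNTS = {
    "alice": {"email": "alice@example.org", "salt": _SALT,
              "hash": _hash("correct horse", _SALT)},
}
_BY_EMAIL = {a["email"]: name for name, a in ACCOUNTS.items()}

# Precomputed dummy hash so a lookup miss costs as much as a lookup hit.
_DUMMY = _hash("dummy", _SALT)

GENERIC_FAILURE = "Invalid identifier or password."

def resolve(identifier: str):
    """Map a username or an email address to an account name, or None."""
    ident = identifier.strip()
    if ident in ACCOUNTS:
        return ident
    return _BY_EMAIL.get(ident.lower())

def login(identifier: str, password: str) -> bool:
    """True only for a correct identifier+password pair.

    The work done and the result shape are the same whether or not the
    identifier resolves, so timing does not reveal which usernames or
    emails exist, nor which email belongs to which username."""
    name = resolve(identifier)
    acct = ACCOUNTS.get(name) if name else None
    salt = acct["salt"] if acct else _SALT
    expected = acct["hash"] if acct else _DUMMY
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return ok and acct is not None

def login_response(identifier: str, password: str) -> str:
    """One message for every failure: unknown email, unknown username and
    wrong password are indistinguishable to the client."""
    return "ok" if login(identifier, password) else GENERIC_FAILURE
```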