IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [user-interface]

41 questions
51
votes
5 answers

Why do many websites hide input when entering an OTP?

I've noticed that on many sites, when they ask for a one-time password (OTP) (usually sent by SMS), the input is hidden in the same way as a password field is. My understanding is that once an OTP is used, then it is no longer useful for…
Robin Salih
  • 572
  • 4
  • 8
47
votes
4 answers

Is having the username and password fields on different pages more secure?

An online bank I use requires inputting your username, navigating to a second page and then entering the password to login. What actual security advantage does this provide, if any?
ThisIsNoZaku
  • 573
  • 1
  • 4
  • 6
34
votes
4 answers

Is it safe to show users why their password is not allowed?

/////////////////////////////// Updated Post Below //////////////////////////// This question has received a lot of hits, more than I ever thought it would have on such a basic topic. So, I thought I would update people on what I am doing. Also I…
Rixhers Ajazi
  • 489
  • 4
  • 9
32
votes
7 answers

Explain to non tech savvy person how to check that your connection to mybank.com is safe?

I was reading the security advice given by the Swedish Bankers' Association. They included these two pieces of advice (my translation), that I assume is to teach the user to check for SSL/TLS and protect from SSL-strip: Check that it is the…
Anders
  • 64,406
  • 24
  • 178
  • 215
28
votes
5 answers

Why do "Forgotten Password?" links generally reveal usernames or registered email addresses?

It seems that most sites or systems will just state Invalid username or password As a means to not reveal usernames for use in brute force (and other) attacks. Seems like a good idea as a general rule. However, many of them you can follow the…
RemarkLima
  • 445
  • 6
  • 17
23
votes
9 answers

Redirect to login page if authorization required -- security flaw?

Suppose we have a site that has public and private areas. The private areas require login. For example "www.site.com/about" is publicly accessible. But "www.site.com/message_inbox" requires authorization (valid login). So what happens when someone…
CaptainCodeman
  • 291
  • 1
  • 6
17
votes
8 answers

Should the requirement of admin privileges be extended?

Seeing this comic from xkcd.com made me thinking: Is extending the requirement of admin privileges to things such as connecting to the internet, running the web browser, reading browser and other software config files, etc, be something operating…
Alex
  • 819
  • 1
  • 7
  • 11
9
votes
1 answer

How to know the windows security dialog asking for username password is genuine?

I recently faced one issue. It appeared my outlook launched a dialog saying it needed password. It looked like this I noticed the "->" character in the domain name which usually it auto fills. Also the image it is showing is the default windows 7…
Ankush
  • 193
  • 5
9
votes
2 answers

Personal stylesheets

In reference to this question, I was researching whether or not there would be any security risks in letting users add their own stylesheets. He brings up a scenario in which a dev might use positions to replace the search and password field. If…
Meghan
  • 191
  • 4
6
votes
2 answers

What is the best way to show a (long) number for comparison?

How to represent visually a number (like a key or hash) on a screen for visual comparison with another representation of that number on another screen (or another window) in such way that it would be very hard for an adversary (who knows the correct…
curiousguy
  • 5,028
  • 3
  • 25
  • 27
5
votes
4 answers

Image file as password alternative

I seek guidance on interesting issue. Recently I've been searching for password alternatives, not because of the security, but to be more user-friendly. In one of my projects user receives 128 bits base64 encoded salt as security token, which could…
Damaged Organic
  • 159
  • 5
5
votes
1 answer

Can skeuomorphic UI design create security vulnerabilities?

Skeuomorphic design is common in desktop computer and mobile telephone applications. Sometimes interfaces and cues from the real world are used to good effect (swiping to move backwards and forwards in a eBook) and sometimes to terrible effect…
Cybergibbons
  • 1,191
  • 2
  • 8
  • 21
5
votes
4 answers

"Forgot my password page" best practice

On a "forgot my password" page, is appropriate when user doesn't have an account to display the message "this account doesn't exist"? Or in the interest of security, should I display a success message ("you received an email with a reset password…
nramirez
4
votes
2 answers

Obscure username input on login forms?

Not (necessarily) a duplicate of: Should both user ID and Password be masked for online banking? Definitely not a duplicate of: Should usernames be kept secret? I can sense your finger on the "mark as duplicate" button so first of all, let me…
gd1
  • 137
  • 6
4
votes
2 answers

Human or Bot: Behind the Scene Checks vs CAPTCHA

I'm working on a web app at the moment where we’re trying to remove any user friction and excess steps from our user creation page. To avoid computer bots completely spamming our app we need to have a some sort of CAPTCHA but this would take away…
LogiKal
  • 43
  • 4
1
2 3