this post was submitted on 29 Jul 2025
871 points (99.9% liked)

Transcript: A tumblr post saying "i really like this thing where websites will have separate "log in" & "sign up" buttons and if you click "log in" it takes you to a sign-up screen anyway so you have to click "i already have an account" and then it will ask if you want to sign in with your facebook account or with instagram or linkedin or deviantart or whatever, and if you choose "username & password" it asks if you want to put in your username or use your thumbprint, and once you put your username & password it emails you a confirmation code, and once you put in the code it says "do you want to give us your phone number for future sign-ins? do you want to sign up for facial recognition? do you want to give us your bones? give us your fucking bones?"

[–] LiveLM@lemmy.zip 72 points 3 days ago* (last edited 3 days ago) (2 children)

And whoever came up with the idea of putting email on one page and password on another: You suck.
I can never get my password manager to handle that proper. WTF is even the point?

[–] azertyfun@sh.itjust.works 8 points 2 days ago

Usually it's because some chucklefuck put SSO in the requirements so now everyone has to suffer so that SSO users get their redirect before being shown a password field.

Sometimes though it's an absolutely braindead web designer who definitely doesn't have SSO as a requirement but has no idea what he's doing and is just doing the mr-bean-cheating-on-a-test.gif and copying their Microsoft login form.

[–] mic_check_one_two@lemmy.dbzer0.com 25 points 3 days ago* (last edited 3 days ago) (6 children)

I came to the comments to post this exact complaint. I’m sure it’s considered more secure somehow, (maybe to prevent autofill attacks?) but at least code your fields properly so my password manager can auto detect the username field.

Also, phone number/ZIP code fields that pull up the full keyboard on mobile, instead of just the number pad. There’s no reason to show the entire keyboard, and phones have the ability to detect what kind of input the field wants… But website devs don’t bother coding their fields properly for numbers only, so the phone pulls up the full keyboard by default.

Lastly, 2FA fields that break paste. Like when it’s asking for a 6-digit TOTP code, and the field is actually broken up into two 3-digit fields instead.

[–] phuntis@sopuli.xyz 12 points 3 days ago

in the uk post codes have letters

[–] Dunstabzugshaubitze@feddit.org 15 points 3 days ago

countries with alphanumerical postal codes exist, so unless you are 100% sure, that your service won't be used by someone from such a country, you'd better allow alphanumerical inputs in your postal code field. Addresses in general are tricky, because they work different across the globe, for example house numbers are not a thing everywhere, hell i am not sure if streetnames are a thing everywhere.

[–] SimpleMachine@sh.itjust.works 11 points 3 days ago

Feels like a security issue to me. You could put in literally anyone's email address on a site that does this and immediately know if they have an account there or not. Even if you don't know their password, you know something new about that person.

I feel you on all these other ones too. There's a lot of UI/UX designers out there that need to be barred from that field forever.

[–] cactusupyourbutt@lemmy.world 6 points 3 days ago (2 children)

it's because of SSO. if your company signs up for something that implements SSO then the tool will need your mail, recognizes that you're from company X, and forward you to your company's login page so it can get an auth token

[–] saigot@lemmy.ca 4 points 3 days ago

Github doesn't use two screen login but also still works with sso.

[–] osugi_sakae@midwest.social 5 points 3 days ago (1 children)

Yes, this, but I don't think just for organization's login pages. The email may also lead to a google sign in (for example) or some other single sign on (SSO). The site you are on needs to know the email to decide what to show next to continue the log in process.

That said, web devs should be coding the fields correctly.

[–] JackbyDev@programming.dev 6 points 3 days ago (2 children)

Auto fill attacks is a weird way of saying password managers. You know. Those things that make it easier to use good password practices and be more secure.

[–] salacious_coaster 77 points 4 days ago (2 children)

In all seriousness, I'm hating this latest trend where you click the "login" button (page refresh 1) and they ask if you want to use a one time code or password, and I use a password manager like a functioning adult, so I click "password" (page refresh 2, could have already been logged in by now) and THEN I get to input my password (page refresh 3) and then they're like "y'know what, we're gonna send you a one-time code anyway" (page refresh 4) so I have to retrieve that and finally get to login on page FIVE.

We used to be a proper Internet.

[–] princessnorah@lemmy.blahaj.zone 48 points 4 days ago (2 children)

Then the chucklefucks manage to have the worst backend security imaginable and all your data gets breached in a leak anyway but they make their security look really impressive to customers so for six glorious months they created Shareholder Value and the c-suite already took their golden parachutes.

[–] Randelung@lemmy.world 12 points 3 days ago (1 children)

Most grievous mistake designers make is assume the attacker will take the front door and pick the lock instead of breaking a window, walking through the hole in the fence and taking the side door or just walk through the other side, where literally the whole wall is missing.

But at least you have a padlock, a deadbolt, a high security door lock, a chain link, a nest AND a ring camera,

[–] megopie@lemmy.blahaj.zone 15 points 3 days ago (1 children)

Fuck ring cameras, they’ve given blank access to their cameras and footage to police departments in the US, users have no option to block this.

[–] princessnorah@lemmy.blahaj.zone 4 points 3 days ago (1 children)

I mean yeah, I don't think that commenter was pro-ring cameras...

[–] megopie@lemmy.blahaj.zone 10 points 3 days ago* (last edited 3 days ago) (2 children)

No, but I feel the need to make people aware that ring cameras are surveillance devices for cops at every opportunity.

[–] HasturInYellow@lemmy.world 2 points 3 days ago

I'm most impressed by how little Mangione was on cameras in New York. Yeah they got a bunch of pics, but like there are ring cameras EVERYWHERE. Escaping crimes is hard if the police actually care.

[–] Kanda@reddthat.com 2 points 2 days ago

Here, take this random string my password manager made

[–] colin@lemmy.uninsane.org 3 points 3 days ago

don't forget the "install our app to make the next login faster" interstitial after you press "login". can you really claim they don't care about how painful their login process is when they've gone out of their way like that to provide you with a less painful option??

[–] jaupsinluggies@feddit.uk 18 points 3 days ago

I was confused recently at a border post marked "Passport control". I had it ready, but the guard asked for my driving licence. While I was fishing for that he breathalysed me, which came back clean so he said I could go - without having seen either my passport or driving licence.

[–] Rose_Thorne@lemmy.zip 55 points 4 days ago (2 children)

Don't trust any website that asks for your bones.

It's secretly run by the rambling gambling skeletons. No one wants to play euchre anymore, so they had to take a different angle.

[–] ebolapie@lemmy.world 12 points 4 days ago (3 children)

I'm not afraid of some punk ass rambling gambling skeletons. I just beat an evil fucking wizard to death with a tire iron and stole his shit. I'll cast fireball on those overactive boney bois.

  • it's a beautiful day outside.
[–] skulblaka@sh.itjust.works 7 points 4 days ago

malicious rattling begins in the distance

[–] coffee_tacos@mander.xyz 4 points 3 days ago (1 children)

Watch out! There is a skeleton inside of you too

[–] ebolapie@lemmy.world 6 points 3 days ago

that one's on my side. I pay it in calcium.

[–] Million@lemmy.zip 3 points 3 days ago

I once signed up and gave the website bone permissions.

When I realized my mistake I deleted my account immediately, but they got my shin bone.

[–] untorquer@lemmy.world 16 points 3 days ago* (last edited 3 days ago)

Shout out to

<>

Uname:

Pword:

Or sign in with [Gargle] [Equis] [Fightbook]

Don't have an account? [Sign up here!]

[–] spankmonkey@lemmy.world 37 points 4 days ago (1 children)

"i really like this thing where websites will have separate “log in” & “sign up” buttons and if you click “log in” it takes you to a sign-up screen anyway so you have to click “i already have an account

I used to wonder if I clicked the wrong thing but this is so fucking common that I just assume the website is designed by idiots who can't use a single button for the same thing.

[–] SpaceNoodle@lemmy.world 17 points 4 days ago (2 children)

The PM insists that there be separate buttons labeled thusly and that they do the exact same thing

[–] atomicbocks@sh.itjust.works 4 points 4 days ago

In my experience it’s been because the login app was done by a different team than this web app and this PM promised that they could save time by reusing the old code.

[–] ExLisper@lemmy.curiana.net 10 points 3 days ago

Found my spirit animal.

[–] abbiistabbii@lemmy.blahaj.zone 19 points 4 days ago (1 children)

Do you want my facial recognition?

*Sobs in UK*

[–] irelephant@lemmy.dbzer0.com 7 points 4 days ago

You can literally just google "driver's license uk" and put it in and it works, according to a random reddit comment.

[–] infinitesunrise@slrpnk.net 19 points 4 days ago

Also shout out to front end js libraries that hijack and discard familiar default page rendering behavior in favor of asserting their own arbitrary, untrustworthy, and inferior render behaviors that break completely outside of chrome browser or with any extensions running, gotta be my least favorite gender.

Like how so many sites just fuckin come to a dead stop and reload completely if you click literally anything because the developer didn't follow React design philosophy perfectly. Thanks a million, Facebook, so cool so cool.

[–] lvxferre@mander.xyz 19 points 4 days ago (1 children)

do you want to give us your phone number for future sign-ins?

Urgh, that's probably the worst part.

I don't mind mail-based 2FA. However, since I see "random sites have your phone number" as a bigger threat than "skript kiddo might hack your password", if the 2FA must use my phone number, I'll genuinely think if I really need an account in that site, and probably give up.

[–] kautau@lemmy.world 15 points 4 days ago

All sites should support TOTP, fuck email/sms OTPs, and especially fuck sites that think being "passwordless" but sending a code to my email is secure.

[–] friendly_ghost@beehaw.org 9 points 3 days ago (1 children)

I believe it's called enshittification

[–] Mniot@programming.dev 6 points 3 days ago

It's shitty, but it's not "enshittification".

Doctorow's explanation goes

Here is how platforms die: first, they are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die. I call this enshittification

What the OP describes is just obnoxious design. To be enshittification it should be a change from better UX to worse and the change should be an attempt by the site to grab some extra cash.

Twitter requiring an account to see replies to a tweet is an example--they're trying to juice their user-count.

[–] cogitase@lemmy.dbzer0.com 18 points 4 days ago (2 children)

You’re not actually giving the website access to your fingerprint or other biometric information by doing that. That’s all handled on your device which then sends a verification message.

[–] ricecake@sh.itjust.works 10 points 4 days ago (1 children)

Yup.
Using fingerprint/face recognition to access your device is questionable depending on your concern level, since the thing being accessed is right next to the thing that gives you access.
Having that same device know how to recognize those same features so it can use them to access a local system that is used to unlock something far away very securely is unquestionably good. An attacker is very unlikely to have both your phone and your thumb while trying to access your bank account.

[–] Tower@lemmy.zip 5 points 3 days ago (1 children)

And if they do have access to both, you've probably got bigger problems at the moment

Ah, yes. The crowbar attack vector. https://xkcd.com/538/

[–] P4ulin_Kbana@lemmy.eco.br 2 points 2 days ago

What kind of website are those people using? 🥀

[–] osugi_sakae@midwest.social 7 points 3 days ago

Not as bad as the log in button taking you to the sign up page, but my local library's site has a "log in" button that, when you click it, brings up "log in" and "sign up" options on a CSS drop down (though I'm sure they use javascript, just because why do it the easy, safe way). You literally have to click "log in" twice to get to the log in page.

Yeah fuck that

Well the bones are their money, so it makes sense.

[–] capuccino@lemmy.world 6 points 4 days ago* (last edited 4 days ago) (1 children)

Every time that I have to log in to facebook because I need to do something for someone I said to them "wait, facebook's gonna ask me for a fecal sample"

[–] colin@lemmy.uninsane.org 2 points 3 days ago

and when they do people will literally bend over for it.
