Why Do Login Dialogs Have a "User" Field?

In The Humane Interface, the late Jef Raskin asks an intriguing question: why do login dialogs have a "User" field?

Shouldn't login dialogs look more like this?

[Image: login dialog without user field]

And you know what? He's right. Your password alone should be enough information for the computer to know who you are.

As software developers, we constantly worry about edge conditions. So let's put our thinking caps on. Why can't this work?

  • The username adds security. We broadcast our username in every email we send. There's no security in a username. It's public information.
  • No two users could have the same password. Do we really want two users to have the same password? Doesn't that imply that the password is already fatally flawed? Enforcing password uniqueness seems like a net benefit for everyone involved.
  • Users can't choose simple passwords. Users should never be allowed to choose a simple password. Simple passwords aren't secure, even with a username/password combo. If we required users to create pass-phrases instead of single passwords, they'd be plenty unique, easier to remember, and more secure. Using a password alone would encourage the choice of far better passwords than we could ever hope to get with a traditional username/password combination.
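What a password-only form asks of the server, as an added example (not code from the original post or from Raskin's book): with per-account salted hashes and no username to select a record, each submitted pass-phrase is re-hashed against every stored record, and the uniqueness rule from the second bullet is enforced the same way. The class name, account names, pass-phrases and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumption: kept low so the demo runs quickly


class PassphraseOnlyStore:
    """Hypothetical credential store for a login form with no user field."""

    def __init__(self):
        self._records = []  # (account, salt, digest) tuples
        self.kdf_calls = 0  # counts slow hash computations, to show the cost

    def _derive(self, passphrase, salt):
        self.kdf_calls += 1
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)

    def identify(self, passphrase):
        # No username selects a record and every record has its own salt,
        # so the pass-phrase has to be re-hashed against each record in turn.
        found = None
        for account, salt, digest in self._records:
            if hmac.compare_digest(self._derive(passphrase, salt), digest):
                found = account  # no early exit: work is the same wherever the match is
        return found

    def register(self, account, passphrase):
        # Uniqueness rule from the second bullet. A False result tells the
        # person registering that this exact pass-phrase already opens an account.
        if self.identify(passphrase) is not None:
            return False
        salt = os.urandom(16)
        self._records.append((account, salt, self._derive(passphrase, salt)))
        return True


if __name__ == "__main__":
    store = PassphraseOnlyStore()
    # Constructed sample accounts and pass-phrases.
    store.register("alice", "correct horse battery staple")
    store.register("bob", "purple monkey dishwasher lamp")
    print(store.register("carol", "correct horse battery staple"))
    print(store.identify("purple monkey dishwasher lamp"), store.kdf_calls)
```

The `kdf_calls` counter grows by one per stored account on every login attempt, so the cost of a single attempt scales with the size of the user table rather than staying constant as it does when a username selects the record.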

The more I think about this, the more I think username/password is simply a bad convention that nobody has sufficiently questioned. As Jef states:

"When the idea of improving the interface to a website or a computer system by simplifying the sign-on process to require only a password is suggested, it is usually rejected on one of two grounds. Either the programmers say that's just not the way it's done, or they say that they have no control over the sign-on procedure. But someone, of course, does have that control."

It's time to take control by evangelizing pass-phrases and pushing to remove the user field from login forms.
