Why not attempt login when email already taken?


Stefan Wrobel

Apr 10, 2013, 6:33:19 PM
to plataforma...@googlegroups.com
From a user perspective, it's pretty frustrating if you end up on a registration form rather than a login form and input your known good email/password combination and get "email already taken" back, which then requires you to realize that you have to navigate to the login page and input your information again. Why not just attempt to create a session with the password provided if the email is already found to exist and only display an error if the password is incorrect?

I realize the answer is probably "every other authentication system does it this way" but I don't see any security risk here and it just makes sense(TM)

Daniel Waite

Apr 10, 2013, 7:28:11 PM
to plataforma...@googlegroups.com
So do it.

Then see how it fares "in the market of ideas".


Stefan Wrobel

Apr 10, 2013, 7:47:12 PM
to plataforma...@googlegroups.com
I've always rolled my own auth that way. Now I'm working on a project that uses devise and I figured I'd elicit some intelligent commentary on the subject. If you don't have anything to add besides "build it yourself" please don't reply.

Daniel Waite

Apr 10, 2013, 8:28:25 PM
to plataforma...@googlegroups.com
Oh, I'm sorry, did I offend you?

My impression, after reading your initial message, was that you had already convinced yourself that your suggestion was a "better way" to do things. Correct me if I'm wrong, but I didn't see any questions specific to how-or-where one might begin implementing such a feature within Devise.

The only question I do see is "Why not just..." which is about as inane as my response was.

> I figured I'd elicit some intelligent commentary on the subject

Try starting with an intelligent question.

There, that's helpful, right?

Stefan Wrobel

Apr 10, 2013, 8:31:01 PM
to plataforma...@googlegroups.com
Here's my question in bold for anyone else who's interested in contributing: Why not just attempt to create a session with the password provided if the email is already found to exist and only display an error if the password is incorrect?

I'm interested in seeing if anyone has some legitimate security concern about this strategy or if it makes as much sense as I think it does.

Danial Pearce

Apr 10, 2013, 8:40:56 PM
to plataforma...@googlegroups.com
If implementing this, I would ajax it so that the user doesn't end up
filling in 1000 fields of registration form only to find they are
indeed already registered and gave the correct password.

I.e. after username/password is filled out on reg form, submit an ajax
request to test the authentication, and provide immediate feedback to
the user if authentication was successful. This should be relatively
simple to implement, but is IMO heavily specific to your needs. I
can't say I've ever had a user complain and say they weren't sure if
they were registered so went through the process twice.

As for security issues, yes if someone knew you were doing ajaxy style
authentication tests on the registration page, they could easily
dictionary that or whatever. Use of the "lockable" module in this case
would have to be pretty careful.

Soren Christensen

Apr 10, 2013, 9:23:37 PM
to plataforma...@googlegroups.com

Giving anyone a way to validate if an email is usable for login or not might be a good idea from a UI perspective.

But by doing so you cut your security system in half - so your two-factor authentication is now a one-factor authentication.

Once you have an email address that the system tells you it accepts all you need to do is guess the password and the account has been compromised.

my two cents - do not do it.

/S

Stefan Wrobel

Apr 11, 2013, 1:35:23 AM
to plataformatec-devise
Soren,
The functionality you describe already exists. Devise will tell you when attempting to register if an email is already taken.

Soren Christensen

Apr 11, 2013, 1:43:19 AM
to plataforma...@googlegroups.com

We override that message to tell you that either the email or the password was incorrect. Never which component.

It never becomes right just because other people do it.
 
/S

Stefan Wrobel

Apr 11, 2013, 1:53:44 AM
to plataforma...@googlegroups.com
Well this would be easy to implement in such a way that you would only get an indication of it being a valid account if both factors were correct (email & password), in which case you would be logged in. Otherwise you could get the error message you describe. I don't see them as being mutually exclusive.
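
As an added example (not code from this thread and not Devise's own API), the strategy Stefan describes, combined with Soren's single generic error message and Danial's caveat about the lockable module, sketched in plain Ruby: the registration submit handler treats a taken email as an ordinary login attempt, shares one failure counter with the login path so the registration form is never a cheaper place to guess passwords, and never says whether the email or the password was the wrong part. UserStore, LoginThrottle and RegistrationFlow are hypothetical stand-ins for the Devise user model and the Lockable module; PBKDF2 from the standard library stands in for bcrypt so the file runs without any gems.

```ruby
require "openssl"
require "securerandom"

# Constant-time byte comparison (stdlib only; bcrypt's == does this for you).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# In-memory stand-in for the Devise user model (hypothetical class, not Devise's API).
class UserStore
  ITERATIONS = 10_000 # constructed value; Devise uses bcrypt with a cost factor instead

  def initialize
    @users = {} # email => { salt:, digest: }
  end

  def exists?(email)
    @users.key?(email)
  end

  def create(email, password)
    raise ArgumentError, "email already taken" if exists?(email)
    salt = SecureRandom.random_bytes(16)
    @users[email] = { salt: salt, digest: kdf(password, salt) }
    true
  end

  # Same role as Devise's valid_password? on a record: hash the candidate, compare.
  def valid_password?(email, password)
    rec = @users[email]
    return false unless rec
    secure_equal?(kdf(password, rec[:salt]), rec[:digest])
  end

  private

  def kdf(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
  end
end

# Failure counter shared by the login and registration paths, so guessing through the
# registration form counts against the same lock as guessing through the login form.
class LoginThrottle
  def initialize(max_failures)
    @max = max_failures
    @failures = Hash.new(0)
  end

  def locked?(email)
    @failures[email] >= @max
  end

  def record_failure(email)
    @failures[email] += 1
  end

  def reset(email)
    @failures.delete(email)
  end
end

Result = Struct.new(:status, :message)
GENERIC_FAILURE = "Invalid email or password." # never says which part was wrong

# Registration submit handler implementing the "attempt login if taken" strategy.
class RegistrationFlow
  def initialize(store, throttle)
    @store = store
    @throttle = throttle
  end

  def submit(email, password)
    unless @store.exists?(email)
      @store.create(email, password)
      return Result.new(:created, "Account created.")
    end

    # Email is taken: from here on this is exactly a login attempt.
    # A locked account gets the same generic message, and no password check is run.
    return Result.new(:failed, GENERIC_FAILURE) if @throttle.locked?(email)

    if @store.valid_password?(email, password)
      @throttle.reset(email)
      Result.new(:signed_in, "Signed in.")
    else
      @throttle.record_failure(email)
      Result.new(:failed, GENERIC_FAILURE)
    end
  end
end

if $PROGRAM_NAME == __FILE__
  flow = RegistrationFlow.new(UserStore.new, LoginThrottle.new(3))
  puts flow.submit("alice@example.com", "correct horse").status # first visit registers
  puts flow.submit("alice@example.com", "correct horse").status # second visit signs in
  puts flow.submit("alice@example.com", "wrong").message        # generic failure
end
```

Two things the sketch makes visible that the prose does not. First, the locked check and the failure counter sit in front of the password check, so a registration endpoint that signs people in inherits the lockout of the login endpoint rather than bypassing it. Second, the residual leak Soren points at is still there: an unknown email gets an account created while a known one gets the generic failure, so the registration form still distinguishes the two, exactly as Stefan notes Devise's default "already taken" validation already does.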