Sign-up form best practices

30,236 views

Chrome for Developers

3 years ago

Help your users sign up, sign in, and manage their account details with a minimum of fuss.
Resources:
Sign-up form best practices → goo.gle/39ct4Q9
Speaker: Sam Dutton
Subscribe to Google Chrome Developers here → goo.gle/ChromeDevs
Watch all Chrome Developer Summit sessions here → goo.gle/cds20-sessions
#chromedevsummit #chrome #formbestpractice
event: Chrome Dev Summit 2020; re_ty: Publish; product: Chrome - General; fullname: Sam Dutton;

Comments: 53
@novaria 3 years ago
This was great to listen to. Easily digestible and informative.
@samueldutton 3 years ago
Thank you!
@DenisTRUFFAUT 3 years ago
Federated logins and password managers are totally adapted when you want to reduce friction, but are not exactly E2E encryption friendly, nor Intelligence Agencies safe. Great summary by the way. Special Kudos for the "Do not ask users to change password", OWASP mention, unicode regexp.
@samueldutton 3 years ago
Thank you!
@samueldutton 3 years ago
Thanks Denis!
@mpoisot 3 years ago
I'd like to hear your comments on "security questions". It seems like every bank requires them.
@sjorsborsoborsobors 3 years ago
Always great and clear lessons with good examples. Thank you Sam!
@samueldutton 3 years ago
Thank you Sjors!
@theNittyGritty 3 years ago
As always, very nice summary and right on point with the priorities.
@samueldutton 3 years ago
Thanks Mirko!
@Oswee 3 years ago
The real elephant in the room is the Identity Providers who do the behavior tracking of my user base.
@marcframe7449 3 years ago
I never really realized that this could be an issue. I haven't been able to find a good source to read more on this. Do you have anything I could read?
@Oswee 3 years ago
@marcframe7449 Just think of a basic HTTP request. How much info can you collect? Time, device, IP, location, regularity, etc, etc. On top of that, how many users use this auth method. Why does this service exist? And for free. Just out of good will? I don't think any of those providers will tell you what they do with this data behind the scenes.
@marcframe7449 3 years ago
@Oswee ya I completely agree, the whole mantra "if you aren't paying, you're the product" is definitely true. I was just wondering if you knew of an in-depth explanation of this. Federated login is unfortunately wayyy too convenient, so I don't see this going away. I think that password managers are like half the way there, but the average user will still prefer a one click solution over the 3-5 clicks it takes for a password manager to create an account. Now that I think of it, I probably shouldn't even be using Chrome's built-in password manager. I'd like to see these companies commit to not tracking the use of the federated identities, perhaps this will be something pushed by Apple with their identity provider.
@Oswee 3 years ago
@marcframe7449 ... I don't have any metrics... but... it could be interesting just to measure the new subscription rate increase when a 3rd party provider is enabled vs when it is not. Stickiness. Churn... etc. I personally don't think that just this one option will increase user base/loyalty vs in-house auth. Or the difference will be insignificant. Though... I need to do deeper research. Also... it all strongly depends on the app type. I mostly work in the enterprise app space. If some day I enable the Google API... I will instantly lose all my customers. :) Can you imagine some bank enabling Google OAuth??? Or a warehouse management system, etc. Or a government Tax Office? I can't. For low value products like endless ToDo lists, calendars, cat picture galleries, blogs and other time waster apps/pages it's probably OK to enable 3rd party OAuth as the whole business model is based on advertisements.
@Cassp0nk 3 years ago
Apparently Facebook use this to monitor businesses who may be competitors and use it to either copy their products or buy them.
@ourcore 3 years ago
Very helpful. I literally watched his previous video on form best practices a few days ago
@samueldutton 3 years ago
Thanks - hope they're useful.
@sujitkumarsingh3200 3 years ago
Great tips. Thank you
@tonimaunde 3 years ago
So good. Thank you, Sam.
@Khalyomede 3 years ago
Thank you so much for this gold mine pack of information!
@samueldutton 3 years ago
Thank you - much appreciated!
@vasiovasio 1 year ago
Unfortunately, autocomplete="email" does not work every time, and Chrome saves only the password with a blank first field. The solution for this case is to use autocomplete="username", id for the input type is username too, and the name of the field is still email - it is not needed to change it to a username.
@sujitjoshi1240 3 years ago
I'm not sure about OAuth logins. Many people I know save their passwords either in browser or password managers. So there is really no need to use FB or Google. Also creating accounts is super easy these days, it's a one time thing and I get to save different, strong passwords across websites.
@VarunGupta3009 3 years ago
Please tell this to my bank. All accounts I've had in multiple banks want me to set a new password every week, and don't support pasting or autofill!!! They even log me out every time I close the app. I need to handle family accounts and it's so frustrating.
@Manivelarino 3 years ago
For a bank this is reasonable. For a blog page it's too much. They are trying to prevent other people on a shared device from accessing your account.
@VarunGupta3009 3 years ago
@Manivelarino Exactly what TPM is built for, isn't it? Almost all Password Managers are definitely complemented with a second factor verification, either with TPM, FIDO, or a PIN at the least. But what they have accomplished isn't usable security. If they still would like to claim otherwise, why do they use OTPs and simple button confirmation for transactions? Even that is critically a shared-device issue, isn't it?
@Manivelarino 3 years ago
@VarunGupta3009 Yea enforcing those measures only on untrusted devices and allowing the user to use a password manager definitely seems like the way to go. Making things too hard to use doesn't make them safe.
@VarunGupta3009 3 years ago
@Manivelarino Exactly. I hope they realise this soon.
@AlexandreAlonso 3 years ago
how the .well-known/changepassword need to do?
@enebz3746 3 years ago
The dislikes are companies that don't follow these tips...
@Josh-bp1km 1 year ago
How do you transmit a password in non-plain text? It “sounds” secure but is almost impossible to do using a client/server architecture. Storing a hashed/salted password on the server is a no-brainer and fairly straightforward after receiving it in plain text from the client. Can anyone explain how this should be done properly?
@petropzqi 3 years ago
Grid inspect please.
@alih84411 3 years ago
👍👍👍
@DenisTRUFFAUT 3 years ago
'françoise'.match(/[\p{L} ]+/gmu) -> ["françoise"]
'𒀀𒀃𒀆𒀟𒈫𒇺𒌐𒉺'.match(/[\p{L} ]+/gmu) -> ["𒀀𒀃𒀆𒀟𒈫𒇺𒌐𒉺"]
It requires the u (unicode) modifier
@browsermage 3 years ago
I will copy and paste that in my terminal and see what happens
@sharukh7860 3 years ago
2:20 why do they still use var? Am I missing something?
@tommysingh7546 3 years ago
Could be transpiled code? const/let/var gets transpiled to var after transpiling.
@Amelia-st5ci 3 years ago
The bigger picture idea behind these naming conventions is that let/const are a benefit to you as a programmer while writing as a means to distinguish scope and intention, to self document through clearer semantics, and through these, you're able to check yourself before making mistakes such as reassigning something never meant to be reassigned. In addition you'll create more readable code that others will appreciate in the future. If you optimize code for machine/computer - you may notice that these are removed and replaced with "var" -- partly for compatibility with older browsers, partly because the machine/computer doesn't care. In this example, "var" is used for educational readability. Many viewers will quickly recognize "var" as variable even if coming from another language background, whereas "let" or "const" may confuse some viewers and require additional explanation.
@samueldutton 3 years ago
Gah! I copied and pasted some old code and totally missed this. Thanks for the heads-up. I may have to re-edit :).
@abderrahmanben8915 3 years ago
new-password doesn't work for me
@evacserna2281 2 years ago
Okay
@redaloui 3 years ago
Yes indeed, make it so easy to change password, exactly like google account 😶😶😶
@trappedcat3615 3 years ago
Ha, anyone else read "Sign-up for best practices"? Sign me up!
@samueldutton 3 years ago
👍👍Sign me up too!
@mountainslopes 3 years ago
@twilio watch this please. 🤦🏻‍♂️
@TheSnHIMshow 3 years ago
pwned is pronounced owned🤷🏾‍♂️