We seem to have a lot of clients asking us to change the login screen in this manner:

  1. Display a list of all available users (thumbnail picture + name)
  2. User selects a username from the list
  3. A password prompt appears near the username
  4. User enters password then presses enter

This sounds remarkably similar to the Windows XP login, which is probably where they got the idea in the first place. There are only about 4 - 5 different users that can log in at any given station, so implementing that list on one screen is feasible.

So I was wondering if there are any usability experts with some word on this method of login. As far as I can tell, MS dropped this behaviour in Vista/Win7, didn't they?

+2  A: 

The downside of this approach is that it exposes the list of valid usernames to anyone who can access the login page. Also, as you've hinted at, it isn't very scalable to a large number of users. However, if you've got an internal application with only a small number of users then it probably is a usability improvement. Alternatively, you could just implement a "remember me" feature so that a user's name is remembered and they just need to enter a password when they return to the application.

mikej
A: 

From a security perspective, this sounds like a bad idea. Your username is one of the unique pieces of information that identify you. Granted, with such a small group, most people already know each other's username, but still, I would think at least 2 pieces of personal info (username, password) should be required to log in.

Traveling Tech Guy
Every time I send an email I give out my username, every time I post on a form I give out my username, every time I lock my computer my username is displayed on the screen. On a shared Unix box, ls /home lists all the usernames on that machine. A username is public information and should not be considered secret unless it is truly secret: never entered in plain text, never displayed, never stored in plain text, one-way hashed in the DB, not predictable or guessable, not based on the user's name. 99.99% of the time usernames meet none of these standards and therefore should not be considered secret.
David Waters
One username does not, in itself, constitute a secret. But if I, a traveling consultant, arrive at your organization, and can, with a single glance, get the usernames (and, as you've pointed out, the emails) of everyone in your organization, that's a security breach.
Traveling Tech Guy
At my current job, my job before that and my job before that, in fact at all my jobs, my email address is my name followed by my company name and my username is my first initial then my last name, dwaters. By your standard, name plates on desks/office doors, business cards, and introductions are security breaches. Every post on Slashdot is a security breach, and the telephone book is the mother of all breaches. You can find me on LinkedIn, find all the people who are listed as working at the same company as me and see their names: security breach. Usernames are not secret.
David Waters
+2  A: 

Providing usernames should not be a security issue; think of all the email sites (Hotmail, Gmail, Yahoo) where the email address is the username.

As for usability, this is far better than expecting a user to remember their login name, especially for users who are infrequent or have a lot of different user accounts.

Please remember to advise users on how to pick a secure password; the weak/moderate/strong as-you-type color indication while setting the password is a great device for reminding users of the strength of their password.

Windows 7, while not part of a domain, still uses this approach.

While there are few enough users that they can all fit on a screen or a scrollable list, this seems like a good idea. As you get more users you may want the option of a "select from the list or type username here" style login.

David Waters