Luke Wroblewski recently wrote about the new sign-in screen for Bagcheck. In this latest rev, a user needs only to type in their name, and an Ajax search reply returns a listing of users matching what they have typed.
In addition, once you’ve selected your name, you can see whether you can log in via Facebook, Twitter, or default Bagcheck credentials.
Although I recognize the usability of this method, I also pause in trepidation. Users concerned with privacy may grow wary. All I have to do is type in a name, and I have a listing of potential users I can hack. I just have to click on names and try some commonly used passwords, and I may easily log into another user’s account. Who knows what ill acts malicious users may have planned.
I like the added piece of security of needing to type in my username. This way people can’t browse my name wondering if I have an account there, and discover that I’m using Twitter as my login key. Please don’t make it simpler for hackers to “stumble upon” my username, thus making it easy to try a password to break into my account.
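To make the contrast concrete, here is an added example in Python (not Bagcheck’s code): a name search that enumerates accounts and their linked login providers, beside a sign-in that asks for the full identifier and answers the same way whether the name exists or the password is wrong. The accounts, names, providers and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample accounts (made-up names, providers and passwords);
# one shared salt is used here only for brevity.
_SALT = os.urandom(16)
ACCOUNTS = {
    "alice.smith": {"display": "Alice Smith", "providers": ["twitter"],
                    "pw": _hash_pw("correct horse", _SALT)},
    "alan.jones":  {"display": "Alan Jones", "providers": ["facebook", "password"],
                    "pw": _hash_pw("s3cret", _SALT)},
    "bob.lee":     {"display": "Bob Lee", "providers": ["password"],
                    "pw": _hash_pw("hunter2", _SALT)},
}

def leaky_lookup(prefix: str) -> list[dict]:
    """Mimics the search-as-you-type sign-in: a visitor who types a few
    letters learns which real people have accounts and which login
    providers each one accepts, before presenting any credential."""
    prefix = prefix.lower()
    return [{"display": a["display"], "providers": a["providers"]}
            for a in ACCOUNTS.values() if a["display"].lower().startswith(prefix)]

MAX_FAILURES = 5
_failures: dict[str, int] = defaultdict(int)

def hardened_signin(identifier: str, password: str) -> dict:
    """Requires the full identifier the account owner already knows, and
    answers identically for an unknown name and for a wrong password, so an
    outsider can neither confirm that a name has an account nor see its
    providers. Repeated failures on one identifier are throttled."""
    key = identifier.lower()
    if _failures[key] >= MAX_FAILURES:
        return {"ok": False, "message": "Too many attempts; try again later."}
    account = ACCOUNTS.get(key)
    # Hash even for unknown names so response timing does not reveal existence.
    candidate = _hash_pw(password, _SALT)
    expected = account["pw"] if account else bytes(len(candidate))
    if account is None or not hmac.compare_digest(candidate, expected):
        _failures[key] += 1
        return {"ok": False, "message": "Invalid username or password."}
    _failures[key] = 0
    return {"ok": True, "message": f"Welcome, {account['display']}."}
```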
I’d like to acknowledge that Bagcheck is not a web application storing critical personal information, and that Bagcheck login credentials are not as “important”, per se, as those for Amazon, eBay, or others of that ilk. Luke Wroblewski made reference to this fact in his comments on the aforelinked post, and Sam noted in the comments that most online applications share your publicly displayed username with your login name.
I do have reason to pause at seeing my real, full name in print, without my authorization, for other users to peruse. I feel a sense of security signing in with an email address or a username, along with my secure password.
I will echo a question that I posed on Twitter: Am I too paranoid for worrying about this?