View Issue Details

ID: 0023691
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2020-08-11 17:21
Reporter: hanno
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 2.8.0
Summary: 0023691: New login UI is needlessly more complex and prevents use of password managers
Description

Since a few versions Mantis has a new login form that has two disadvantages compared to the old one.

  1. The entry fields for the username and password are now separate steps and on different pages. This is needlessly complex and, particularly on a slow internet connection, makes logging in take longer.

  2. The Chrome password manager doesn't recognize the login, thus making it impossible to store the password. The use of password managers is a widely recommended security practice and preventing the use of password managers should be considered bad for security.

I haven't found any announcement or justification of the new login, but it feels to me it has only disadvantages. I'd propose to revert the changes, but if they're intentional I'd ask for an explanation.

Tags: No tags attached.

Relationships

has duplicate 0026296 (closed, atrol): Combine the login screens to create a 'normal' one-page login screen
related to 0024896 (closed, cproensa): Password managers don't work with password login page

Activities

cproensa

2018-03-10 14:28

developer   ~0059155

> I haven't found any announcement or justification of the new login, but it feels to me it has only disadvantages. I'd propose to revert the changes, but if they're intentional I'd ask for an explanation.

User login is detached from the authentication method. If the user needs a password authentication, then the password page is shown, otherwise the login authentication could be performed by another method that does not require a password form.

> The use of password managers is a widely recommended security practice and preventing the use of password managers should be considered bad for security

Preventing it was not an intentional change

> The Chrome password manager doesn't recognize the login

Seems like the browsers have some methods to "guess" which inputs are part of a user/password login. I think that the problem is that they don't match the username form input because its type is hidden.
At least that's what I understand from reading about Firefox password manager.
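
Added example, not part of the thread and not MantisBT code: a small audit of login-page markup for the condition described in the comment above, where the password form carries the username only as a hidden input. The sample HTML, the field names and the matching heuristic are constructed assumptions and a simplification of what browser password managers look for.

```python
from html.parser import HTMLParser

# Constructed samples (not MantisBT's real markup): the password step of a
# two-page login, first with the username carried as a hidden input, then
# with it shown read-only and labelled for password managers.
HIDDEN_USER = """<form method="post" action="login.php">
<input type="hidden" name="username" value="alice">
<input type="password" name="password">
<input type="submit" value="Login"></form>"""
VISIBLE_USER = """<form method="post" action="login.php">
<input type="text" name="username" value="alice" readonly autocomplete="username">
<input type="password" name="password" autocomplete="current-password">
<input type="submit" value="Login"></form>"""

class FormInputs(HTMLParser):
    """Collect the attributes of every <input>, grouped by enclosing <form>."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._open = []
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open.append({k: (v or "").lower() for k, v in attrs})
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit(html):
    """Return findings for each form that contains a password field."""
    parser = FormInputs()
    parser.feed(html)
    findings = []
    for fields in parser.forms:
        if not any(f.get("type") == "password" for f in fields):
            continue  # not a credential form
        # Assumed heuristic: a username candidate has "user" in its name
        # or autocomplete hint and is a text, email or hidden input.
        users = [f for f in fields
                 if f.get("type", "text") in ("text", "email", "hidden")
                 and "user" in f.get("name", "") + f.get("autocomplete", "")]
        if not users:
            findings.append("no username field in the password form")
        elif all(f.get("type") == "hidden" for f in users):
            findings.append("username only present as type=hidden")
        elif not any(f.get("autocomplete") == "username" for f in users):
            findings.append("username field lacks autocomplete=username")
    return findings
```

Running `audit()` over the rendered password page of a deployment flags the hidden-username case before users report that their password manager no longer offers to save the login.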

Alex K

2018-03-11 16:23

reporter   ~0059166

For the password manager KeePass, the following auto-type sequence works for me: {USERNAME}{ENTER}{DELAY 500}{TAB}{PASSWORD}{ENTER}

However, this is not a very good solution because it assumes that the password form is displayed within 500 ms after pressing enter on the user name form. This might fail if the server experiences heavy loads or the internet connection is too slow.

While I understand the conceptual benefits with respect to a more flexible authentication system, I would also prefer to have an option to return to the old single-page login form.

rogueresearch

2019-03-18 16:36

reporter   ~0061700

+1 for me for going back to the old single-page login form.

atrol

2019-11-01 09:02

developer   ~0063048

Mentioned by @dregad 0026296:0063024

The 2-step login process was introduced to allow for 3rd party authentication via plugins. @vboctor authored this and can provide more information.

martin.fernau

2019-11-19 06:21

reporter   ~0063112

I'm also looking forward to having the "old" and widely used "best practice" of having the username and password in one form.
Besides the mentioned disadvantages, I had a bad experience with the actual login process: during a demonstration presenting Mantis to a larger audience, I mistyped my password, resulting in an error during the login. My intuitive action was to just retype my password. Admittedly, I didn't look closely at the screen just before I retyped my password. The result was that I typed my password into the username field, showing my password to the whole audience, because Mantis starts over with the username in case of an authentication error.

grante

2019-12-20 21:53

reporter   ~0063325

Single-page login?

Yes, please!

The new two-page approach is a pain for people who use password managers.

cas

2020-07-19 06:46

reporter   ~0064169

What I am missing here is the fact that it has not been made optional.
It would have been easy to implement this based upon a configuration value; perhaps the devs can take such a solution into consideration?

Starbuck

2020-08-11 17:21

reporter   ~0064256

I use this sequence in KeePass for some sites:

{DELAY=60}{HOME}+{END}{UserName}{ENTER}{DELAY 1000}{HOME}+{END}{Password}{ENTER}

This sequence takes much more time but it is much more detailed and never fails.

{DELAY=80}{HOME}+{END}{DELAY 500}{UserName}{DELAY 1000}{ENTER}{DELAY 4000}{HOME}+{END}{DEL}{DELAY 500}x{HOME}+{END}{DEL}{DELAY 500}{Password}{DELAY 1000}{ENTER}