    752 points dceddia | 21 comments
    verall ◴[] No.36447353[source]
    A lot of people are bringing up Wirth's law or other things, but I want to get more specific.

    Has anyone else noticed how bad sign-on redirect flows have gotten in the past ~5 years?

    It used to be you clicked sign in, and then you were redirected to a login page. Now I typically see my browser go through 4+ redirects, stuck at a white screen for 10-60 seconds.

    I'm a systems C++ developer and I know nothing about webdev. Can someone _please_ fill me in on what's going on here and how every single website has this new slowness?

    replies(16): >>36447462 #>>36447463 #>>36447473 #>>36447749 #>>36447944 #>>36448057 #>>36448342 #>>36448778 #>>36448926 #>>36448930 #>>36449089 #>>36449478 #>>36450517 #>>36450908 #>>36453785 #>>36460900 #
    1. billyjobob ◴[] No.36447749[source]
    A lot of sites now don't even have a "sign in" now. You only have a large "sign up" button, which you have to click, and then in very small text at the bottom of the sign up screen find the link for "already have an account?"
    replies(6): >>36447938 #>>36447967 #>>36448629 #>>36448826 #>>36449810 #>>36453286 #
    2. verall ◴[] No.36447938[source]
    I haven't figured this one out either - why show the user how difficult it will be to use before they sign up? That's supposed to be for after.
    3. Solvency ◴[] No.36447967[source]
    Don't you see? All that matters is those tasty conversions. They want your email. They want your conversion. What's that? You've converted already and want to login? Sorry, we've got more conversions to drive, can't be bothered.
    replies(2): >>36448072 #>>36448376 #
    4. ryandrake ◴[] No.36448072[source]
    I worked with a designer that actually told me this un-sarcastically. "My KPI is signups, not logins. Bury the login link. Existing users don't move the metric."

    Metrics-based and KPI-based software development has ruined quality for decades.

    replies(3): >>36449045 #>>36454506 #>>36460910 #
    5. guestbest ◴[] No.36448376[source]
    I wish sites only wanted email. Mostly they want to integrate with Google, Facebook and require a phone number.
    replies(1): >>36449001 #
    6. r00fus ◴[] No.36448629[source]
    I guess you’re supposed to bookmark the deep link that goes to your dashboard then let it send you to the interstitial login page.

    Bad UX though.

    7. cpeterso ◴[] No.36448826[source]
    Web UX designers need to find some alternative button label that users understand means both “Sign up” and “Sign in”. The site will know if your email address has an account and you should then be asked for a password. Though users will still complain that the login process requires two steps: entering a username and then the backend determining whether to next serve a password or registration form.
    replies(2): >>36450944 #>>36478151 #
    8. nerdponx ◴[] No.36449001{3}[source]
    I'm waiting for the day when we see an article about some government tax or bill-pay portal that only works with Facebook and Google login, no email.
    replies(2): >>36449589 #>>36451009 #
    9. Tade0 ◴[] No.36449045{3}[source]
    I've split tickets into smaller chunks because the number of tickets closed was my KPI at the time.

    It's dumb and current me would just say that out loud and not participate in this circus.

    replies(1): >>36464721 #
    10. guestbest ◴[] No.36449589{4}[source]
    If you want to get even more dystopian, imagine every separate account is taxed on every forum/chat app and failure to report is tax fraud.
    11. pessimizer ◴[] No.36449810[source]
    Nobody wants you to ever turn a device off, or to ever log out of a website.
    12. guntars ◴[] No.36450944[source]
    Needing a bunch of JavaScript to make it work, which will get bungled by the devs and break it for people using password managers, making the thing even worse. Login is such a common pattern that it should be just handled by the browser.
    replies(1): >>36452406 #
    13. Nextgrid ◴[] No.36451009{4}[source]
    There are already some essential services that use ReCaptcha and require you to be stalked by Google and be on good standing with them.
    14. cpeterso ◴[] No.36452406{3}[source]
    Good point. It's unfortunate that HTTP Auth never became popular. I don't know if that was because the browser support or UX was bad or if web developers wanted more control over their sites' login flow or user information required.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentica...

    replies(1): >>36461961 #
    15. phist_mcgee ◴[] No.36453286[source]
    Guilty of implementing this exact thing only the other month.

    "We" just assume that anyone who has already signed up will always be signed in.

    replies(1): >>36462011 #
    16. esafak ◴[] No.36454506{3}[source]
    This is what happens when you strongly tie promotions to metrics. Make sure you have the right ones, or don't do it. Left to his own devices, the designer would probably have done the right thing. It takes a bad incentive to make someone do something like this.
    17. immibis ◴[] No.36460910{3}[source]
    "Whatever you measure will improve. This is a warning."
    18. efreak ◴[] No.36461961{4}[source]
    The problem is that you have a few options:

    1. Send in plain text with http basic auth. (Over https this isn't a problem, but https was expensive.) This is sent on every request.

    2. Use digest. This is also sent on every request, and also requires actual processing, at which point you might as well go for 4 so it looks nice.

    3. Use certificates. Nobody does this on the public web. The only website I've ever used certificates was whatever certificate site predated Let's Encrypt, can't remember the name at the moment, and as someone who doesn't use client certificates it was a huge pain (blame that on the browsers though).

    4. Use a form on the website with a session token, and you get control over the UI including error messages and styling. Much more user-friendly. You can trivially prevent the user from (easily) sending requests with plain text passwords by only showing sensitive pages like login over https. The user can't bookmark or share a URL with a password embedded in it. You can request more information than just username and password (Bank: do you want to see your checking account or savings account? Forum: go back to previous page or to homepage? SSO-ish (DayForce): what's the name of the org you're signing into?)

    19. efreak ◴[] No.36462011[source]
    My mother signs out of her email every time she closes it, and does the same for other websites as well. She's the only one who uses her computer, and it has a password on it (mostly because Windows won't do file sharing without one). She still refuses to stay signed in.

    Not everyone wants to stay logged in, and not everyone uses a single browser; I occasionally use the wrong browser profile for something because I cbf loading up the correct one; in these cases I usually load the website in a private browsing tab to avoid container/addon settings interfering. When I can't log in easily, I get quite annoyed.

    20. mikrotikker ◴[] No.36464721{4}[source]
    Reminds me of those explorers who paid the natives for every dinosaur bone they turned in, only to be horrified when they realized the natives were breaking the bones into as many pieces as possible to collect as much currency as possible.
    21. account42 ◴[] No.36478151[source]
    Congratulations, you have just designed a leak that attackers can use to determine who has signed up to your website.
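
Added example, not part of the thread: the two-step flow proposed in comment 7 next to a variant that closes the leak comment 21 points out, by returning the same response for every address and moving the "sign in vs. sign up" difference into the mailbox. All names (`USERS`, `OUTBOX`, `step_one_*`, `check_password`) and the sample account are hypothetical, constructed for illustration.

```python
import hashlib, hmac, os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed sample data: one registered account (assumption for the demo).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Dummy record so unknown addresses cost the same hashing work as known ones.
_DUMMY = (os.urandom(16), os.urandom(32))
OUTBOX = []  # stands in for the mail queue; only the mailbox owner reads it

def step_one_leaky(email: str) -> str:
    """The flow as proposed: the response itself names the account's state."""
    return "password_form" if email in USERS else "registration_form"

def step_one_uniform(email: str) -> str:
    """Same screen for every address; the difference goes to the inbox."""
    kind = "sign-in link" if email in USERS else "finish creating your account"
    OUTBOX.append((email, kind))
    return "check_your_email"

def check_password(email: str, password: str) -> bool:
    """For sites keeping a password form: always hash and compare, so the
    failure path is identical for a wrong password and an unknown address."""
    salt, stored = USERS.get(email, _DUMMY)
    candidate = _hash(password, salt)
    return hmac.compare_digest(candidate, stored) and email in USERS

def distinguishable(step, known: str, unknown: str) -> bool:
    """True if the visible response differs between the two addresses."""
    return step(known) != step(unknown)
```

The same uniformity has to hold on the registration and password-reset endpoints, otherwise the account-existence signal just moves there.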