Best practices for login pages?

Question

I am working on a single sign-on login page using Shibboleth that will be used for a variety of web applications. Obviously we would like to make this page as secure and usable as possible while limiting the effects of phishing scams.

What are the best practices to keep in mind when designing a login page?

Some questions that have come up around this issue:

• Is it important for the login page to always look the same on every display?
• Conversely, would it be beneficial for the login page to have a random design?
• Is it better for the login page to look the same as all of your other pages or should it have its own unique design?
• If the login page has its own unique design, should it incorporate other constant elements from your site's design (such as global navigation)?
• Is the login page an appropriate place to provide the user with additional content (such as latest news)?
• Are there any additional security features that should be included to help keep people safe?

Answer 1

Usability notes:

Personally I hate when sites put the "forgot password" or "forgot username" or "help" links inbetween the password field, and the Login button. As a keyboard user, I shouldn't have to TAB over them to get to the submit button.

Better yet, also capture the Enter keypress on the password field so that I can auto-submit with the Enter key.