| ▲ | myflash13 9 days ago |
| just stick with passwords then |
|
| ▲ | jmull 9 days ago | parent | next [-] |
| I guess the problem is such people will mostly use passwords that are as weak as they can get away with. |
|
| ▲ | danenania 9 days ago | parent | prev | next [-] |
| If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes. It’s actually worse, since now the email account or the password get you in, vs. just the email account. |
| |
| ▲ | MetaWhirledPeas 9 days ago | parent [-] |
| > If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes. |
| I disagree. The problem with the magic code is that you've trained the user to automatically enter the code without much scrutiny. If one day you're attempting to access malicious.com and you get a google.com code in your email, well, you've been trained to take the code and plug it in, and if you're not a smarty then you're likely to do so. In contrast, email password recovery is an exception to the normal user flow. |
| ▲ | danenania 8 days ago | parent [-] |
| Password reset also has phishing potential. I do see your point, but if a user doesn’t check domains, I think they can be easily phished through either route. |
|
| ▲ | stronglikedan 9 days ago | parent | prev [-] |
| Good luck finding a suite of modern, convenient services that will allow you to do that nowadays. I wish we could opt-in with some sort of I-know-what-I'm-doing-with-passwords-and-take-full-responsibility option. |
| |
| ▲ | Wingman4l7 9 days ago | parent [-] |
| You vastly underestimate the number of people who should not pick this option but would (because doing otherwise would be admitting their incompetence / ignorance) -- thus handily continuing the problem. |
|