amiga386 2 hours ago

Add the lie "emails are delivered instantly, so the user can click a link I email them within 1 minute"

And the lie "users always read emails on the same device they're logging into a website with"

And the lie "users can always view HTML email so no need to send a plaintext equivalent, especially if I have a long complex URL I want them to click"

And the lie "Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins. Whoever clicks that link first is definitely the user who wanted to log in"
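
Added example (not code from anyone in this thread): a server-side magic-link handler that does not rely on the last two assumptions above. The link's GET landing page only validates the token, so a mail-security scanner that follows every link in the message consumes nothing; the token is burned only by an explicit POST, is single-use, is stored as a hash, and expires after a fixed window because the email may arrive hours late. It deliberately does not tie the token to the browser that requested it, since the user may open the link elsewhere. The `MagicLinkService` class, the `example.test` URL, the 10-minute TTL and the walkthrough in `scenario()` are all assumptions made for illustration.

```python
"""Email magic-link login: validate on GET, consume only on POST.

Added example, not from any post in the thread. The class, URL, TTL and
the walkthrough are assumptions made for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 10 * 60  # assumed window; mail delivery is not instant


@dataclass
class PendingLogin:
    user_id: str
    token_hash: str      # only the hash is stored, as with passwords
    expires_at: float


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class MagicLinkService:
    """Hypothetical in-memory service; a real one keeps the same fields in a DB."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised offline
        self._pending: dict[str, PendingLogin] = {}

    def issue(self, user_id: str) -> str:
        token_id = secrets.token_urlsafe(8)
        secret = secrets.token_urlsafe(32)
        self._pending[token_id] = PendingLogin(
            user_id, _hash(secret), self._now() + TOKEN_TTL_SECONDS)
        # The mail should carry this URL in a text/plain part as well as HTML.
        return f"https://example.test/login/confirm?id={token_id}&t={secret}"

    def _lookup(self, token_id: str, secret: str):
        entry = self._pending.get(token_id)
        if entry is None:
            return None, "unknown_or_used"
        if not hmac.compare_digest(entry.token_hash, _hash(secret)):
            return None, "bad_secret"
        if self._now() > entry.expires_at:
            self._pending.pop(token_id, None)
            return None, "expired"
        return entry, "ok"

    def landing(self, token_id: str, secret: str) -> str:
        """GET handler: checks the token but never consumes it, so a link
        scanner that fetches the URL ahead of the user burns nothing."""
        _, status = self._lookup(token_id, secret)
        return "show_confirm_button" if status == "ok" else status

    def confirm(self, token_id: str, secret: str) -> tuple[bool, str]:
        """POST handler: the first successful confirm removes the entry."""
        entry, status = self._lookup(token_id, secret)
        if entry is None:
            return False, status
        del self._pending[token_id]
        return True, entry.user_id


def _params(url: str) -> tuple[str, str]:
    q = parse_qs(urlparse(url).query)
    return q["id"][0], q["t"][0]


def scenario() -> dict:
    """Constructed walkthrough: scanner GET, wrong secret, user POST, replay,
    and a link opened after the email arrived late."""
    clock = [1_000_000.0]
    svc = MagicLinkService(now=lambda: clock[0])
    tid, secret = _params(svc.issue("alice"))
    results = {}
    results["scanner_get"] = svc.landing(tid, secret)    # nothing consumed
    results["wrong_secret"] = svc.confirm(tid, "nope")   # (False, "bad_secret")
    results["user_confirm"] = svc.confirm(tid, secret)   # (True, "alice")
    results["replay"] = svc.confirm(tid, secret)         # (False, "unknown_or_used")
    late_tid, late_secret = _params(svc.issue("bob"))
    clock[0] += TOKEN_TTL_SECONDS + 1                    # mail delivered hours later
    results["late_click"] = svc.landing(late_tid, late_secret)  # "expired"
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The GET/POST split is the part that matters: anything that auto-follows links in mail (corporate link scanners, preview generators) performs a GET, and with this design it cannot log in as the user or invalidate the user's own click. The expiry is enforced against the server clock at use time, not at send time, so a message that sits in a queue for an hour still works if it is read inside the window and fails cleanly otherwise.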

trumpdong an hour ago | parent | next [-]

If you try to create a Discord account with Firefox Klar as your default browser, on Android, immediately upon signing up you'll be banned. I have to assume this is because it clears cookies and thinks you're a bot farm.

Terr_ 23 minutes ago | parent | prev | next [-]

> And the lie "users always read emails on the same device they're logging into a website with"

Or the same browser, or the same browser-profile. For example, on my phone I have external links (from other apps) opening in incognito mode by default.

butvacuum 21 minutes ago | parent | prev | next [-]

I don't think it's about security. It's about fobbing off password resets on somebody else.

wodenokoto 2 hours ago | parent | prev | next [-]

If you have a password reset form, you probably already have a log-in with email with extra steps functionality.

nosioptar an hour ago | parent | prev | next [-]

When I had protonmail, I often wouldn't get emails for hours, sometimes a day.

Most other providers I've used range from instant to a few minutes.

CPLX 2 hours ago | parent | prev [-]

> Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins

God, I fucking hate that.

I have a fucking password manager, I have various machines and things open. Just let me fucking log in.

If anyone is reading this who is in charge of the internet please stop doing this.

Terr_ 22 minutes ago | parent | next [-]

There's a landlord/apartment portal where the basic login process has become:

1. Enter username (e.g. an email)

2. Choose email or SMS

3. Enter the code you got somehow through an unencrypted channel

anon7000 an hour ago | parent | prev | next [-]

So agreed. It’s fucking crazy. Password manager is so much easier and more secure. If you do this dumb email or SMS OTP flow, at LEAST support passkeys for my password manager!

It’s wild that they’re like “it’s more secure to not have a password” and then choose two unencrypted delivery mechanisms for the very short OTP.

Sure, people who reuse passwords are not secure. And fair, I guess it's a tragedy of the commons. But at least continue supporting it and make it dead simple for password managers if you actually care about security.

8n4vidtmkvmk 38 minutes ago | parent [-]

I thought the same for a long time but now I don't know. If your computer is compromised, they can exfiltrate your password, but with a hardware key they can't, so I think that's legitimately more secure than password+OTP. It still needs a PIN though to protect against device theft. I bring this up because there's been a ton of compromised developer packages recently and Windows itself is being attacked, so even if you're pretty good about protecting yourself, you still might get screwed.

nvme0n1p1 25 minutes ago | parent [-]

If your computer is compromised, the attacker can just as easily read your email.

OTP can be used with a password.

roygbiv2 an hour ago | parent | prev | next [-]

I seem to spend half my life logging into things, confirming 2FA, confirming biometric data. Then when I go back to the first thing it's timed out and I have to sign in again.

denkmoon 2 hours ago | parent | prev [-]

The people in charge of the internet are "cybersecurity" "professionals" who can't even follow NIST guidance.

Kaliboy 44 minutes ago | parent | next [-]

It is with much hesitation that I write this, because I just implemented such a flow.

My reasoning was this: my customers keep forgetting their password and somehow that becomes a trigger to contact me. No passwords, no problem.

I tried convincing them to use password managers but that was pointless.

But I see the pain and frustration so I will add passwords. And I quite liked the passkey idea, have to see how that works. Not that my customers would ever use it, but I would. It literally never occurred to me.

butvacuum 18 minutes ago | parent | next [-]

Good to see my take verified. But, where does the buck stop? What if your phone relies on email, but your email needs your phone.

denkmoon 32 minutes ago | parent | prev [-]

To be clear, no shade on actual devs faced with actual problems. My ire is reserved exclusively for the "we must do this because it is on the checklist, no I don't understand what a subnet is" people.

readthenotes1 an hour ago | parent | prev [-]

The "change your password every 6 months" guidance?

denkmoon 34 minutes ago | parent | next [-]

Specifically the revocation of such guidance. If the field gave even the slightest deference to empiricism we wouldn't be changing our password every 180 days, but here we are.

trumpdong an hour ago | parent | prev [-]

That was revoked some years ago.