undefined | Better HN

0 pointskevincox4y ago0 comments

I find this way less convienent because my password manager automatically fills in my username and password. So I can log in with 1 click. With "magic links" I need to enter my email (which may be autocompleted, but it is much less reliable) and then wait for the email to show up. (Assuming I have my email available.) Also email is never going to be reliably "instant" spam techniques include bouncing an email and waiting for a retry which is going to frustrate users and slow down login.

Additionally my security is now tried to the email I use which may be undesirable.

So I see why this exists, but please consider also supporting username+password at least until something else browser-integrated comes along.

0 comments

mojuba4y ago

I know but it comes at a price of some users who don't use a password manager setting silly weak passwords.

In one of my mobile apps that manages KeyChain user/passwords correctly, I still see a lot of password reset requests. I can't even think of a reason why people would ignore autofill so often. The result is, although I haven't checked, but wouldn't be surprized if there were still a lot of "password123"'s in the DB.

So neither are passwords a good option, it seems.

nybble414y ago

Don't let the user set the password, just assign them something random. If you let users pick their own passwords some of them are guaranteed to pick insecure ones (i.e. anything which isn't random and unique to that site).

Though frankly we should be able to do far better than one-off shared secrets for each account. WebAuthn, for example, with the browser as the authenticator, protected by either a client-side master password or biometrics. That would be at least as good as a password stored in a password manager, with the advantage that the user doesn't need to store (and sync) unique passwords for every site. To log in from a new device just enroll a second authenticator.

krupan4y ago

My experience with password managers is that it works that well on about 10% of websites/apps, and I have to resort to copy and paste from the password manager everywhere else. It's not that great

mojuba4y ago

10% is pretty low though. In my case Safari does it right in maybe 80% of cases. However the ones (websites and apps) that do it wrong can be very annoying.

kevincoxOP4y ago

That seems incredibly low. Using Firefox's built-in password manager I definitely get >90% of sites. The only site that I use frequently where it doesn't work is my bank because the "card number" isn't recognized as the username.

But even copy-paste isn't too difficult. Roughly as much clicking as the magic-link solution in my experience.

j / k navigate · click thread line to collapse

0 pointskevincox4y ago0 comments

Additionally my security is now tried to the email I use which may be undesirable.

So I see why this exists, but please consider also supporting username+password at least until something else browser-integrated comes along.

0 comments

mojuba4y ago

I know but it comes at a price of some users who don't use a password manager setting silly weak passwords.

So neither are passwords a good option, it seems.

nybble414y ago

krupan4y ago

My experience with password managers is that it works that well on about 10% of websites/apps, and I have to resort to copy and paste from the password manager everywhere else. It's not that great

mojuba4y ago

10% is pretty low though. In my case Safari does it right in maybe 80% of cases. However the ones (websites and apps) that do it wrong can be very annoying.

kevincoxOP4y ago

But even copy-paste isn't too difficult. Roughly as much clicking as the magic-link solution in my experience.

j / k navigate · click thread line to collapse