undefined | Better HN

0 points_1tem9mo ago0 comments

just stick with passwords then

0 comments

I guess the problem is such people will mostly use passwords that are as weak as they can get away with.

If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

It’s actually worse, since now the email account or the password get you in, vs. just the email account.

MetaWhirledPeas9mo ago

> If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

I disagree. The problem with the magic code is that you've trained the user to automatically enter the code without much scrutiny. If one day you're attempting to access malicious.com and you get a google.com code in your email, well you've been trained to take the code and plug it in and if you're not a smarty then you're likely to do so.

In contrast, email password recovery is an exception to the normal user flow.

danenania9mo ago

Password reset also has phishing potential. I do see your point, but if a user doesn’t check domains, I think they can be easily phished through either route.

stronglikedan9mo ago

Good luck finding a suite of modern, convenient services that will allow you to do that nowadays. I wish we could opt-in with some sort of I-know-what-I'm-doing-with-passwords-and-take-full-responsibility option.

Wingman4l79mo ago

You vastly underestimate the number of people who should not pick this option but would (because doing otherwise would be admitting their incompetence / ignorance) -- thus handily continuing the problem.

j / k navigate · click thread line to collapse

0 comments

jmull9mo ago

I guess the problem is such people will mostly use passwords that are as weak as they can get away with.

danenania9mo ago

If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

It’s actually worse, since now the email account or the password get you in, vs. just the email account.

MetaWhirledPeas9mo ago

> If you have password reset via email, as almost every service using passwords does, there’s no security gain over magic links/codes.

In contrast, email password recovery is an exception to the normal user flow.

danenania9mo ago

Password reset also has phishing potential. I do see your point, but if a user doesn’t check domains, I think they can be easily phished through either route.

stronglikedan9mo ago

Wingman4l79mo ago

j / k navigate · click thread line to collapse