The best I’ve seen was yesterday where a website had the log-in button greyed out after the password manager filled my creds in.
So I had to manually click both the email and password field. Just click them. Then it enabled the log-in button.
So someone took their time to write a piece of JS that said “If the user hasn’t focused both fields at least once, no login”. Literally why? Extra code that does nothing useful.
I was hoping passkeys would be the solution to this madness, but it seems to me the entire spec gives too much power to the OS Makers and too little to the users because “mUh AtTtEsTatIoN” so now I don’t know anymore
I’ve definitely run into that. Even more frustrating is when there was one particular site that forced me to actually delete the last character of my password and then retype it. Just focusing in the field wasn’t enough, I had to actually send it a keystroke. And Ctrl-V to paste the password in manually didn’t count. I suppose typing a random character at the end and then deleting it would have worked too.
When ctrl+v is disabled to “prevent brute force bots” or something ridiculous
that’s when I grab my trusty Don’t Fuck With Paste extension
I used to have this problem with the payroll website ADP! So cursed
I’ve seen this a stupid number of times. I wish I could remember which websites…
My utilities website doesn’t let you login if the password field is autofilled by the browser. Whatever Angular-based form validation they are using doesn’t play nice with Firefox’s saved password feature. You have to manually type something in the password field, so I always add and remove a space from the password.
I sent an email to their support, hoping they would fix it, but they just responded saying that they can’t reproduce it.
Well, I can reproduce it. I even told you how. That sounds like a skill issue.
lol nice, this is one tech thing I have not complained about even though I hit it a few times a year
Oh, it gets worse. I’ve had some where I have to enter a character into the boxes before it would figure its shit out…
So someone took their time to write a piece of JS that said “If the user hasn’t focused both fields at least once, no login”. Literally why? Extra code that does nothing useful.
If anything, 30 seconds in Greasemonkey should fix that one (either blocking the function that is doing it, or manually firing click events on the fields).
They inevitably didn’t write it for that reason. They wrote it to say the field is invalid until the user changes it to be valid after someone landed on the page holding the enter key down and instantly locked themselves out after submitting the form 50 times in 3 seconds.
Unless you know otherwise, it’s easy to think that “form interaction” is the same as “form changed”, and one of those is much easier to check.
I’m unsure what you mean about passkeys. I don’t think I’ve heard anyone mention significant concessions to OS makers and I’m pretty tuned in on the topic.
Also, those stupid annoying modern log in pages where it just asks for your email, then refreshes to a page with a password, because the password managers are hit and miss on detecting the log in form when it does that shit and why the fuck are we doing an extra step page anyway???
And then…
The password manager can’t fill the form. You’ve got to change your 10-word, unique passphrase because it’s 3 months old. And you have to verify with a text.
Oh and then you have to type it in on your TV with a remote and on-screen keyboard.
Also you better hope you used the password manager for this obscure app you don’t remember signing up with.
It used a different URL for sign in so isn’t picked up by the password manager.
The password is too strong / doesn’t accept Ukrainian letters.
Does your granny have a password manager? She should, but would she understand how it works?
Or worse:
Use email link -> use password instead
Enter password
Now enter the code that we sent to your email…
2 factor authentication, only when you feel like it.
They might as well be piping the password to /dev/null
HEY BUT DO YOU WANT TO USE A PASSCODE?? PASSCODE! PASSCODE! USE THE PASSCODE! -_-
Yeah what the hell is up with that one? Seems so sketchy
Passkeys are okay, but your browser and OS want you to use them because you can’t just take a passkey to another platform, you have to create a new one, and it’s a pain in the ass.
It’s a lock-in gimmick latching on to a real useful solution.
Password managers can hold Passkeys now and they’re portable. Bitwarden stores all of mine, use them on any machine.
Yeh, I have passkeys in bitwarden.
I get it. Once they become ubiquitous, you click “login” your password manager prompts you to select account, and you are in.
No password that can be leaked, incorrectly stored, brute forced.
Corporations can pre-register company service passkeys for new users.
It’s like mTLS, except staged.
While true, it still means you’re locked into only being able to log in from a browser that has the password manager extension installed and logged in. Sometimes I want to log in from another machine, or another OS, or another browser, or even an incognito window that doesn’t have access to my extensions.
That’s an implementation issue, not an inherent problem with passkeys.
You can do that without an extension. There’s a bunch of different protocols that let you, for example, use your phone as the authenticator.
You can log in with your phone on a computer you’ve never used before by scanning a QR code and credentials never leave your device.
It’s good but for some reason I can’t use them on my degoogled Android phone. Doesn’t pop up to select… It thinks I want to use a YubiKey or other device.
KeepassDX as well.
That’s false. My passkeys sync to my password manager and are available on all my devices
Ok that makes a lot of sense. It definitely seems like it’s more for them than it is for the user’s “convenience”
My passkeys are tied to my phone, which I use via the browser and OS. I keep them in my password manager running on the phone. My password manager supports the open spec for securely migrating credentials between vendors.
It may be difficult to believe but they want you to use them because they’re legitimately significantly better.
Users are silly. They blame Microsoft for bad passwords. They blame Google for forgotten passwords. They blame Facebook when they click on a phishing link. They blame Apple when Apple “lets” someone who they gave their password to see their pictures. They blame Apple when they don’t let the user in just because they forgot their password and every recovery mechanism.
Everyone involved has a significant issue with passwords because they cost them user satisfaction, credibility, or money directly. The reason cross vendor transfer has been slow is because everyone wants to be the leader, since if everyone follows your lead you get to make it work better with your stuff.
Passkeys are fine. It’s just mTLS but by marketers (if by passcode you mean passkeys. Otherwise, what’s a passcode?)
alternatives to passwords are just excuses to harvest info
Not if it comes to hardware-based passkeys I would argue
true, but i would also argue that’s a much less utilised alternative. most people don’t even know what that is even though it’s a great redundancy.
they don’t need to know what’s happening when a panel pops up on their phone, says touch the fingerprint scanner, and enrolls a passkey. it’s on the companies
It is quite normal to ask for an email address at registration even when using password based authentication.
*it has become quite normalized
No email would be fine for most people, but then there would be the small number of folks who will cry all hell when they forget their passwords and/or secret questions and can’t get in…
It was more or less the default many moons ago, then just a username became more common, now it is back to email or some third party login
God I hate those stupid magic links. They’re WAAAAYYY slower than just using my password manager.
AND they kinda contribute to locking you into Big Tech. I sometimes have problems with those stupid links because I don’t have a Gmail account. Somewhere along the stupid chain there’s probably some stupid check that delays or blackholes emails to non-big-tech domains.
Based.
Email is terrible. It’s an unreliable communication system. You cannot depend on sent emails arriving in the recipient’s mailbox—even the spam folder.
People incorrectly assume that all emails at least get to their spam folder. They don’t. There are multiple levels of filters that prevent most emails from ever making it that far because most email traffic is bots blasting phishing links, scams, and spam. Nobody wants phishing and scam emails, but the blocks that prevent those are being used by big tech to justify discriminating against small mail servers.
I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.
Well, email allows you to solve that issue by self-hosting. But what you can’t solve is that if you do self-host, gmail will drop your emails to spam or just discard them completely, just because it feels like it, even if you do the whole dance with DMARC and have used the domain for a good few years. It’s frustrating as shit.
I had an email never arrive because I used Firefox for Linux. It worked on my phone in a different browser. God knows what went on there. I suppose their website never really registered I even made a request from my desktop even though it told me the email was on the way. Really strange.
Magic link is lazy 2fa.
Implement TOTP support, you lazy fucks.
What’s the 2nd factor? Email and what else?
Email is considered insecure as a 2nd factor. TOTP stands for Time-based One-Time Password. Usually you store a seed and that combined with the time generates a time based password. If someone intercepts it, it’s only valid for a certain time frame (I think about a minute or so), after which it’s invalid.
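The seed-plus-time scheme described above, written out as an added example (not code from anyone in this thread): HOTP per RFC 4226 and TOTP per RFC 6238, with a verifier that tolerates one step of clock skew. The seed is the RFC 6238 test secret, a constructed demo value, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed (the RFC 6238 test secret, ASCII "12345678901234567890").
# A real seed comes from the enrolment QR code and must never be shared.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(seed, unix_time // step, digits)


def current_totp(seed: bytes) -> str:
    """Code an authenticator app would show right now (30-second step, 6 digits)."""
    return totp(seed, int(time.time()))


def verify_totp(seed: bytes, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps.

    A code captured in transit therefore stops working once the clock moves
    past that window, which is the whole point of the time component.
    Constant-time comparison avoids leaking digit matches via timing.
    """
    for drift in range(-window, window + 1):
        counter = unix_time // step + drift
        if hmac.compare_digest(hotp(seed, counter), submitted):
            return True
    return False


def seed_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the seed as Base32 (the `secret=` field of an otpauth:// URI)."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)
```

Servers should additionally refuse to accept the same code twice within its window, otherwise an intercepted code remains replayable until the window closes.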
Just to add, SMS is also incredibly insecure as a 2FA
Arguably less secure than email.
Yes but email is only a second factor when used in addition to a first factor (e.g. password). If it’s just magic link without password, then email is the only factor
Very few things on the internet and computer actually need accounts. Everything requiring a login is a cancer.
Yes and no. In most cases it is used to limit misuse somewhat, but I absolutely agree that it’s getting out of hand. God bless trashmails.
Password manager users living life on easy mode.
More people should use passkeys
Passkeys get undeserved hate
nah, too cumbersome and mystic
But you know what’s the safest way for us to keep your password safe? Not asking for one to begin with. By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure. The sign in link is going to your email, which presumably is protected with two-factor authentication, if you have it set up (which you should!).
https://www.404media.co/we-dont-want-your-password-3/
They had a follow up later too (paywall)
Ah but you see it’s one factor of authentication that also conveniently loops in whichever email provider is spying on you
Ding! Ding!
This is the real answer: mail providers get to track you, your service get constant confirmation that your email is live (so they can send more ads from themselves plus their 400 closest affiliates). It’s a win-win situation for everyone /s.
“The beatings enshittification will continue, until morale is improved.”
Of course. How would Microslop or Google LLMs snoop on your data then? You guys really make no effort… /s
I love FIDO logins and next to fucking no one implements them :(
And when they do they only offer them as the second factor.
Yes, let me first input my password (from a password manager), then let me approve with a passkey that is meant to make my password not necessary.
But email based login: FUCK THAT SHIT.
I actually prefer using FIDO2 as a second factor only cos I use YubiKey which can only store 100 RKs.
Depending on the security needs using hardware based security as a second factor while still requiring some other form of auth is not actually a bad idea.
What are they?
Public key cryptography tied to physical hardware, so if you lose your phone / usb key, you need to use your backup recovery code; a fairly short one time password that negates the security benefits of Fido in one easy step.
It can also use biometrics, but that requires every device you log in on to have biometric readers.
Or you could use multiple FIDO keys as backups
Absolutely 100%. Click login, accept passkey signature, logged in. This is the way to go
As an autistic person I felt this in my bones. I cannot STAND email based authentication.