I don't understand why so many developers do so many stupid things with emails. Sure, there's some trivial validation you can do that makes sense - make sure it matches (.+)@(.+), make sure the domain part exists, etc.
But far too many sites do extra 'validation' using weird restrictive regex, and it prevents you from using valid email addresses - things like restricting chars so I can't use '+', or so I can't use a one char local part, or a one char domain, or a newer TLD that doesn't fit some dodgy regex they copied from a random stack overflow comment...
I really wish that developers would just do really simplistic checks - eg make sure it has an @ in it and something either side, and then just send a validation email as part of their signup flow. If you do it as the first step in the flow, you validate control of the email address and you ensure you don't end up with junk accounts on your system where someone typo'd their email and will never be able to activate it.
edit: the really stupid thing is that it takes considerably more effort to add this restrictive and usually wrong validation than it does to do it right :(
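The permissive syntax check plus an emailed verification link that the comment above argues for, as an added example (not code from this thread); the regex, the HMAC token layout and the 24-hour lifetime are my own assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Deliberately permissive, as the comment suggests: something, one '@', something.
# Stricter patterns (banning '+', demanding a 2-3 letter TLD) reject valid addresses.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+")

def looks_like_email(addr: str) -> bool:
    """Only the cheap syntactic check; the verification email is the real test."""
    return EMAIL_RE.fullmatch(addr) is not None and len(addr.encode()) <= 254

# Constructed per-process key for the example; a real service persists its secret.
SECRET = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # assumed link lifetime in seconds
MAC_LEN = 32           # SHA-256 digest size

def make_verification_token(addr: str, now=None) -> str:
    """Token bound to the address and an expiry, sent as the signup link parameter."""
    exp = (now if now is not None else int(time.time())) + TOKEN_TTL
    payload = f"{exp}:{addr}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return urlsafe_b64encode(payload + mac).decode()

def verify_token(token: str, now=None):
    """Return the verified address, or None when the token is forged, mangled or expired."""
    try:
        raw = urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    exp_str, _, addr = payload.decode().partition(":")
    if not exp_str.isdigit() or int(exp_str) < (now if now is not None else int(time.time())):
        return None
    return addr  # only now does the account get created or activated
```

Creating the account only after `verify_token` succeeds is what keeps mistyped addresses from turning into dead accounts.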
For the dystopian cyberpunk future where a few companies rule the world, yup.
I will stay with passwords that only a quantum computer can break :)
To elaborate a bit more, as we are already off topic:
Biometric traits are a big nono for me.
And another device just shifts the password problem to said device (same for email account instead of device). Once someone has access to the device (secured via one password) they have access to everything.
So a normal trade in convenience for security.
Passwords are solved for me, apart from idiotic rulesets on the other end.
> For the dystopian cyberpunk future where a few companies rule the world, yup.
oauth with google isn't the only option. There are oodles of oauth providers out there, and you can even set up your own.
> Biometric traits are a big nono for me.
Nobody is talking about biometrics but you.
> And another device just shifts the password problem to said device
Passwordless doesn't mean 2fa, and even if you _are_ talking about another device, the other device doesn't have to require a password.
> (same for email account instead of device).
They're not the same actually, not at all. Firstly passwordless doesn't imply access to another _device_, (and even in the case of WebAuthn it doesn't even imply access to another service). The most common case of Oauth allows for the service provider to trust any number of providers, who may or may not require a password. It can be a hardware key, it can be a private key in software that a restricted process has access to, or yes it can be a password.
> Once someone has access to the device (secured via one password) they have access to everything.
If someone has access to your device and password, it doesn't matter if you use unique passwords for everything, pretty much every service in existence will happily let you reset your password with access to the original email account.
> So a normal trade in convenience for security.
Hard disagree here. My biggest risk vector is third party websites insecurely handling credentials and leaking them. If they require passwords, my password gets leaked, which means I need unique passwords per site, which in turn means I'm going to rely on software to manage those credentials for me. If I'm relying on software to manage those credentials for me, isn't it _more secure_ to reduce the possibility of human error, clipboard scraping, incorrect file permissions on my local unencrypted file of passwords (because if it's encrypted I need a password for this too, right?)
If you google passwordless, biometric solutions are one way to go, hence I mentioned them, not because I was trying to put it into your mouth.
If someone has access to my password they either got it by torture, a non- or insufficiently hashed store on the other end or by breaking encryption.
A simple dongle that may not even need a password, is easier to get.
2FA can make sense, passwordless does not.
The risk of 3rd party screwing up, doesn't go away, it's just shifted to another 3rd party, which again, you have to trust.
I use a different email address with a unique password for anything that's important and where another person having access could harm me. Forums and such are not a part of that.
So let's agree to disagree. I'll stay with passwords for everything that's important and for most things that are really important, apart from banking that is, I don't even have a 3rd party involved.
A long, easy to remember, but hard to guess password, that is securely hashed on the other end, is an even better solution, that is proven and battle tested.
No, it isn't. A password can be phished, a hardware key can't, among a ton of other benefits. The hardware key is orders of magnitude better than a password.
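An added illustration of the "can't be phished" point, not code from this thread or from any WebAuthn library: the relying-party checks that bind a WebAuthn assertion to one origin and one RP ID. The origin and challenge come from clientDataJSON (filled in by the browser) and the rpIdHash from authenticatorData (32-byte hash, 1 flag byte, 4-byte counter); the authenticator's signature covers both, which is why a look-alike site cannot reuse them. Signature verification is omitted and the vectors are constructed.

```python
import hashlib
import json
from base64 import urlsafe_b64decode, urlsafe_b64encode

def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, rp_id: str, challenge: bytes) -> bool:
    """Origin/RP-ID/challenge checks a relying party runs before trusting an assertion.
    The signature (not verified here) covers authenticator_data || SHA-256(client_data_json),
    so none of these fields can be altered after the authenticator signed them."""
    try:
        cd = json.loads(client_data_json)
        got_challenge = b64url_decode(cd.get("challenge", ""))
    except (ValueError, TypeError, AttributeError):
        return False
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != expected_origin:  # set by the browser, not by page script
        return False
    if got_challenge != challenge:           # fresh per login attempt, blocks replay
        return False
    if len(authenticator_data) < 37:         # rpIdHash(32) + flags(1) + signCount(4)
        return False
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():  # rpIdHash
        return False
    return bool(authenticator_data[32] & 0x01)  # UP flag: the user touched the key

# Constructed stand-ins for what a browser and authenticator would send.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")
```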
I don't know, my USB key is on my keychain. Turns out that if you couple your GitHub login to your way of entering your house, you never forget your GitHub login.
Another decent solution is to seed the key, and keep the seed written down or in your password manager. Though I only know of the hacker version of SoloKey that lets you do that. Now you've got the convenience of passwordless login, and the peace of mind that you can always get a new spare.
This is an excellent idea, and I'm still waiting for BitWarden to implement soft-WebAuthn. That way I can just unlock my password manager (or, really, type in a passphrase that will generate the private key) and my browser can take care of all the authentication.
No need to store passwords, you can securely have one password for all sites. You lose the ability of rotating it if it gets stolen, but it's unlikely to get stolen if you never enter it anywhere else.
I would welcome something, but not the so called solutions that go under the buzzword "passwordless".
Shoulder-surfing isn't a problem for me, phishing worked when I was 12 and the internet was new, keyloggers... Yup, possible, although unlikely given the choice of my OS.
But alas, I digress and indeed it became personal, so let's stop it here, as I am not interested in personal discussions on the internet.