First, let's glance at what we have today.
Today many websites require a password.
They require "a good" password:
minimum N letters
at least o...
In defense of passwords
I disagree about the password vs magic links.
About password implementations -> you are right that they are a little complicated, BUT
I agree with your concerns
And you are free to develop options for technical users - they can find the switcher...
But as a technical user I'd request neither passwords nor magic links (or OAuth) - the most wanted feature for me is WebAuthn now.
WebAuthn is not ready yet
WebAuthn in my current understanding does not really work as an open protocol across multiple vendors -> you have to completely buy in to a proprietary vendor solution like Microsoft, Google or Apple. Usage of a hardware dongle/USB/YubiKey can completely lock you out the moment it gets lost. Especially if you are on vacation in another country with your laptop/phone stolen -> imagine getting locked out of all your accounts and losing access to all of your money and communication methods; how much fun is that?
I think this blog post has a good summary, where the author of an open source library and editing author of the standard suggests that it's better to just use passwords instead.
fy.blackhats.net.au/blog/2024-04-2...
Depending on Apple only for it to completely wipe all your Keychains does not seem like a reliable or secure solution to me.
Or do you mean a different WebAuthn than passkeys and dongles?
What are your thoughts on the article?
I heard the reasoning on the Security Now podcast; this is the article they discussed.
I think that passkeys give me a little more than one password, because in almost all resources where passkeys are supported, I can add many fallback options (other Passkeys) and store one of them in the password manager;
More than a year of experience in use, including implementation on our website - so far there are no problems with them;
I don't have an apple account to compare
But I agree that in the case without backup keys it's a dangerous situation
Complex password requirements are a conspiracy of password management software manufacturers against humanity...
Very interesting take. At first I had no real bias toward this subject, and I was even against using magic links, but the more I think about it, the more it makes sense, because a user will only log in to your application through the internet, since the API will validate its authenticity, so we can assume he has internet connectivity.
If the user has internet connectivity, it is way easier and safer to authenticate the latter using a magic link. The only downside I see is that this adds another layer of reliability, since a mail provider that is down means the whole authentication is down. But at the same time, mail providers put so much effort and money into making their service reliable that you have more chance of going down than they do.
Plus, it means no more passwords to mess with, and I've always advocated security before performance or cost so it is an added benefit for the user: a friendlier solution toward authentication, and a safer experience.
I've already started to see an application or two use this to allow authentication, and I think I'll start advocating for that and use it for my own apps.
Thank you for this very interesting article and take regarding this topic!
I really hope that someday we will forget our passwords and never return to them.
neal.fun: stuck on chess board.
You mean like a password manager??
I meant information would be anonymized, the opposite of confidential. Finally, data will be reused rather than duplicated. We'll save quite a bit of storage space. Distant future or in next decade, who knows.
Very interesting article, I honestly did not know all this stuff about passwords
Great article, but if I may, please fix the typo in your article title, unless it's intentional
Thanks, I hope now it's better
Or just tell me what is wrong
I'm not good at English
I would recommend using LanguageTool to check your article.
You can also add an extension to your browser.
languagetool.org
Here is the result for your article, so except the "require", you are pretty good.
For information, I'm French; LanguageTool helped me to improve my English by showing me the errors I was making in context.
I should write an article about it, BTW
Nice, I'll try it too
Actually I use grammarly.com
I switched away from Grammarly 3 years ago. I like that LanguageTool can be used with a local LanguageTool server, so nothing is sent to the cloud.
I definitely need to write an article about it...
I disagree about the "Magic links must save user agent".
As a developer/technical user I use multiple browsers and multiple email accounts.
Example use case, so then I try to
Yes, if you accept the risk and agree with the IP matching - why not!
Anyway - you should think about the phishing cases and prevent them
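The exchange above turns on whether a magic link should be bound to the browser that requested it. The following is an added example, not code from the article or from any commenter: a minimal magic-link service that stores only a digest of each token, enforces a short expiry and single use, and makes the user-agent (or any client hint) binding optional, so the same code shows both positions. The `MagicLinkService` class, the `example.test` URL, the 15-minute TTL and the e-mail addresses are all constructed for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed example value; a link sitting in an inbox is a bearer credential,
# so it should live for minutes, not days.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    client_hint: Optional[str]  # e.g. the requesting user-agent; None means "do not bind"
    used: bool = False


class MagicLinkService:
    """Hypothetical single-use magic-link issuer/redeemer (example code, not the article's).

    Only a SHA-256 digest of each token is stored server-side, so a leaked
    table of pending logins cannot be turned back into working links.
    """

    def __init__(self, base_url: str = "https://example.test/login",
                 clock: Callable[[], float] = time.time) -> None:
        self.base_url = base_url
        self.clock = clock  # injectable so expiry can be tested; defaults to wall-clock time
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, client_hint: Optional[str] = None) -> str:
        """Create a fresh 256-bit random token and return the link to e-mail to the user."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = PendingLogin(
            email=email,
            expires_at=self.clock() + TOKEN_TTL_SECONDS,
            client_hint=client_hint,
        )
        return f"{self.base_url}?token={token}"

    def redeem(self, token: str, client_hint: Optional[str] = None) -> Optional[str]:
        """Return the e-mail on success, None on any failure (the reason is not leaked)."""
        key = self._digest(token)
        entry = self._pending.get(key)
        if entry is None:
            return None  # unknown token
        if self.clock() > entry.expires_at:
            self._pending.pop(key, None)
            return None  # expired: purge it
        if entry.used:
            return None  # replay: links are single-use
        if entry.client_hint is not None and entry.client_hint != client_hint:
            return None  # bound to the requesting browser; another browser is refused
        entry.used = True
        return entry.email


def token_from_link(link: str) -> str:
    """Extract the token the way the login endpoint would from the request URL."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice@example.test")  # constructed address
    print(svc.redeem(token_from_link(link)))  # alice@example.test
    print(svc.redeem(token_from_link(link)))  # None: a second use is refused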
Password Requirements -> a long length is enough. Writing sentences as passwords is the best choice (after using a password manager of course).
I believe a small number of users use password managers and really think about their password strength
That is why the Princeton research recommends adding a password strength meter to the UI, and then... every user wants to create a good password, but afterwards they will use the Forgot password button... Round and round