undefined | Better HN

0 pointsblowski3y ago0 comments

Why should I have to go through all that faff when I have a perfectly good password manager?

0 comments

6 comments · 2 top-level

arubania23y ago· 2 in thread

Wasn’t suggesting that anyone should - just wanted to suggest a solution to the problem they described.

soco3y ago

But they don't have a problem - they just don't use the passwordless sites. If anybody, it's the sites having the problem of missing users.

KronisLV3y ago

> But they don't have a problem - they just don't use the passwordless sites.

If nothing else, the idea of having a separate e-mail account/inbox per use case is an interesting one!

Much like those people that use aliases or something of the sort to be able to tell where who sent then a particular email, like if suddenly some shop+my.account@gmail.com started getting random marketing mails.

> If anybody, it's the sites having the problem of missing users.

I mean, isn't that just the consequence of websites optimizing for whatever seems to work for them and forgetting about the minority of users? It might be missed profit, sure, but that depends on just what portion of the users view this as a dealbreaker.

Maybe there could be an app like Google Authenticator that would offer login to multiple websites through one's phone? We already have that in Latvia somewhat, for banking - you enter your user details in the web form and get a prompt on your phone for your PIN to log in with in the web app: https://www.smart-id.com/

arinlen3y ago· 2 in thread

> Why should I have to go through all that faff when I have a perfectly good password manager?

If you are not using dedicated special-purpose email addresses with specific services, you're already grossly mismanaging your online safety.

Think about it for a second: how does your password manager help you if your email password gets leaked?

maccard3y ago

Thats a crazy level of risk assessment for an average user.

> how does your password manager help you if your email password gets leaked?

You still need my TOTP codes in my case at least, which conveniently are stored in my password manager. Is it perfectly secure? No, of course it's not, but frankly my risk profile isn't worrying about a targeted attack on me and my password manager, it's worrying about leaked shared credentials.

Side note, I also get a push notification on my phone whenever a new device logs on, so unless the attack is _extremely_ targeted, well timed and they know what they want, Its not a risk for me.

arinlen3y ago

> Thats a crazy level of risk assessment for an average user.

It really isn't. Think about it for a second: how hard is it to spot phishing attempts when they are sent to an email address you know for a fact you're not using with a service?

And how vulnerable are you to phishing if your special-purpose email address that you only use for one specific purpose receives zero spam?

To claim that the most basic and easy internet security precautions are at a "crazy level", first you need to somehow believe that no one is targeted by these schemes. But somehow there's a whole international industry that thrives on stuff like Western Union transfers. Why is that?

4 more replies

j / k navigate · click thread line to collapse