this post was submitted on 13 Mar 2026
1157 points (98.2% liked)

Programmer Humor

[–] kandoh@reddthat.com 3 points 3 hours ago (1 children)

Very few things on the internet and computer actually need accounts. Everything requiring a login is a cancer.

[–] teaHead74@programming.dev 2 points 1 hour ago

Yes and no. In most cases it is used to limit misuse somewhat, but I absolutely agree that it's getting out of hand. God bless trashmails.

[–] sanbdra@lemmy.world 4 points 5 hours ago

Password manager users living life on easy mode.

[–] JasonDJ@lemmy.zip 20 points 8 hours ago* (last edited 8 hours ago)

And then...

The password manager can't fill the form. You've got to change your 10-word, unique passphrase because it's 3 months old. And you have to verify with a text.

Oh and then you have to type it in on your TV with a remote and on-screen keyboard.

[–] Routhinator@startrek.website 12 points 9 hours ago (1 children)

Magic link is lazy 2fa.

Implement TOTP support, you lazy fucks.

[–] moseschrute@lemmy.world 1 points 39 minutes ago

What’s the 2nd factor? Email and what else?

[–] brbposting@sh.itjust.works 5 points 8 hours ago

But you know what’s the safest way for us to keep your password safe? Not asking for one to begin with. By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure. The sign in link is going to your email, which presumably is protected with two-factor authentication, if you have it set up (which you should!).

https://www.404media.co/we-dont-want-your-password-3/

They had a follow-up later too (paywall)

[–] Korne127@lemmy.world 4 points 10 hours ago (4 children)

Magic link only is the worst kind of login system. However, I don’t know any big real companies that use this.
If you don’t like passwords, just use passkeys.

[–] ApertureUA@lemmy.today 6 points 9 hours ago

Slack (except when with SSO). You have to go out of your way to find the settings page outside of the client to set a password.

[–] lambalicious@lemmy.sdf.org 9 points 10 hours ago (2 children)

Weren't passkeys basically "passwords, but Google has control of them"?

[–] SirEDCaLot@lemmy.today 2 points 5 hours ago

Not even close.

Passkey is a generic technology not specific to any vendor. While there are a few versions of it, the long story short is it uses an encryption key you have to authenticate you rather than a password. This makes phishing extremely difficult if not impossible.

There's lots of passkey implementations. All the major browsers have one built in with their included password managers. Most good password managers like BitWarden or 1Password also support passkeys. And if you want to be extra secure, the passkey can be an actual hardware token like a YubiKey.

So yeah you see Google pushing passkeys a lot, and if you use Google password manager it will store your passkeys. But you also see Apple pushing it, and Microsoft also.

[–] nibbler@discuss.tchncs.de 7 points 9 hours ago (2 children)

Don't think so. From what I gathered, passkeys are a public/private key scheme, much like pubkey auth in SSH logins.

[–] BCsven@lemmy.ca 1 points 9 hours ago (2 children)

It's still just a single factor if somebody steals your private key.

[–] nibbler@discuss.tchncs.de 1 points 6 hours ago (1 children)

It's never transmitted, can be stored in HSMs. Anything that's handled wrong is unsafe.

[–] BCsven@lemmy.ca 1 points 5 hours ago

Steals it from your system I meant. Which has even happened to security pros.

[–] Gt5@lemmy.zip 2 points 8 hours ago (1 children)

Yes, but it’s not something that can be easily guessed or found on a Post-it on the monitor

[–] BCsven@lemmy.ca 1 points 6 hours ago

True dat. But if they compromise your computer the first thing they look for is key files.

Like my ssh keys are in a root permission file. Protected from general sight, but if somebody compromises my PC with a CVE on then goodbye keys.

At least with hardware key it is removable and requires a button press.

So accessing becomes physical access or quantum computer cracking

[–] tribut 3 points 10 hours ago

Booking.com (at least in Germany) only uses magic links for some time now. I hate it.

[–] resting_parrot@sh.itjust.works 1 points 10 hours ago

Home Depot does

[–] TheObviousSolution@lemmy.ca 4 points 13 hours ago* (last edited 13 hours ago) (6 children)

On the other end, there is an excessive use of 2FA with systems for whom the concept of SSO seems to be a foreign thing. It's also sort of funny that 2FA can just mean using a TOTP capable password manager, reverting it back to one factor.

[–] Fiery@lemmy.dbzer0.com 14 points 10 hours ago (2 children)

It's not actually reduced to one factor, just a single point of failure. If their password manager gets taken it's a problem, however the generated TOTP is worthless in 1 min. So this will protect the login from cases where the password is known like a compromised website or a reused password.

[–] TheObviousSolution@lemmy.ca 2 points 7 hours ago* (last edited 7 hours ago) (1 children)

If the site is compromised, then the hackers could have stolen the TOTP secrets as well as the passwords. How do you think the site verifies TOTP codes? If you reuse passwords while using a password manager, you are asking for it, though.

[–] Fiery@lemmy.dbzer0.com 1 points 7 hours ago* (last edited 7 hours ago) (1 children)

A full hack of every part of the service is not the only way a user's password could get known to an attacker. Could be MiTM, could be typo-squatted, etc

If a site is that compromised no measure of auth is gonna help, so little use worrying about it.

[–] TheObviousSolution@lemmy.ca 1 points 7 hours ago* (last edited 6 hours ago)

A lot of the technology you use to connect over VPNs or over the Internet already addresses MitM. If it's typo-squatted, you are sort of using password managers wrong. You do have the option of setting up TOTP elsewhere like on your phone authenticator so the point of failure isn't on your side, I just think it's sort of funny how easily you can make it be one.

[–] Coleslaw4145@lemmy.world 1 points 10 hours ago* (last edited 10 hours ago) (2 children)

But if a password manager is compromised then doesn't the attacker also get the TOTP key which is what generates the codes in the first place?

It wouldn't matter if it expires in one minute because they'll have the token to generate the next code, as well as now knowing the password.

[–] Fiery@lemmy.dbzer0.com 7 points 9 hours ago (1 children)

That makes it a single point of failure yes, and the rest of the comment you're replying to goes into detail on what it does protect from even if both passwd and TOTP are in the password manager

[–] Coleslaw4145@lemmy.world 3 points 9 hours ago

Sorry, I misunderstood what you were saying. I thought you were saying that if the password manager was compromised then the attackers would have only 1 minute to make use of the tokens before they change.

[–] JcbAzPx@lemmy.world 1 points 6 hours ago

That depends on the manager. Good ones won't have access to your stuff outside of an encrypted blob. Still, it's generally better to use a separate authenticator.
