Also, those stupid annoying modern log in pages where it just asks for your email, then refreshes to a page with a password, because the password managers are hit and miss on detecting the log in form when it does that shit and why the fuck are we doing an extra step page anyway????
And then...
The password manager can't fill the form. You've got to change your 10-word, unique passphrase because it's 3 months old. And you have to verify with a text.
Oh and then you have to type it in on your TV with a remote and on-screen keyboard.
Also you better hope you used the password manager for this obscure app you don't remember signing up with.
It used a different URL for sign in so isn't picked up by the password manager.
The password is too strong; it doesn't accept Ukrainian letters.
Does your granny have a password manager? She should, but would she understand how it works?
Also, this strange trend to split username and password onto two separate pages, or only showing the password field after confirming the username.
Not that strange. Different users may belong to different groups which may have different authentication backends. The associated authentication method is brought up once a username has been provided.
If your choice of API route directly affects your auth flow, something is very wrong.
I don't like it when I need to sign in twice for single sign-on. The email/username then tells the system if they need to be directed to another sign in page. Like Google or Microsoft. This then allows you access without having to give them your password.
You can do that as part of an OAuth workflow. You don’t need to have them on separate pages for that to happen.
And the auto-submitting TOTP entry form where you're apparently not allowed to make a typo. And obscuring the TOTP number like it's a password or state secret.
This is because of Enterprise Single Sign On. You can try this for yourself by going to https://gmail.com/ and enter the email of a public person at a large org, for example the CEO of Doordash (tony@doordash.com). After you enter the email, you get sent to Doordash's employee portal to authenticate. Based on the email you provide, Gmail has to figure out if you need to provide a password to gmail itself or if the email authenticates another way.
Magic link is lazy 2fa.
Implement TOTP support, you lazy fucks.
What’s the 2nd factor? Email and what else?
Email is considered insecure as a 2nd factor. TOTP stands for Time-based One-Time Password. Usually you store a seed and that combined with the time generates a time based password. If someone intercepts it, it's only valid for a certain time frame (I think about a minute or so), after which it's invalid.
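A worked version of the TOTP construction described in the comment above: an HOTP code (RFC 4226, HMAC-SHA1 over a counter) where the counter is derived from the current time (RFC 6238). This is an added example, not code from the thread. It assumes the usual defaults (HMAC-SHA1, 30-second step, 6 digits), uses the 20-byte test secret published in RFC 4226/6238 as a constructed seed, and the one-step verification window on the server side is this example's own choice.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test seed: the ASCII secret "12345678901234567890" from RFC 4226/6238,
# base32-encoded the way authenticator apps receive it in an otpauth:// URI.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def seed_from_base32(encoded: str) -> bytes:
    """Decode a base32 seed as shown in a QR/otpauth URI (case and padding tolerant)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


DEMO_SEED = seed_from_base32(DEMO_SEED_B32)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(seed, int(at // step), digits)


def verify_totp(seed: bytes, candidate: str, at: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` neighbours to
    tolerate clock drift, rejects malformed input, and compares in constant time."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = int(at // step)
    ok = False
    for delta in range(-window, window + 1):
        # Evaluate every step in the window so timing does not reveal which one matched.
        if hmac.compare_digest(hotp(seed, counter + delta, digits), candidate):
            ok = True
    return ok


def seconds_remaining(at: float, step: int = 30) -> int:
    """How long the code displayed at time `at` stays the current one."""
    return step - int(at % step)


if __name__ == "__main__":
    now = time.time()
    print("current code:", totp(DEMO_SEED, now),
          "valid for another", seconds_remaining(now), "s")
```

The window is why a code does not die the instant the 30-second step rolls over: the server usually accepts the previous and next step too, so an intercepted code is good for roughly a minute at most. A real deployment should also remember the last counter accepted for a user and refuse to accept it twice, since an attacker who phishes a code can otherwise replay it inside that window.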
Just to add, SMS is also incredibly insecure as a 2FA
Arguably less secure than email.
Yes but email is only a second factor when used in addition to a first factor (e.g. password). If it’s just magic link without password, then email is the only factor
The best I've seen was yesterday where a website had the log-in button greyed out after the password manager filled my creds in.
So I had to manually click both the email and password field. Just click them. Then it enabled the log-in button.
So someone took their time to write a piece of JS that said "If the user hasn't focused both fields at least once, no login". Literally why? Extra code that does nothing useful.
I was hoping passkeys would be the solution to this madness, but it seems to me the entire spec gives too much power to the OS makers and too little to the users because "mUh AtTtEsTatIoN", so now I don't know anymore.
I've definitely run into that. Even more frustrating is when there was one particular site that forced me to actually delete the last character of my password and then retype it. Just focusing in the field wasn't enough, I had to actually send it a keystroke. And Ctrl-V to paste the password in manually didn't count. I suppose typing a random character at the end and then deleting it would have worked too.
When ctrl+v is disabled to "prevent brute force bots" or something ridiculous
My utilities website doesn't let you log in if the password field is autofilled by the browser. Whatever Angular-based form validation they are using doesn't play nice with Firefox's saved password feature. You have to manually type something in the password field, so I always add and remove a space from the password.
I sent an email to their support, hoping they would fix it, but they just responded saying that they can't reproduce it.
Well, I can reproduce it. I even told you how. That sounds like a skill issue.
Very few things on the internet and computer actually need accounts. Everything requiring a login is a cancer.
Yes and no. In most cases it is used to limit misuse somewhat, but I absolutely agree that it's getting out of hand. God bless trashmails.
Or worse:
Use email link -> use password instead
Enter password
Now enter the code that we sent to your email...
2 factor authentication, only when you feel like it.
They might as well be piping the password to /dev/null
Password manager users living life on easy mode.
HEY BUT DO YOU WANT TO USE A PASSCODE?? PASSCODE! PASSCODE! USE THE PASSCODE! -_-
But you know what’s the safest way for us to keep your password safe? Not asking for one to begin with. By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure. The sign in link is going to your email, which presumably is protected with two-factor authentication, if you have it set up (which you should!).
https://www.404media.co/we-dont-want-your-password-3/
They had a follow up later too (paywall)
God I hate those stupid magic links. They're WAAAAYYY slower than just using my password manager.
AND they kinda contribute to locking you into Big Tech. I sometimes have problems with those stupid links because I don't have a Gmail account. Somewhere along the stupid chain there's probably some stupid check that delays or blackholes emails to non-big-tech domains.
Based.
Email is terrible. It's an unreliable communication system. You cannot depend on sent emails arriving in the recipient's mailbox—even the spam folder.
People incorrectly assume that all emails at least get to their spam folder. They don't. There are multiple levels of filters that prevent most emails from ever making it that far because most email traffic is bots blasting phishing links, scams, and spam. Nobody wants phishing and scam emails, but the blocks that prevent those are being used by big tech to justify discriminating against small mail servers.
I can't remember the site, now, but I literally couldn't log into one this week because the email never arrived.
Ah but you see it's one factor of authentication that also conveniently loops in whichever email provider is spying on you
As an autistic person I felt this in my bones. I cannot STAND email based authentication.
Just let me use passkeys at this point. The way that people typically use passwords is less secure anyway, why not just make it as simple as possible?