You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
During my participation in infrastructure maintenance of several online communities, one sentiment I hear frequently is that users don't want to remember additional usernames and passwords for every site they visit. An additional username/password pair is an additional mental burden, and a liability for the user.
It is also a liability for site owners. If the website is compromised (whether due to a vulnerability in hashover or elsewhere), attackers now have users' password hashes thanks to the site owner. As most people reuse passwords, the consequences will be unpleasant.
I'm not sure that a commenting system really needs to have user logins. Probably, most use cases of one can be satisfied by storing a private session cookie, which grants users the ability to edit and delete posts they made as long as that cookie lives. If one really wants, the remaining use cases are covered by sending an email to the user on their first post (or providing a way to send one whenever), which contains an URL that will log them back in instantly. Some discussion on HN.
Supporting both password and cookie-based auth could probably be done by hiding the password field and initializing it with a random string + enabling user auto-login.
The text was updated successfully, but these errors were encountered:
During my participation in infrastructure maintenance of several online communities, one sentiment I hear frequently is that users don't want to remember additional usernames and passwords for every site they visit. An additional username/password pair is an additional mental burden, and a liability for the user.
It is also a liability for site owners. If the website is compromised (whether due to a vulnerability in hashover or elsewhere), attackers now have users' password hashes thanks to the site owner. As most people reuse passwords, the consequences will be unpleasant.
I'm not sure that a commenting system really needs to have user logins. Probably, most use cases of one can be satisfied by storing a private session cookie, which grants users the ability to edit and delete posts they made as long as that cookie lives. If one really wants, the remaining use cases are covered by sending an email to the user on their first post (or providing a way to send one whenever), which contains an URL that will log them back in instantly. Some discussion on HN.
Supporting both password and cookie-based auth could probably be done by hiding the password field and initializing it with a random string + enabling user auto-login.
The text was updated successfully, but these errors were encountered: