A while ago I shared a link to that old article about how someone hijacked the author's Twitter username, and one thing mentioned in the article was how the author was constantly getting bombarded with password reset e-mails. That kind of reinforces my opinion that Mastodon shouldn't allow login-by-username and should stick to login-by-email only.

If there's a MITM attack I'd rather that the attacker learns my username and password over them getting the mail account.

@ultem Good point. I can easily generate a strong new password, but leaking an email address is problematic. @Gargron

@Gargron I'm not sure how that helps? Keeping email addresses secret is kind of a security-by-obscurity thing, and there are plenty of countermeasures that can be taken to avoid someone getting deluged with password reset requests.

Also, it has absolutely stymied my attempts to make a kit that makes it really easy to add one-touch XMPP support that authenticates against Mastodon, which would be a really cool thing, but it HAS to be as seamless as possible or nobody will ever use it, and no admins will ever install it.
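The "plenty of countermeasures" against a flood of reset mails boil down to two things: throttle per account and per requesting client, and answer every request identically so the endpoint does not reveal whether an address has an account. The following is an added example written for this thread, not code from Mastodon or from any poster. The limits, the in-memory store and the sample account table are all assumptions made for illustration.

```ruby
# Added example (not Mastodon's code): throttled, uniform password-reset endpoint.
#
# Two independent budgets are kept in memory (a real deployment would use
# Redis or the database): one keyed by the account that would receive the
# mail, one keyed by the client address making the request.
class ResetThrottle
  # Assumed limits: 3 mails per account and 10 requests per client IP per hour.
  def initialize(per_account: 3, per_client: 10, window: 3600)
    @per_account = per_account
    @per_client  = per_client
    @window      = window
    @events = Hash.new { |h, k| h[k] = [] } # key => list of request timestamps
  end

  def allow_client?(ip, now)
    allow?("ip:#{ip}", @per_client, now)
  end

  def allow_account?(account_id, now)
    allow?("acct:#{account_id}", @per_account, now)
  end

  private

  # Sliding window: drop timestamps older than the window, then check the count.
  # Rejected requests are not recorded, so a flood cannot extend its own lockout.
  def allow?(key, limit, now)
    list = @events[key]
    list.reject! { |t| t <= now - @window }
    return false if list.size >= limit

    list << now
    true
  end
end

class ResetEndpoint
  # The same text (and, in a real app, the same HTTP status) for every outcome:
  # unknown address, throttled account, throttled client, or mail actually sent.
  RESPONSE = 'If an account exists for that address, a reset link has been sent.'.freeze

  attr_reader :sent

  # accounts: e-mail => account id (constructed sample data in the test below)
  def initialize(accounts, throttle: ResetThrottle.new)
    @accounts = accounts
    @throttle = throttle
    @sent = [] # [account_id, time] for each mail that would really be sent
  end

  def request_reset(email, client_ip, now: Time.now.to_i)
    email = email.to_s.strip.downcase
    # The client budget is charged whether or not the account exists, so a
    # flooder probing addresses burns it either way.
    if @throttle.allow_client?(client_ip, now)
      account_id = @accounts[email]
      if account_id && @throttle.allow_account?(account_id, now)
        @sent << [account_id, now] # real code: enqueue the mail job here
      end
    end
    RESPONSE
  end
end
```

Enqueueing the mail asynchronously matters as much as the uniform text: if the handler only does the expensive work for existing accounts, response timing leaks what the message hides.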

@Gargron I tend to agree with @anna
It's more of a punishment to those with 2fa and good password hygiene.

I'd certainly love full out smartcard key-pair challenge response.
But I'm not sure if the world is ready for that, and am absolutely certain those that reuse simple passwords are not :{

@dissy614 @Gargron Even those who aren't good at passwords and such, I think it hampers adoption of Mastodon. They remember their username, but not which email they signed up with, and go fuck off instead of logging in after they remember it's a thing a few weeks/months later.

Hell, it's really annoying WITH a password manager with test accounts and such, because I'll be hecked if I can remember what account testwitch23 or one of my several email addresses was assigned to.

@Gargron @anna

> I'd certainly love full out smartcard key-pair challenge response

That's already possible in modern browsers supporting WebAuthn:

@Gargron @anna There's e.g. which we recently integrated in a Rails app in my company. Works like a charm.
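What "smartcard key-pair challenge response" looks like on the wire, as an added example for this thread and not code from any poster's Rails app or from Mastodon: the server issues a fresh random challenge, the authenticator signs it together with the relying-party ID and a monotonic counter, and the server verifies the signature against the public key it stored at registration. The layout follows the WebAuthn assertion (authenticatorData = SHA-256(rpId) || flags || counter, signed together with SHA-256(clientDataJSON)), but the relying-party ID, origin and in-memory stores are assumptions, the authenticator is simulated in software, and RSA is used in place of the ES256 keys most security keys produce so the block runs on any Ruby OpenSSL version.

```ruby
# Added example (not Mastodon's code, not the webauthn gem): a minimal
# WebAuthn-style assertion exchange, verified on the server side.
require 'openssl'
require 'json'
require 'securerandom'
require 'digest'

RP_ID  = 'mastodon.example'.freeze         # assumed relying-party id
ORIGIN = 'https://mastodon.example'.freeze # assumed web origin

# Stands in for a smart card or security key: holds a private key that never
# leaves the device and a signature counter that only goes up.
class FakeAuthenticator
  attr_reader :public_key

  def initialize
    @key = OpenSSL::PKey::RSA.new(2048) # real keys are usually EC P-256 (ES256)
    @public_key = @key.public_key
    @counter = 0
  end

  # Produce an assertion over the client data the browser assembled.
  def get_assertion(rp_id, client_data_json)
    @counter += 1
    flags = [0x01].pack('C') # bit 0: user present (no user-verification bit in this toy)
    auth_data = Digest::SHA256.digest(rp_id) + flags + [@counter].pack('N')
    signed = auth_data + Digest::SHA256.digest(client_data_json)
    sig = @key.sign(OpenSSL::Digest.new('SHA256'), signed)
    { authenticator_data: auth_data, client_data_json: client_data_json, signature: sig }
  end
end

class Server
  def initialize
    @credentials = {} # user => { public_key:, counter: }
    @pending = {}     # user => outstanding challenge
  end

  def register(user, public_key)
    @credentials[user] = { public_key: public_key, counter: 0 }
  end

  # Step 1: hand the browser a single-use random challenge.
  def begin_login(user)
    @pending[user] = SecureRandom.urlsafe_base64(32)
  end

  # Step 2: verify the assertion. Every check is fail-closed.
  def finish_login(user, assertion)
    cred = @credentials[user]
    challenge = @pending.delete(user) # consumed even on failure: no replay
    return false unless cred && challenge

    client_data = JSON.parse(assertion[:client_data_json])
    return false unless client_data['type'] == 'webauthn.get'
    return false unless client_data['challenge'] == challenge
    return false unless client_data['origin'] == ORIGIN # phishing page fails here

    auth = assertion[:authenticator_data]
    return false unless auth.byteslice(0, 32) == Digest::SHA256.digest(RP_ID)
    return false unless (auth.getbyte(32) & 0x01) == 0x01

    counter = auth.byteslice(33, 4).unpack1('N')
    return false unless counter > cred[:counter] # cloned-key detection

    signed = auth + Digest::SHA256.digest(assertion[:client_data_json])
    ok = cred[:public_key].verify(OpenSSL::Digest.new('SHA256'), assertion[:signature], signed)
    return false unless ok

    cred[:counter] = counter
    true
  end
end

# The browser's part: wrap the challenge in clientDataJSON and ask the
# authenticator to sign. Returns [success, assertion] so callers can replay.
def demo_login(server, authenticator, user, origin: ORIGIN)
  challenge = server.begin_login(user)
  client_data_json = JSON.generate(type: 'webauthn.get', challenge: challenge, origin: origin)
  assertion = authenticator.get_assertion(RP_ID, client_data_json)
  [server.finish_login(user, assertion), assertion]
end
```

Nothing reusable crosses the wire: the challenge is random and single-use, the origin is bound into the signed data so a look-alike domain cannot relay a valid assertion, and the counter lets the server notice a cloned authenticator.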

@Gargron agreed

having to know the email associated with the account is still another factor of information, no matter how easy it may be to figure out or guess

@Gargron Hey, works great for me. No inconvenience I can see.

@Gargron login by username never made much sense to me because the username is just one more thing to remember. When a service insists I use a "login" of some sort instead of a email or phone number, I struggle to remember my username. Was it grishka? Or maybe grishka11 because grishka was taken? Or grishkaa? Or grishka93? And so on. I think I requested a password reset email on some services just so they include my username in that.

@grishka @Gargron But what's wrong with using a password manager? That solves a lot, if not all. Feel curious.

