A lingering farewell to the username (slack.com)
93 points by jchavannes on Sept 15, 2017 | 92 comments



Slack's authentication flow is the dumbest I've ever had the misfortune of using. I'm a member of multiple Slack organizations, and it needs one login per organization. I can't just have a single email address and join whatever org I want, I have to remember which email address I used for each one, otherwise I can't log in!

I have multiple email addresses and don't use a specific one every time, so I have managed to lock myself out of many orgs because I just can't remember which email address I used.

If you click the "forgot my email" link, they go "have you forgotten which email address you used to log in to which org? Just tell us your email address and we'll tell you which orgs it's logged in to", which is exactly the opposite of what I want!

It's such a clusterfuck that I just avoid joining new orgs nowadays because I know I'll never be able to log in again.


Have you tried using a password manager?

The one I'm using has the capability to store multiple logins for the same site with easily searchable notes (i.e. displayed in a pop-up when on the site).

For some sites I have like 20 sets of credentials and I never had a problem with keeping up with them.


Password managers don't help when you need to log in to a computer you don't own, e.g. a public computer at a library or office. Using password managers just makes it easier to lock yourself out when you need access most.


You've got web interfaces and mobile apps. I use 1password and don't have this problem.


I have no interest in logging into a password manager web interface on a public PC. (But that's just me.)


You don't. You pull up your password on your phone and type it in manually onto the computer.


> You pull up your password on your phone and type it in manually onto the computer.

Sounds like someone isn't using a 100-character randomly generated password.


With mixed-case letters and digits, all you need are 22 characters.

A 128-bit security margin is considered good enough currently; a 62-character alphabet (26 lowercase, 26 uppercase, 10 digits) provides 5.95 potential bits of entropy per character; thus a 21.50-character password would provide 128 bits. You can't have a fractional character, so … 22 characters.

Typing 'tgcSq08O2fEZ5hcZk3Gvgk' in from a screen is easy enough, although not something I'd want to do every day.


Maybe try InputStick then?

Though I think 100 random characters is well beyond the point where you're no longer significantly increasing security by adding more characters. You can easily get 130+ bits of entropy with only 20 characters, and even for a ridiculously weak hashing algorithm like MD4 that'd be enough to withstand the entire combined strength of the Bitcoin mining network attacking your password for well over a billion years.


This is the solution I've come up with as well. It's saved a lot of frustration already, which builds up quickly when you have to retype even a 16 - 20 character random password over and over again in a short period of time. I only wish for a better iOS experience and direct integration with 1Password. Oh, and a way to prevent random connections from having keyboard access if I were to forget to unplug.


> a way to prevent random connections from having keyboard access if I were to forget to unplug

Pretty sure that already exists, at least on Android. InputStick lets you set up a pre-shared AES Key and pairing PIN that you need in order to connect to the device.


Parent poster said "web interfaces"


Thanks to 2FA, I don't have a huge concern logging into a password manager on a public PC.


Perhaps I'm overly paranoid. A public PC could be infected with god-knows-what malware that siphons off whatever text is entered or rendered in a page or on the screen.


I'm the same way; if I open my manager on a public PC, for all I know every single password I have is compromised.


I wonder if there's another way to solve this problem. For example, a plug-in that would store cookies as opposed to passwords - and then "populate" a new session with existing cookies to log you in transparently.


That sounds like a security nightmare...

Talking from experience: some sites also map the cookie to a browser ID, making a migration useless. It just causes your session to get invalidated.

You can test this yourself because it's pretty easy to 'import' cookies between browsers on the same PC. Or it was the last time I tried it.


More of a security nightmare than passwords? Maybe, though I can't see why...

Anyways, yeah I thought about binding auth cookies to some kind of persistent hash, although I'm not sure what it could be... IPs change (laptops moving), so do user agents (browser upgrades)... I guess I'll need to test this!


I do use one, which is the only thing that helps. I think my Slack fear was because a few Slack credentials weren't added when I signed up, so now I'm just afraid of Slack.

Password managers do salvage this particular trainwreck, but it's still a wreck.


Many email systems support username variants. If you have "username@gmail.com", you can do:

    username+organization@gmail.com
as your slack login. I do this all of the time.

Why remember things when you can have a formula to determine which username to use?


Most of the time when I try that, the site's form validation complains that + is not a valid character. Very annoying. I think most of the time it's due to an over-specific whitelist, and sometimes it's due to url-escaping turning + into a space. Or maybe there's a regex and someone doesn't know how to escape literal + characters.
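
The two failure modes guessed at in the comment above can be reproduced offline. This is an added example, not part of the thread or of any site's real code; the two validation patterns and the `submit` helper are hypothetical stand-ins.

```python
import re
from urllib.parse import parse_qs, urlencode

ADDRESS = "username+organization@gmail.com"  # the form quoted in the thread

# Hypothetical over-specific whitelist: "+" is missing from the local part.
STRICT = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Same pattern with "+" allowed (inside a character class it needs no escape).
TOLERANT = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def submit(address, encode=True):
    """Simulate a client posting the address; return what the server decodes.

    encode=False models a client that concatenates the raw value into the
    body, so the server's form decoder reads "+" as an encoded space.
    """
    body = urlencode({"email": address}) if encode else "email=" + address
    return decode_form(body)["email"]


def diagnose(address):
    """Report which stage of a signup form would reject a plus-address."""
    raw = submit(address, encode=False)
    return {
        "rejected_by_strict_whitelist": STRICT.match(address) is None,
        "accepted_by_tolerant_pattern": TOLERANT.match(address) is not None,
        "survives_proper_encoding": submit(address) == address,
        "value_after_unencoded_post": raw,
        "unencoded_value_still_valid": TOLERANT.match(raw) is not None,
    }


if __name__ == "__main__":
    for key, value in diagnose(ADDRESS).items():
        print(f"{key}: {value!r}")
```

Even a validator that accepts "+" rejects the address when the client skipped percent-encoding, because the server never sees the "+" at all.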


Yeah, I had that problem with some US govt website when applying for ESTA. I have since fixed the problem: my email is *@roblab.la, and I just put whatever the org's name as the username part of my email. So far it has worked basically everywhere, except on aliexpress, where they disallow aliexpress@EMAIL_DOMAIN. Probably to avoid people posing as staff >_>'.


I tried that too 15 years ago, but had to stop after a year. It turns out many spammers send mails to random usernames.


So far spam hasn't been a problem (I get none). I have spamassassin set up, but it doesn't filter anything for now, just scores stuff. If it ever gets to the point where I get too much spam, I'll probably start to filter it.


I use 33mail for countering spam, and I recently switched to my own domain. So I might do organization@33mail.com, or slack@33mail.com, or organization@mydomain.com, or slack@mydomain.com, and it's a huge hassle to be trying all these combinations.


That does sound pretty annoying, but it seems the simple solution from your end is to have a system for how you generate logins.


I think the point is that he's avoiding the product rather than change his process, and that he's hardly the only one.


Does he avoid banks, too?

I don't really see how his scatter-brained approach to login management is any less of a problem there, or on literally any other system that uses an email as a username or a password recovery mechanism.


I'm all for using a password manager. I also think it's not user-friendly for a single application to force one to use multiple email addresses. It's unnecessarily confusing and annoying.


Slack doesn't require you to use multiple email addresses. I log into most of my slack teams with a single email address - to log into Slack, you need a unique (slack domain + email address) combination, not a unique email address.


I think most people would avoid banks if they had the option. Slack is not something that came along thanks to the Federal Reserve Act in 1913


"irc is dumb! every server requires a different nick, wth?"


Of course irc doesn't, though your preferred one might not be available everywhere. But also, irc is dying a slow death in terms of user base - it's not exactly a good basis for making decisions about how to keep/attract users.


"IRC is just multiplayer notepad"


I am in a number of different slack orgs. With one email address, I join whatever org I want.

> I have multiple email addresses and don't use a specific one every time... I just can't remember which email address I [use]

I think I see the problem. I'm not sure how this approach allows you to function on the internet at all.


I have had a personal email, two school emails (undergrad + grad), and three work emails (internships). Most of the Slack orgs I'm a part of restrict access to emails from a specific domain (@university.edu, @company.com), so each account is associated with at least one Slack org. It's a mess, and it's because of poor design by Slack. I should have a "master" Slack account where I can list all the email addresses that I own, giving me access to all the associated orgs.


That's great as long as whoever is inviting you doesn't have password requirements (aka no gmail etc...) which some of them do.

For example I have three slack channels: 1. Our Company 2. 500 Startups 3. The information

Each had different requirements so they all needed a different handle - even if I was using the same email.

It should be Single Sign On.


When this started rolling out it caused havoc for us. Without any warning that this was happening half of the people in our org got their display_name set to their full name, and the other half got their handle. For no apparent reason.

Within the technology parts of our org everyone knows each other by handle, and we still let people pick their own handle when they join. It's even pretty common to only know people by handle and not their real/full name. Monday morning and all of a sudden you can't ping a colleague anymore by @username, you have no idea why and now you need to know or find out what their first name is. Eventually that got fixed for everyone but it made Monday worse than usual.

I'm also not sure how this is going to interact with Enterprise Grid though. Since display names aren't unique you can get two people in a channel with the same display name. So if you now ping @John The Ripper, does it bug both, does it not go anywhere?


Some more security minded folks may have noticed that the first revision of this "feature" allowed 'slackbot' as a display name, as well as changing the icon to match.

Thankfully they've fixed that now but yeesh.


See https://get.slack.help/hc/en-us/articles/205240127-mention-a... for a description of the UI for atting a duplicate display name.


I think I like the way HipChat does it better. @ing is supposed to be quick; if you have to click on a dialog every time you want to message someone that's going to slow you down. HipChat just doesn't allow duplicate display names.


If I read this correctly, the "Enterprise Grid" section hints at one technical reason for this move. Slack recently announced[0] a new feature that allows multiple teams, err "Workspaces", to share a channel. This violates the uniqueness of @usernames within the namespace of the shared channel, e.g. both teams having a "@john".

This announcement anticipates (a) getting developers to use surrogate UIDs instead of @username for mentions, and (b) that their clients will only use display names in the future and rely on specific UI elements to distinguish ambiguous ones.

[0] https://medium.com/slack-developer-blog/network-effects-gett...


I think they're missing the point, Twitter got the display name / username dichotomy right:

Display Name: what everyone sees next to your username, no guarantees that you don't change it every 5 minutes though...

username: something short you choose and change rarely, can be cool, memorable, fun, and quite creative, always unique

[Real Name: who cares, often necessary for work tools even though email ought to be enough]


Twitter has some problems too. People do change their username, and every time they do, all previous tweets mentioning them by @username lead to dead ends.


If they do (I haven't verified if you're right) then that's an implementation issue. Twitter's API returns rich information about every mention that shows they very well could store an association to the internal user id if they want to.

But it may very well be for good reason. E.g. let's say an account is taken over by someone who changes the account into something suitably offensive after obtaining a lot of mentions. It would seem that treating a change as basically "this is a new account now" is the safest alternative in some respects.


Just match the mentions to an ID instead of something that's not static.


In general the idea of a username is slowly being killed off across the web. In the 90s when I got my first computer few would have been "crazy" enough to use their real name. The anonymity of the web back then was so much fun. Google and Facebook really started to kill that off and nowadays most sites just use an email address for a login if they are not already using your Gmail or Facebook for auth.

Long live the username on hacker news.


Requiring comments be attached to a real identity invariably does the exact opposite of what it intends to and lowers the quality of commentary. Sure, some people use the cloak of anonymity to perpetrate abuse, misinformation or low-effort participation, but the alternative has a chilling effect on potentially thoughtful commenters who don’t want to become targets.

It doesn’t really get rid of the anonymous abuse or disinformation either, because there are plenty of bots using fake social network identities out there.

The real people that do remain invariably put about as much thought into their contributions as they do into the long-term consequences of associating those comments with their real identity, or are simply so angry or strident that they don’t care.

Without real identities I would encounter islands of reason adrift in a sea of inanity. With real identities, I tend to see the loud and ignorant shouting at (or alongside) bots.


> potentially thoughtful commenters who don’t want to become targets

I almost never discuss politics, philosophy, important personal subjects or really anything of substance on Facebook. It's become purely for staking a tether to a few hundred key individuals I want to keep track of but don't need/want to talk to more than very rarely. Most of these contacts are not close friends or people I see any point in arguing with (especially after seeing the content of the most prolific posters).

Do you remember when Google actually encouraged people to use anonymous user names? [What a 180 they did!] This was the default, established early on, for good reason. It is a true democratizer, casting aside all to distinguish anyone but their words and/or choice of posts. With one stroke, it eliminates racism, sexism, ableism, name recognition bias, fashion snobbery and all other means of discrimination by appearance or public life. It also raises the bar for one to be taken seriously, as anything you say can be fact-checked immediately.

The cult of personality infecting user representation on the internet has been a tragedy to watch unfold. People would rather copy and paste words (usually out of context) from someone on a pedestal to glorify or vilify than take the extra step of vetting or responding meaningfully to what they say. I guess I should have expected it, but it's still hard not to be disappointed.

TL;DR edit-- I meandered a bit, sorry. My point is that user anonymity results in a more level playing field for discourse. Certain discussions of substance benefit greatly from this. In the world of real names, ad hominem attacks or hero worship all too easily derail productive debate. This can happen in anonymous forums as well, but from my experience it's much better corrected for in those places.


I have no idea what the product manager was thinking here... Can someone elaborate why this "feature" - which implies potentially a lot of confusion - benefits most users?


So I think it’s because they’re introducing shared channels between multiple teams/workspaces. As a result usernames can clash.


I can't help but notice that slack is starting to get "enterprise" (threaded comments, this username thingy, ... ). They seem to be introducing a lot of complexity for all of the users, while only some of them would benefit from these new features. I'm hoping that they start realizing this, and keep simple chat the default, while allowing you to opt-in for all these "handy" features...


At least the client is lightweight, using hardly any memory, disk, or CPU.


I just about fell out of my chair just now from laughing. Thanks. Now people are staring at me.


Jokes are for Reddit, not HN.


If you think a comment is not constructive, off-topic or otherwise inappropriate flag it and don't reply [0].

I see no issue raising a genuine concern with Slack's desktop app, which is incredibly bloated – be it in a joke rather than a long-form comment.

[0] https://news.ycombinator.com/newsguidelines.html


Well, enterprise is what pays their bills so it seems normal to cater to that population.


Wow, "it's more convenient for us to scrap usernames rather than re-think our system" ... I love you Slack, and I also don't understand how you are where you are.


They got tired of being compared to IRC, so they got rid of usernames/handles.


The best solution for the name collision problem that I've seen so far is used by Discord and Battle.net, both in the gaming space where username is often much more prominent than the real name.

You can set your username to whatever you want (e.g. "jakebasile"). You then get a randomly assigned four digit number appended to the end (e.g. #5024). To add someone as a friend, you need the full username#0000, but thereafter it is not needed. To mention someone in a chat (in Discord) you type @ and then start typing - it will match on either the user name or display name, but only complete the user name. The key is that when you actually send the message it will show that user's display name in chat and notify them as you'd expect. Display names in discord can be overridden at the server level and in Battle.net games there is the concept of Real ID instead which you can choose to share your real name on a per person basis.

In both of these situations you are only using one account and one username across either multiple games or multiple servers. This avoids having to use many different accounts within the same application which is one of my primary gripes with Slack.


So, they're making things more annoying for most uses I have for Slack, without providing any benefits for the uses I have for Slack (I get that it may provide some benefit for others).

Sounds like it's time to say a lingering farewell to Slack.


One e-mail linked to: many organizations and many channels, each with your own customizable display name. I think that's the ideal, is this where they're going with it?


If so, it does not at all fit my use cases for Slack.

1. Like with LinkedIn I need to be able to use multiple e-mail addresses, but the current system of having to log in separately to each account is a mess.

2. I want to be able to quickly mention people based on a username without having to go via a disruptive dialog box. Not least because I want to be able to mention people outside Slack and have integrations find the right person.

Display names are nice as an addition, but not as a replacement.


That is the most verbose and confusing post about a seemingly simple change I've ever read.

"What's changing? Everything and nothing is changing" really doesn't help.


I read about halfway through it and then came to the Hacker News comments to figure out if someone had decoded it.


Sad to see this go... We use @username from external systems that feed into Slack. For example, putting a comment on a Zendesk ticket using @username alerts a person who would normally never pop into Zendesk to have a look.


That's a really cool feature! We could really use that!


If you're feeding Slack with Zendesk now, try putting an internal comment on a ticket with the @. Oh, and since Zendesk forced everyone to the rich-text client you need to escape out of the automatic name selection dropdown or it will show up in Slack as @username which does not trigger the mention.


I don't fully understand what's changing: Slack always had the option to set a "real" name. Is it simply going to transparently translate the name token within messages to whatever preferred representation an organization chooses? If so, why is this being presented as "the death of the username"? Or is it more complicated than this? (Perhaps an accommodation to integrate with existing directory systems in larger corporate environments?)

Does Slack feel like having usernames somewhat visible and end-user facing makes the product "too nerdy" for a general audience?


What the heck? This is the stupidest move I've ever seen from Slack. Combine this with a lack of using floating windows (like Messenger on Android) and it's clear that the company is run by operations and sales --- not product. There is clear space to move in on Slack's territory.


>Combine this with a lack of using floating windows

Floating windows? As if they are supposed to be good stuff?

Floating windows and MDI UIs have been phased out in most OSes, apps and GUI toolkits in the last decades in favor of far more stable and intuitive docked sidebars and toolbars.

Edit: Is what I wrote inaccurate? Or it's just fans of floating windows voting this down?


I didn't get it...

So how do I mention someone now? I still have to type @ for autocomplete, and even if I type the real name [return] completes to @username...


Not only are they phasing out @username, they are removing the very simple /msg username – I now must type /msg @username and hit enter twice to initiate a DM. It's annoying.


On Mac if you hit CMD+T you can just start typing a username (or channel name) and as soon as it's selected, hit enter once. That's how I navigate around Slack.


Yeah, I never got into that method, I guess I'm stuck on my IRC muscle memory. CMD+T is new tab, not search! :P


CMD+K works as well. For me it is better since that is the shortcut I use for quick open in QtCreator


Dumb move. YouTube did this and it sucked.


They also removed your username/display name from your default highlight strings. We often just use names with no @, and this week we noticed that other people were no longer getting pinged for those. Now you have to go to your preferences and explicitly add your display name to the list of strings you want to be notified about.


They'll apologize and put it back in 2 months or so.


I don't understand what they mean by "Unfortunately, an undocumented approach to mentioning users — <@username> — no longer functions. Please reference with the user ID format (<@U123>) instead".

Surely they're not saying slack users need to manually type opaque numeric identifiers to properly mention other users? That would be ridiculous.


If it works the way Discord does it, you can @ a display name and it converts it for you automatically on the tab / auto completion.


That’s the format a bot uses to mention a user. But, yeah, the wording is confusing.


Ah I see. Yeah, still not a fan. As someone else mentioned in the thread, some bots are mainly integration, shuffle content from one system to another. This will break mentions in IRC gateways for instance, no? Or, something Slack might care more about, make it a lot harder to have a mention in a ticketing or project management system trigger a mention in a Slack message.


Yeah it’s definitely a pain. I support a bot that we use for devops and I’m already going through and doing a search/replace op in our commit messages that get posted into slack.

Seems like this is a classic ‘push the work downhill’ thing they’ve done that just costs all the devs who write slack apps.
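
A sketch of the search/replace migration discussed in the comments above, added here as an example; it is not code from the thread or from Slack. The lookup table and its IDs are constructed, and the handle syntax (lowercase, as opposed to the `<@U123>` ID form quoted from the announcement) is an assumption.

```python
import re

# Constructed lookup table (legacy handle -> user ID). The IDs are made up;
# a real table would be exported once from the workspace's member list.
HANDLE_TO_ID = {
    "alice": "U0000AAA1",
    "bob.smith": "U0000BBB2",
}

# Assumption: legacy handles are lowercase, so an ID such as U123 never
# matches and already-migrated mentions pass through untouched.
_HANDLE = r"[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?"
_MENTION = re.compile(
    r"<@(?P<bracketed>" + _HANDLE + r")>"              # old <@username> form
    + r"|(?<![\w.<@])@(?P<bare>" + _HANDLE + r")\b"    # bare @username, not an e-mail
)


def migrate_mentions(text, directory=HANDLE_TO_ID):
    """Rewrite handle mentions to the <@ID> form.

    Returns (rewritten_text, unresolved_handles). Unknown handles are
    reported and left exactly as written: display names are not unique,
    so guessing could notify the wrong person.
    """
    unresolved = []

    def _sub(match):
        handle = match.group("bracketed") or match.group("bare")
        user_id = directory.get(handle)
        if user_id is None:
            if handle not in unresolved:
                unresolved.append(handle)
            return match.group(0)
        return f"<@{user_id}>"

    return _MENTION.sub(_sub, text), unresolved


# Constructed commit message covering each case.
SAMPLE = (
    "Deploy fixed by <@alice>, cc @bob.smith. "
    "Ping <@U123> or ops@example.com; ask @carol"
)

if __name__ == "__main__":
    rewritten, missing = migrate_mentions(SAMPLE)
    print(rewritten)
    print("unresolved:", missing)
```

Running the rewrite where the message is posted, rather than editing stored commit messages, keeps the original text intact and lets the unresolved list be logged for follow-up.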


So how is it gonna work now if I use irc gateway?


This is the most confusing thing I've read in a long time. Coming from Slack, that's kinda surprising and feels out of character.


This change is bad.


Please, make it possible to directly report or ban automated DM messages from bots/apps.


Why is this HN material? It's a Slack customer advisory.


From a product perspective, it seems like a big decision and discussion about it may be insightful to those building other products.

From an engineering perspective, those who have Slack API integrations may be affected.


Some (many?) slack bots will need to be updated.


It reads like a developer advisory, actually.



