Is it tho?
Show me the attack vector that makes this model dangerous.
Not inconvenient because somebody else messed with your high score or marked some of their tutorial videos as watched. But "oof, I have to call my bank", "I have to tell people that wasn't me", "let me make a photocopy of my ID so that I can prove it's me" dangerous.
The only reason it's less dangerous is their service isn't protecting or offering anything of value.
If they had no password at all, and anyone could log into anyone's account with just a username, you could still make the claim that their threat model was only, "that's inconvenient, someone messed with my account." Heck, if every third time you tried to log in, you were automatically logged in under another person's account, you could still make the argument that their threat model was low.
But that wouldn't mean their security policy was good.
Their decision not to store much data has nothing to do with the terrible way they are storing and managing the data that they do collect. They're arguing that hashing passwords would require them to store more sensitive information. That's like arguing, "I can't lock my door, because then I would need to put more valuables in my house." The two decisions aren't related.
Yeah, exactly, but for this particular use case the "token-based login" seems to be the best tradeoff between complexity and requirements.
They seem to have put the effort elsewhere, e.g. keeping their system devoid of billing and credit card info. Something a lot of shops that salt and do multi round scrypt hashing probably don't, because even though they do follow best practices, they don't actually think about security.
Would I have built it with hashing and automatic keygen on reset? Sure! But this thing seems good enough™.
Security isn't something where one solution fits all; otherwise everything that's low stakes like this (homework, guitar notes collection, my dog's homepage) gets the same security best practices as the high-stakes stuff (medical, financial, social).
I'd rather have this hacked together in PHP, but my bank run Idris code, and my kitchen robot run Haskell, than everything using Node with scrypt-hashed JWT.
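Two comments above make the same technical point from different directions: hashing a credential does not require storing more sensitive data, and a "token-based login" with automatic key generation on reset is cheap to do properly. The following is an added example, not code from the service under discussion or from any commenter. It assumes an in-memory dictionary as the user table (a constructed stand-in for whatever the service actually stores) and uses Python's standard-library `hashlib.scrypt` with salting: the server generates the login token, shows it to the user once, and keeps only a salt and a derived hash, so the stored record is strictly less sensitive than the plaintext token while the user experience is identical.

```python
import hashlib
import hmac
import secrets

# scrypt work factors for the demonstration (assumed values, tune for real use).
# n=2**14, r=8 costs about 16 MiB of memory per derivation.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
DUMMY_SALT = b"\x00" * 16  # used only to equalise timing for unknown users


def _derive(token: str, salt: bytes) -> bytes:
    """Salted scrypt derivation of a login token; 32-byte output."""
    return hashlib.scrypt(token.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)


def issue_login_token(db: dict, username: str) -> str:
    """Generate a fresh random token for `username`, store only its salt and
    scrypt hash, and return the plaintext token once so it can be shown to
    the user. Calling this again is the "automatic keygen on reset" case:
    the old record is replaced and the old token stops working."""
    token = secrets.token_urlsafe(24)   # 192 bits of randomness, URL-safe text
    salt = secrets.token_bytes(16)
    db[username] = {"salt": salt, "hash": _derive(token, salt)}
    return token


def verify_login(db: dict, username: str, presented: str) -> bool:
    """Check a presented token against the stored record in constant time."""
    record = db.get(username)
    if record is None:
        # Derive anyway so an unknown username costs the same as a wrong token.
        _derive(presented, DUMMY_SALT)
        return False
    return hmac.compare_digest(_derive(presented, record["salt"]), record["hash"])


def stored_fields(db: dict, username: str) -> set:
    """What the server actually keeps for a user: no plaintext token."""
    return set(db[username].keys())


if __name__ == "__main__":
    users = {}  # constructed in-memory user table
    first = issue_login_token(users, "alice")
    print("show to user once:", first)
    print("verify correct token:", verify_login(users, "alice", first))
    print("verify wrong token:", verify_login(users, "alice", first + "x"))
    second = issue_login_token(users, "alice")  # reset: new token, old one dies
    print("old token after reset:", verify_login(users, "alice", first))
    print("new token after reset:", verify_login(users, "alice", second))
    print("stored fields:", stored_fields(users, "alice"))
```

The record the server keeps is `{salt, hash}`; if that table leaks, the attacker gets nothing that logs anyone in, which is the whole difference between this and storing the generated password as-is. The only thing the service gives up is the ability to re-send the existing token, which it already says it does not do.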
The main weakness I see is that they're still showing the user the generated password. That means the user could reuse that generated password on another site. /s
I expect a followup thread:
"It is for this reason why we neither send you the password, nor ask for it during login."
I don't care if these tweets are real or just someone trolling. This is true art.