this post was submitted on 13 Mar 2026
425 points (98.4% liked)

Programmer Humor

30322 readers
3210 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
anzo@programming.dev
Feyter@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
425
I love password based login (lemmy.world)
submitted 4 hours ago by bdjegifjdvw@lemmy.world to c/programmer_humor@programming.dev
64 comments fedilink hide all child comments
 
top 50 comments
sorted by: hot top controversial new old
[–] killabeezio@lemmy.world 1 points 4 minutes ago

There are a few reasons for this.

  1. Conversion rates are higher and the majority tend to prefer these over passwords
  2. When you have to reset a password, you typically have to send an email anyway.
  3. It's technically safer because they are short lived tokens and if someone's password gets compromised, their token cannot.

It's not a perfect system by any means, but it's better than the shit implementation of passkeys and it's generally better than passwords for most users.

I prefer passwords over links and codes, but I get it.

[–] criticon@lemmy.ca 19 points 1 hour ago (1 children)

Or worse:

Use email link -> use password instead

Enter password

Now enter the code that we sent you your email...

[–] ulterno@programming.dev 7 points 1 hour ago* (last edited 1 hour ago)

2 factor authentication, only when you feel like it.

They might as well be piping the password to /dev/null

[–] LiveLM@lemmy.zip 43 points 2 hours ago* (last edited 2 hours ago) (3 children)

The best I've seen was yesterday where a website had the log-in button greyed out after the password manager filled my creds in.
So I had to manually click both the email and password field. Just click them. Then it enabled the log-in button.
So someone took their time to write a piece of JS that said "If the user hasn't focused both fields at least once, no login". Literally why? Extra code that does nothing useful.

I was hoping passkeys would be the solution to this madness, but it seems to me the entire spec gives too much power to the OS Makers and too little to the users because "mUh AtTtEsTatIoN" so now I don't know anymore

[–] TheSeveralJourneysOfReemus@lemmy.world 1 points 19 minutes ago

the user must be a human, so i imagine that being the rationale.

[–] Gumbyyy@lemmy.world 13 points 1 hour ago (2 children)

I've definitely run into that. Even more frustrating is when there was one particular site that forced me to actually delete the last character of my password and then retype it. Just focusing in the field wasn't enough, I had to actually send it a keystroke. And Ctrl-V to paste the password in manually didn't count. I suppose typing a random character at the end and then deleting it would have worked too.

[–] towerful@programming.dev 2 points 30 minutes ago

When ctrl+v is disabled to "prevent brute force bots" or something ridiculous

[–] Jessica@discuss.tchncs.de 3 points 1 hour ago

I used to have this problem with the payroll website ADP! So cursed

[–] spizzat2@lemmy.zip 8 points 1 hour ago

My utitlies website doesn't let you login if the password field is autofilled by the browser. Whatever Angular-based form validation they are using doesn't play nice with Firefox's saved password feature. You have to manually type something in the password field, so I always add and remove a space from the password.

I sent an email to their support, hoping they would fix it, but they just responded saying that they can't reproduce it.

Well, I can reproduce it. I even told you how. That sounds like a skill issue.

[–] paequ2@lemmy.today 25 points 2 hours ago (1 children)

God I hate those stupid magic links. They're WAAAAYYY slower than just using my password manager.

AND they kinda contribute to locking you into Big Tech. I sometimes have problems with those stupid links because I don't have a Gmail account. Somewhere along the stupid chain there's probably some stupid check that delays or blackholes emails to non-big-tech domains.

[–] definitemaybe@lemmy.ca 3 points 2 hours ago (1 children)

Based.

Email is terrible. It's an unreliable communication system. You cannot depend on sent emails arriving in the recipient's mailbox—even the spam folder.

People indirectly assume that all emails at least get to their spam folder. They don't. There are multiple levels of filters that prevent most emails from ever making it that far because most email traffic is bots blasting phishing links, scams, and spam. Nobody wants phishing and scam emails, but the blocks that prevent those are being used by big tech to justify discriminating against small mail servers.

I can't remember the site, now, but I literally couldn't log into one this week because the email never arrived.

[–] balsoft@lemmy.ml 1 points 59 minutes ago

I can’t remember the site, now, but I literally couldn’t log into one this week because the email never arrived.

Well, email allows you to solve that issue by self-hosting. But what you can't solve is that if you do self-host, gmail will drop your emails to spam or just discard them completely, just because it feels like it, even if you do the whole dance with DMARC and have used the domain for a good few years. It's frustrating as shit.

[–] maniclucky@lemmy.world 3 points 1 hour ago

Worst one I've seen: username and password plus a 2FA email, BUT if you hit enter instead of clicking the last button it refreshes the page.

[–] MaggiWuerze@feddit.org 122 points 4 hours ago (5 children)

Also This strange trend to split username and password on to two separate pages, or only showing the password field after confirming the username

[–] bobo@lemmy.ml 20 points 3 hours ago (1 children)
  1. Username
  2. Password
  3. MFA
  4. Do the whole process all over again because the remember this device is on step 2 and it's impossible to go back

Bonus stage 0: special login URL decided to crap out, and going back to any point in history automatically redirects to the error page that you can't use to log in, so you need to keep going back and trying to copy the URL before it redirects becausw Firefox interprets pressing "stop" as "do whatever you want idk"

Fucking aws...

[–] Sabata11792@ani.social 6 points 2 hours ago

You forgot step 2.5: incorrectly identifying stoplights 6 times in a row.

[–] neidu3@sh.itjust.works 45 points 4 hours ago* (last edited 4 hours ago) (3 children)

Not that strange. Different users may belong to different groups which may have different authentication backends. The associated authentication method is brought up once a username has been provided.

[–] lime@feddit.nu 18 points 3 hours ago

if your choice of api route directly affects your auth flow something is very wrong.

[–] atomicbocks@sh.itjust.works 4 points 2 hours ago

You can do that as part of an OAuth workflow. You don’t need to have them on separate pages for that to happen.

[–] paraphrand@lemmy.world 3 points 2 hours ago

Yes, but, it also lets them slurp up email addresses. Routing users is legit tho.

[–] IcedRaktajino@startrek.website 30 points 4 hours ago* (last edited 4 hours ago)

And the auto-submitting TOTP entry form where you're apparently not allowed to make a typo. And obscuring the TOTP number like it's a password or state secret.

[–] bamboo@lemmy.blahaj.zone 20 points 4 hours ago (1 children)

This is because of Enterprise Single Sign On. You can try this for yourself by going to https://gmail.com/ and enter the email of a public person at a large org, for example the CEO of Doordash (tony@doordash.com). After you enter the email, you get sent to Doordash's employee portal to authenticate. Based on the email you provide, Gmail has to figure out if you need to provide a password to gmail itself or if the email authenticates another way.

[–] Jesus_666@lemmy.world 7 points 2 hours ago (1 children)

It's not like you can't add a "Log in with your company's SSO" button to the form. That works just fine and at least Microsoft does something like that.

[–] bamboo@lemmy.blahaj.zone 3 points 2 hours ago (3 children)

Not sure I'd take design inspiration from Microsoft of all places. Also https://login.live.com/ has the same workflow email -> continue -> password. Not sure where you're seeing Log in with SSO option.

[–] Gumbyyy@lemmy.world 1 points 1 hour ago

I see the Login with SSO option all over the place. Of course, that assumes the users actually understand what that means, and they know whether or not they need to click it.

load more comments (2 replies)
load more comments (1 replies)
[–] baller_w@lemmy.zip 2 points 26 minutes ago

Passkeys or oauthn/fido. I just can’t believe we’re still talking about passwords in 2025 when these very robust, user friendly features have been widely available for years.

[–] lung@lemmy.world 44 points 4 hours ago (8 children)

HEY BUT DO YOU WANT TO USE A PASSCODE?? PASSCODE! PASSCODE! USE THE PASSCODE! -_-

load more comments (8 replies)
[–] HuntressHimbo@lemmy.zip 20 points 4 hours ago (2 children)

Ah but you see it's one factor of authentication that also conveniently loops in whichever email provider is spying on you

[–] LedgeDrop@lemmy.zip 1 points 1 hour ago

Ding! Ding!

This is the real answer: mail providers get to track you, your service get constant confirmation that your email is live (so they can send more ads from themselves plus their 400 closest affiliates). It's a win-win situation for everyone /s.

"The ~~beatings~~ enshitification will continue, until moral is improved."

load more comments (1 replies)
[–] Assassassin@lemmy.dbzer0.com 15 points 4 hours ago (2 children)

Just let me use passkeys at this point. The way that people typically use passwords is less secure anyway, why not just make it as simple as possible?

[–] Anafabula@discuss.tchncs.de 6 points 2 hours ago (1 children)

I would love to use my physical Yubikey, but all the websites I've seen that allow passkey login always deny both Yubikeys.

[–] Assassassin@lemmy.dbzer0.com 1 points 39 minutes ago

That's a shame, yubikeys are a really neat tool. I've considered picking one up so many times

[–] bleistift2@sopuli.xyz 10 points 3 hours ago (4 children)

I forget. Are passkeys the access method that prevents you from logging in ever again if you lose access to a device?

[–] Assassassin@lemmy.dbzer0.com 11 points 3 hours ago (1 children)

Typically, no. You're thinking of TOTP/Authenticator based 2FA. Those still come with backup codes in case you break the phone that has the TOTP codes warehoused. I always recommend keeping those backup codes saved in the notes of whatever password manager you're hopefully using.

Passkeys are essentially just one half of a cryptographic key pair (like what you'd use for authenticating SSH without passwords). These allow you to authenticate once using password + 2FA, then use the generated passkey for future sessions. Since these are much more complex than passwords and remove the need to actually remember anything, they are significantly more secure.

There are also some other features that I'm forgetting, and that may not be a perfectly accurate description, but I think you can get the gist.

[–] Jesus_666@lemmy.world 6 points 2 hours ago (1 children)

Passkeys are supposed to be bound to one device and protected by that device's OS's secure enclave. If you have a second device you're supposed to create a second passkey.

That's why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn't fit the security model.

[–] Assassassin@lemmy.dbzer0.com 2 points 2 hours ago

Yeah, that's how I understood it to work, as well. I didn't mention it because I've seen a bunch of different implementations that don't seem to work that way. I didn't want to speak too much on that specific point, since I don't have a very thorough understanding of it.

[–] 4am@lemmy.zip 3 points 2 hours ago

Only if you use the OS built-in saving.

Most password managers support them at this point, making them portable and secure.

[–] bdonvr@thelemmy.club 2 points 2 hours ago

No? My password manager holds them so they are available everywhere...

load more comments (1 replies)
[–] justOnePersistentKbinPlease@fedia.io 1 points 1 hour ago

But if they don't get an active email and/or phone number.

How can they then turn around and sell that to info brokers and spammers.

[–] manxu@piefed.social 4 points 3 hours ago

It feels like the factors of authentication discussion misses one important aspect: can the factor be replayed. Passwords can be replayed indefinitely, while the email links you get or the OTP token only work for a short period of time.

I remember it from the bad days when I used LastPass. Suddenly I got a notification that the place had been compromised and I had to suddenly change hundreds of passwords. 90% of them were for sites that didn't even exist any longer, but sifting through the long, long list to go change passwords was more work than I wanted to do.

Don't have to do that if I need to use a one-time token via Aegis or email! I do agree, though, that for low risk sites, username/password is totally fine.

load more comments
view more: next ›