this post was submitted on 13 Mar 2026
574 points (98.3% liked)

Programmer Humor

[–] HuntressHimbo@lemmy.zip 26 points 5 hours ago (2 children)

Ah but you see it's one factor of authentication that also conveniently loops in whichever email provider is spying on you

[–] voidsignal@lemmy.world 4 points 5 hours ago

Of course. How would Microslop or Google LLMs snoop on your data then? You guys really make no effort.. /s


But if they don't get an active email and/or phone number.

How can they then turn around and sell that to info brokers and spammers?

[–] Assassassin@lemmy.dbzer0.com 18 points 5 hours ago (3 children)

Just let me use passkeys at this point. The way that people typically use passwords is less secure anyway, why not just make it as simple as possible?

[–] bleistift2@sopuli.xyz 12 points 5 hours ago (4 children)

I forget. Are passkeys the access method that prevents you from logging in ever again if you lose access to a device?

[–] 4am@lemmy.zip 7 points 4 hours ago

Only if you use the OS built-in saving.

Most password managers support them at this point, making them portable and secure.

[–] Assassassin@lemmy.dbzer0.com 12 points 5 hours ago (1 children)

Typically, no. You're thinking of TOTP/Authenticator based 2FA. Those still come with backup codes in case you break the phone that has the TOTP codes warehoused. I always recommend keeping those backup codes saved in the notes of whatever password manager you're hopefully using.

Passkeys are essentially just one half of a cryptographic key pair (like what you'd use for authenticating SSH without passwords). These allow you to authenticate once using password + 2FA, then use the generated passkey for future sessions. Since these are much more complex than passwords and remove the need to actually remember anything, they are significantly more secure.

There are also some other features that I'm forgetting, and that may not be a perfectly accurate description, but I think you can get the gist.

[–] Jesus_666@lemmy.world 7 points 4 hours ago (3 children)

Passkeys are supposed to be bound to one device and protected by that device's OS's secure enclave. If you have a second device you're supposed to create a second passkey.

That's why many sites will flat out refuse to let you create a passkey with a desktop browser since a PC-stored passkey doesn't fit the security model.

[–] Assassassin@lemmy.dbzer0.com 2 points 4 hours ago

Yeah, that's how I understood it to work, as well. I didn't mention it because I've seen a bunch of different implementations that don't seem to work that way. I didn't want to speak too much on that specific point, since I don't have a very thorough understanding of it.

[–] bdonvr@thelemmy.club 4 points 4 hours ago

No? My password manager holds them so they are available everywhere...

[–] killabeezio@lemmy.world -1 points 1 hour ago (1 children)

There are a few reasons for this.

  1. Conversion rates are higher and the majority tend to prefer these over passwords
  2. When you have to reset a password, you typically have to send an email anyway.
  3. It's technically safer because they are short lived tokens and if someone's password gets compromised, their token cannot.

It's not a perfect system by any means, but it's better than the shit implementation of passkeys and it's generally better than passwords for most users.

I prefer passwords over links and codes, but I get it.

[–] Deebster@infosec.pub 8 points 6 hours ago

My email uses greylisting which is where the first email received from a server gets a "busy" response - the idea being that spammers just fire and forget whereas real mailers will retry.

Unfortunately, some senders take so long to resend that it's timed out. The second time will work though. Unless they have multiple servers. Some have so many servers that you have to do this a multitude of times until you lose the will to log in or forget what you were going to do anyway.

[–] manxu@piefed.social 3 points 4 hours ago (1 children)

It feels like the factors of authentication discussion misses one important aspect: can the factor be replayed. Passwords can be replayed indefinitely, while the email links you get or the OTP token only work for a short period of time.

I remember it from the bad days when I used LastPass. Suddenly I got a notification that the place had been compromised and I had to suddenly change hundreds of passwords. 90% of them were for sites that didn't even exist any longer, but sifting through the long, long list to go change passwords was more work than I wanted to do.

Don't have to do that if I need to use a one-time token via Aegis or email! I do agree, though, that for low risk sites, username/password is totally fine.
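
The replay point raised in the comment above, as an added example that is not part of the thread or any commenter's code: a static password verifies on every attempt, while an emailed login token is consumed on first use and lapses after a short lifetime. The names `LoginTokenStore` and `TOKEN_TTL_SECONDS`, the 10-minute lifetime, and the in-memory dict are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime for an emailed login link

class LoginTokenStore:
    """Single-use, short-lived login tokens; only their hashes are stored."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (account, expires_at)

    def issue(self, account):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (account, self._clock() + TOKEN_TTL_SECONDS)
        return token  # this value goes into the emailed link

    def redeem(self, token):
        # pop() consumes the entry, so a captured token cannot be used twice
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        account, expires_at = entry
        return account if self._clock() <= expires_at else None

def check_password(salt, stored_hash, candidate):
    """Static-secret check: the same input verifies on every attempt."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 600_000)
    return hmac.compare_digest(derived, stored_hash)

def demo():
    now = [1_000_000.0]  # constructed clock so expiry can be shown offline
    store = LoginTokenStore(clock=lambda: now[0])
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"constructed-password", salt, 600_000)
    first = store.issue("user@example.test")
    late = store.issue("user@example.test")
    results = {
        "password_first": check_password(salt, pw_hash, "constructed-password"),
        "password_replayed": check_password(salt, pw_hash, "constructed-password"),
        "token_first": store.redeem(first),
        "token_replayed": store.redeem(first),
    }
    now[0] += TOKEN_TTL_SECONDS + 1  # step past the token lifetime
    results["token_expired"] = store.redeem(late)
    return results
```

Storing only the token's hash means a leaked token table does not hand out working login links, which is the same reason password hashes are stored instead of passwords.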

[–] bamboo@lemmy.blahaj.zone 4 points 5 hours ago (1 children)

I can imagine that the sites want to validate that you still have access to the email associated with the account, and asking people to check their settings is annoying, and they know no one will do it. I can also imagine that sites want to know as much about you as possible, don't want you to be using burner email addresses, and are probably selling the fact that your email address can still receive email to marketing firms who compile that info.

[–] Sprinks@lemmy.world 8 points 5 hours ago

Annual/routine email verification fills that need, though. For the sites I do support desk for, an email verification link is sent during account creation and then annually. If the email address is not verified then on login the account holder is prompted to either resend the verification link or change it and verify the new email.

[–] lessthanluigi@lemmy.sdf.org 1 points 5 hours ago

Hearing this in Spongebob's voice is amazing!

[–] Brkdncr@lemmy.world 0 points 4 hours ago

The amount of security threat encouragement in these comments is impressive.

[–] etherphon@piefed.world -1 points 5 hours ago

Passwords are quite insecure and people write them down on shit and forget them, I vastly prefer it too, but they're going to die out, probably rather soon, so be prepared.

[–] Switorik@lemmy.zip -3 points 5 hours ago (1 children)

I weirdly don't mind the email method. I don't like copy pasting my passwords because I feel it's less secure than typing it out.

Now I wouldn't mind if it was an option.

[–] SW42@lemmy.world 12 points 5 hours ago (2 children)

That’s why you use password managers.

[–] bamboo@lemmy.blahaj.zone 5 points 4 hours ago (1 children)

No need, just use Forgot Password for every login. No password manager needed /s

[–] ObscureOtter@piefed.ca 2 points 3 hours ago

Dad? Is that you?

[–] Switorik@lemmy.zip 0 points 3 hours ago

I do use them, I don't use them for auto complete.
