1. jgalt2+(OP) 2024-12-27 15:06:58
Credential stuffing would be a much less effective strategy if web apps went back to string-based usernames, and not email-based ones.

Also, I hit CTRL-F on this post for the term "portable", and I got zero hits. Both passwords and SSH keys are trivially portable. Not so much with WebAuthn passkeys.

replies(2): >>lxgr+91 >>lxgr+J2
2. lxgr+91 2024-12-27 15:14:27
>>jgalt2+(OP)
Let's please not. Password recovery flows are hard enough to get right and usually suck; adding username recovery on top of that doubles the opportunity for locking legitimate users out.
replies(1): >>jgalt2+447
3. lxgr+J2 2024-12-27 15:22:12
>>jgalt2+(OP)
Hopefully it shouldn't take much to get there. Bitwarden/Vaultwarden already allows exporting the private key and (as far as I can tell) all other metadata required by another implementation to import them.
4. jgalt2+447 2024-12-30 14:55:49
>>lxgr+91
I don't know if I agree about the level of risk here. All password managers store passwords AND usernames.