
Credential stuffing would be a much less effective strategy if web apps went back to string-based usernames, and not email-based ones.

Also, I hit CTRL-F on this post for the term "portable", and I got zero hits. Both passwords and SSH keys are trivially portable. Not so much with WebAuthn passkeys.




Hopefully it shouldn't take much to get there. Bitwarden/Vaultwarden already allows exporting the private key and (as far as I can tell) all other metadata required by another implementation to import them.


Let's please not. Password recovery flows are hard enough to get right and usually suck; adding username recovery on top of that doubles the opportunity for locking legitimate users out.


I don't know if I agree about the level of risk here. All password managers store passwords AND usernames.



