
You missed their point, they might not want to carry a smartphone and 2FA requires you to _have_ something.


You missed their point, accessing a website also requires you to have _something_, namely a device with a browser. If you have a device with a browser, then you have a device with a password manager.

Unless you only access that site via public infrastructure like a library, but that might not be infrastructure that you want confidential information to run over, because everybody and the milkman has access to it. And even then, 1Password for example also has an online version that you can access in those cases.


> You missed their point, accessing a website also requires you to have _something_, namely a device with a browser. If you have a device with a browser, then you have a device with a password manager.

My point from the root of this tree was that I do not want to make a shit travel (github asks me to prove identity by mail > gmail asks me to prove my identity by phone > my phone is somewhere else because I am not addicted to it) just to have an ability to use my github from the web interface. If I can successfully use my bitcoins without any 2fa/totp security theater then github is just shitting me with no good reason for me and for my helloworlds collection.

Probably just saving cookies solves the problem of the shit travel, but since every few-hour session of browsing makes me store tens of megabytes of cookies with no value to me (except for not un-logging from github) I usually clear all cookies every time I close my browser.


You are probably not lazy enough ;). I even hate to generate a password for a site. Having to open an authenticator app is too much of a hassle to be worth it for many sites. And it doesn't really make sense if the second factor is available on the same device...


2FA is about _proving_ you have something. For someone else to prove they have that same thing they have to physically steal it from you and possess it at the time of authentication.


No, you missed the point that the point was pointing to.

A password manager is also "your brain". A website can be happy with just a password.

For crying out loud, people don't need 2fa for a knitting forum!


The password manager being 'your brain' implies that you have only a handful of passwords... my brain has no way of remembering 1000+ passwords and logins, while I prefer to use random usernames and passwords. Sure, I don't need 2fa for a knitting forum, but I still need something to remember my login and password... try to never re-use either.


I have two categories of passwords. One for knitting forum class, and one for password manager class.

No, it isn't a crisis if someone gets my credentials to the knitting forum, the pics of acorns forum, and the local 'reserve space at the county pool' website... all in one go.

I can just change them all at once, from the letter 'a' to the letter 'b'.


To further support your argument, I'd suggest that requiring a login at all for this class of "service" is bullshit.

I've set the bar pretty low these days for "if you require a login, I go somewhere else" because there are plenty of places that just don't need it in my opinion.

To be honest, I class Twitter as one of those places; I go there to read certain information from specific "outlets" but Twitter, as we all know, has made it very difficult (as with other social sites of this type) to be read-only.


> If you have a device with a browser, then you have a device with a password manager.

I dispute that. Does the Nintendo Switch have a password manager?


Yes. 1Password works via the browser as I mentioned.


I would not trust and/or bind to online services that much.



