
Your Password Complexity Requirements Suck - stevepaulo
https://medium.com/302-found/your-password-complexity-requirements-suck-7934c4e4b295
======
gerdesj
"like 15 minutes from the login attempt, and randomly generate a string for
the token itself. Send a link to the user, when they click it, find them by
the token, and log them in."

Many common greylisting schemes will delay for 15 minutes or more.

Don't (ab)use email for something it was never designed for: instant delivery
of a token. Email will get the message through eventually - that is what it is
designed to do - but nowadays it has to run through a lot of filtering and
you are asking people to have squeaky clean SPF/DKIM and probably DMARC and
also have to consider DNSSEC and lots of other things.

Email is still bloody good for message delivery but you are asking for
administrators of an auth/auth system to become email sysadmins.
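
Added example, not part of the comment above or of the linked article: a minimal sketch of the emailed login-token flow quoted at the top of the comment, run against a simulated mail delivery delay to show where a 15-minute lifetime meets a greylisting delay of the same size. The store class, user id, timestamps and delay values are all constructed for illustration.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute lifetime from the quoted passage


class MagicLinkStore:
    """In-memory stand-in for a login-token table (hypothetical schema)."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id, now):
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Keep only the hash, so a leaked table cannot be replayed as links.
        self._tokens[digest] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now):
        """Return the user id for a valid token, else None. Single use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._tokens.pop(digest, None)  # consumed on first lookup
        if record is None:
            return None
        user_id, expires_at = record
        if now >= expires_at:
            return None  # link arrived or was clicked after expiry
        return user_id


def login_after_delay(delivery_delay_seconds, click_delay_seconds=30):
    """Simulate issue -> mail delivery delay -> click; return the login result."""
    store = MagicLinkStore()
    issued_at = 1_700_000_000  # constructed timestamp
    token = store.issue("user-42", issued_at)  # constructed user id
    clicked_at = issued_at + delivery_delay_seconds + click_delay_seconds
    return store.redeem(token, clicked_at)


if __name__ == "__main__":
    for delay_min in (0, 5, 15, 20):  # constructed delivery delays, in minutes
        result = login_after_delay(delay_min * 60)
        print(f"delivered after {delay_min:>2} min -> {result or 'expired'}")
```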

