Ask HN: What is your online login/password preference?
3 points by hepennypacker 10 days ago | 1 comment
I'm a solo developer building a consumer website in which users must log in to access the content. I'm curious what your preferences are for website log-ins.

Assumptions:
- Security is important. It would be bad if a malicious party gained access to emails and passwords, since people often reuse passwords across sites
- I am not highly-skilled in web security (not my background)
- Companies, such as Google, can do security better than I can

Options I see:
1. Do it all in-house. Users create an account with a log-in and password, which I store and secure.
2. 3rd party log-in, such as Google. Users log in with their Google account, and I don't store any password data.
3. "Magic Link": when users want to log in, they receive an email with a link to log into the site. I also don't store any passwords.

#2: It seems some people don't like using these. Reasons could be: not trusting my site, wanting to create throwaway accounts, not having a Google or other 3rd party account at all.

#3: I like these, but it adds a step where users leave the site. It also seems that relatively few websites use this style of authentication?

#2 and #3 also reduce ease of use, since users won't be able to use a password storage application such as LastPass. They'll always have to go through additional steps (clicks) to log in.

I think the end result is some combination of these, but not all 3. It would be helpful to hear your perspective: if I'm overestimating the difficulty of securing password data, what tradeoffs I should consider, personal preferences on the above, and any options I may have missed. Also wondering if 2FA is an absolute must for this type of site.

Also note: I do payment processing via Stripe, and don't store credit card info in my databases. The most financial damage someone could do on my site would be to purchase a single monthly subscription. Of course, there is a greater risk if people use the same email and password log in as they do for their banking, for example.

I don't like services that send you a login link to your email, because if you can't access your email (for whatever reason), you can't login.

I should be able to use a diceware passphrase instead of a login requiring I use a combination of uppercase, special symbols, etc. Passphrases are harder to crack if the database got breached (providing the passwords are hashed and not stored in plaintext).

Also: TOTP is nice, but provide an option for U2F/Hardware 2FA and always provide a recovery code in case your user loses their Yubikey/Hardware token.
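An added example (not from the commenter, and not any project's code) of the two pieces of the comment that can be shown in plain Python: RFC 6238 TOTP verification with a small clock-skew window and replay protection, and single-use recovery codes that are stored only as hashes. U2F/WebAuthn needs a browser and a library, so it is not shown. The class and function names, the 30-second step and the recovery-code format are assumptions for illustration; the test vectors in the usage note come from RFC 4226 and RFC 6238.

```python
"""Added example (not from the comment): RFC 6238 TOTP with a clock-skew window
and replay protection, plus single-use recovery codes stored as hashes.
Standard library only; class and function names are assumptions.  U2F /
WebAuthn needs a browser and a library and is not shown."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30  # seconds per TOTP time step (the common default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP, digits)


def _hash_code(code: str) -> str:
    # Recovery codes are compared by hash so a database dump is not enough to
    # use them; normalise what the user typed first.
    normalised = code.strip().lower().replace("-", "").replace(" ", "")
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


class TotpFactor:
    """Per-user second-factor state: shared secret, last accepted time step
    (so a captured code cannot be replayed within the skew window), and the
    hashes of unused recovery codes."""

    def __init__(self, secret: bytes = None, digits: int = 6):
        self.secret = secret or secrets.token_bytes(20)   # 160-bit key
        self.digits = digits
        self.last_counter = -1
        self.recovery_hashes = set()

    def provisioning_uri(self, issuer: str, account: str) -> str:
        """otpauth:// URI for the enrolment QR code; base32 secret, no padding."""
        s = base64.b32encode(self.secret).decode("ascii").rstrip("=")
        return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&digits=%d&period=%d"
                % (quote(issuer), quote(account), s, quote(issuer), self.digits, STEP))

    def verify(self, code: str, at: int = None, window: int = 1) -> bool:
        """Accept the current step or `window` steps either side, compare in
        constant time, and never accept a step at or below the last one used.
        Rate-limiting attempts is the caller's job (6 digits = 10**6 guesses)."""
        at = int(time.time()) if at is None else at
        counter = at // STEP
        for c in range(counter - window, counter + window + 1):
            if c > self.last_counter and hmac.compare_digest(
                    hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False

    def new_recovery_codes(self, n: int = 8) -> list:
        """Return the plaintext codes to show the user once; keep only hashes.
        64 bits per code, so a plain SHA-256 of it resists offline guessing."""
        codes = []
        for _ in range(n):
            raw = secrets.token_hex(8)
            codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
        self.recovery_hashes = {_hash_code(c) for c in codes}
        return codes

    def redeem_recovery_code(self, code: str) -> bool:
        """Single use: the matching hash is removed so the code cannot replay."""
        h = _hash_code(code)
        if h in self.recovery_hashes:
            self.recovery_hashes.remove(h)
            return True
        return False


if __name__ == "__main__":
    f = TotpFactor()
    print(f.provisioning_uri("Example Site", "user@example.com"))
    print("current code:", totp(f.secret, int(time.time()), f.digits))
    print("recovery codes:", f.new_recovery_codes())
```

With the RFC 6238 test secret `12345678901234567890` (ASCII), `totp(secret, 59, digits=8)` gives `94287082` and `hotp(secret, 0)` gives `755224`, which is how to check an implementation before trusting it. The `last_counter` check is the part most home-grown TOTP code omits: without it a code phished or shoulder-surfed seconds ago is still valid for the whole skew window.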
