
For sensitive sites like this, users should not be given the option to use the same username/password as other websites: The username should be issued by the site in the form Sally379687 or Fred965912

What Namecheap do is better - two-factor authentication. Usernames are not meant to be secret, and forcing users to look up a username as well as a password is going to be annoying.

Off-topic, I switched to Namecheap (from GoDaddy) a couple of years ago, and have been impressed. Things like two-factor auth and being aware of and publicising this attack are all signs of a good corporate citizen doing things right.

It would only be better if Namecheap mandated two-factor authentication.

Giving the user the option to use poor security is like a bank that lets its customers decide what bank vault to install, then blames its customers when they are robbed.

Define "sensitive site". Any email provider, if it's your main email account would qualify as very sensitive. However, people also have myriad junk accounts. As soon as you start to enforce this sort of thing you limit who's going to sign up.

I've got accounts with two brokers. One has good tools which I can use with simulated ledgers but won't manage SIPPs. It has a crap password which I can remember and bang in whenever I want to check performance. The other's password is in KeePass and requires a small but significant effort to access. You could argue that the former doesn't want my "business" but if they started handling SIPPs or if I start doing some speculation I'd convert instantly. Is my low level leeching worth an instant convert?

Then people are just likely to write it down, or forget it, etc. Need to provide for humans too :)

But that's fine: having users write it down and/or forgetting it is better than having them compromise their security.
