by StavrosK 3204 days ago
Slack's authentication flow is the dumbest I've ever had the misfortune of using. I'm a member of multiple Slack organizations, and it needs one login per organization. I can't just have a single email address and join whatever org I want, I have to remember which email address I used for each one, otherwise I can't log in!

I have multiple email addresses and don't use a specific one every time, so I have managed to lock myself out of many orgs because I just can't remember which email address I used.

If you click the "forgot my email" link, they go "have you forgotten which email address you used to log in to which org? Just tell us your email address and we'll tell you which orgs it's logged in to", which is exactly the opposite of what I want!

It's such a clusterfuck that I just avoid joining new orgs nowadays because I know I'll never be able to log in again.

5 comments

Have you tried using a password manager?

The one I'm using has the capability to store multiple logins for the same site with easily searchable notes (i.e. displayed in a pop-up when on the site).

For some sites I have like 20 sets of credentials and I've never had a problem with keeping up with them.

Password managers don't help when you need to log in to a computer you don't own, e.g. a public computer at a library or office. Using password managers just makes it easier to lock yourself out when you need access most.
You've got web interfaces and mobile apps. I use 1password and don't have this problem.
I have no interest in logging into a password manager web interface on a public PC. (But that's just me.)
You don't. You pull up your password on your phone and type it in manually onto the computer.
> You pull up your password on your phone and type it in manually onto the computer.

Sounds like someone isn't using a 100-character randomly generated password.

Parent poster said "web interfaces"
Thanks to 2FA, I don't have a huge concern logging into a password manager on a public PC.
Perhaps I'm overly paranoid. A public PC could be infected with god-knows-what malware that siphons off whatever text is entered or rendered in a page or on the screen.
I wonder if there's another way to solve this problem. For example, a plug-in that would store cookies as opposed to passwords - and then "populate" a new session with existing cookies to log you in transparently.
That sounds like a security nightmare...

Talking from experience: some sites also map the cookie to a browser id, making a migration useless. It just causes your session to get invalidated.

You can test this yourself because it's pretty easy to 'import' cookies between browsers on the same PC. Or it was the last time I tried it.

More of a security nightmare than passwords? Maybe, though I can't see why...

Anyways, yeah I thought about binding auth cookies to some kind of persistent hash, although I'm not sure what it could be... IPs change (laptops moving), so do user agents (browser upgrades)... I guess I'll need to test this!
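The binding idea in the comment above, worked through as an added example (not code from Slack or from anyone in this thread): a server-side session store that ties each session id to an HMAC over client attributes chosen by a binding policy. The strict policy (user agent plus IP) reproduces the complaint that a browser upgrade or a network change invalidates the session; the looser "ua_family" policy keeps the binding across those legitimate changes while still rejecting a cookie replayed from a different browser product. The session store, the policy names and the sample user-agent and IP strings are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed for the example: a per-process key. A deployment would load this
# from configuration or a KMS so that all app servers compute the same binding.
SERVER_KEY = os.urandom(32)

# In-memory stand-in for a server-side session store: session id -> record.
sessions: dict = {}


def binding_material(user_agent: str, client_ip: str, policy: tuple) -> str:
    """Concatenate the client attributes a policy says to bind to.

    "ip"        -> exact client IP (breaks when a laptop changes networks)
    "ua"        -> full user agent (breaks on every browser upgrade)
    "ua_family" -> product name before the first '/', so "Firefox/100" and
                   "Firefox/101" bind identically but "Chrome/120" does not
    """
    parts = []
    if "ip" in policy:
        parts.append(client_ip)
    if "ua" in policy:
        parts.append(user_agent)
    if "ua_family" in policy:
        parts.append(user_agent.split("/", 1)[0])
    return "|".join(parts)


def fingerprint(user_agent: str, client_ip: str, policy: tuple) -> str:
    # Keyed hash so the stored value reveals nothing about the client on its own.
    material = binding_material(user_agent, client_ip, policy).encode()
    return hmac.new(SERVER_KEY, material, hashlib.sha256).hexdigest()


def create_session(user: str, user_agent: str, client_ip: str,
                   policy: tuple = ("ua", "ip")) -> str:
    """Issue a random session id and record which policy it was bound under."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {
        "user": user,
        "policy": policy,
        "fp": fingerprint(user_agent, client_ip, policy),
        "created": time.time(),
    }
    return sid


def resolve_session(sid: str, user_agent: str, client_ip: str):
    """Return the user for a presented session id, or None.

    A binding mismatch invalidates the session outright: the server cannot tell
    a copied cookie from a legitimate browser upgrade, which is exactly the
    trade-off the strict policy forces.
    """
    rec = sessions.get(sid)
    if rec is None:
        return None
    presented = fingerprint(user_agent, client_ip, rec["policy"])
    if not hmac.compare_digest(rec["fp"], presented):
        del sessions[sid]
        return None
    return rec["user"]


if __name__ == "__main__":
    sid = create_session("alice", "Firefox/100", "203.0.113.5")
    print(resolve_session(sid, "Firefox/100", "203.0.113.5"))   # alice
    print(resolve_session(sid, "Firefox/101", "203.0.113.5"))   # None: upgrade broke it
    sid2 = create_session("alice", "Firefox/100", "203.0.113.5", policy=("ua_family",))
    print(resolve_session(sid2, "Firefox/101", "198.51.100.7"))  # alice: survives both changes
    print(resolve_session(sid2, "Chrome/120", "198.51.100.7"))   # None: different browser
```

Whatever the policy, the random session id is what actually authenticates; the binding only narrows where a stolen or copied cookie can be replayed, and the looser the policy, the less it narrows.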

I do use one, which is the only thing that helps. I think my Slack fear was because a few Slack credentials weren't added when I signed up, so now I'm just afraid of Slack.

Password managers do salvage this particular trainwreck, but it's still a wreck.

Many email systems support username variants. If you have "username@gmail.com", you can do:

    username+organization@gmail.com
as your slack login. I do this all of the time.

Why remember things when you can have a formula to determine which username to use?

Most of the time when I try that, the site's form validation complains that + is not a valid character. Very annoying. I think most of the time it's due to an over-specific whitelist, and sometimes it's due to url-escaping turning + into a space. Or maybe there's a regex and someone doesn't know how to escape literal + characters.
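The plus-addressing scheme from a few comments up and the two ways the comment above describes it breaking, worked through as an added example (not Slack's validator or any library's code): a local-part pattern that accepts `+` beside the over-narrow whitelist that rejects it, and a password-reset link built by string concatenation so that the standard form decoding turns `user+org` into `user org`. The `example.test` base URL, the regexes and the sample addresses are constructed for this example.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Local part restricted to the characters RFC 5322 allows unquoted ("atext"),
# which includes '+', with dot-separated runs. Domain: dot-separated labels of
# letters, digits and hyphens ending in an alphabetic TLD. Practical subset, not
# a full RFC parser.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
LOCAL_PART = rf"{_ATEXT}(?:\.{_ATEXT})*"
DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}"
EMAIL_RE = re.compile(rf"{LOCAL_PART}@{DOMAIN}")

# The "over-specific whitelist" the comment complains about: letters, digits and
# dots only, so any '+' tag is rejected as an invalid character.
NARROW_RE = re.compile(r"[A-Za-z0-9.]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_valid_email(addr: str) -> bool:
    return EMAIL_RE.fullmatch(addr) is not None


def narrow_is_valid_email(addr: str) -> bool:
    return NARROW_RE.fullmatch(addr) is not None


def build_reset_link_buggy(base: str, addr: str) -> str:
    # Concatenating the raw address leaves a literal '+' in the query string.
    return f"{base}?email={addr}"


def build_reset_link(base: str, addr: str) -> str:
    # Percent-encode everything, so '+' travels as %2B and '@' as %40.
    return f"{base}?email={quote(addr, safe='')}"


def email_from_link(url: str) -> str:
    """Decode the address the way a typical query-string parser does.

    parse_qs applies application/x-www-form-urlencoded rules, where a literal
    '+' means a space. That is correct behaviour; the bug is the unencoded link.
    """
    return parse_qs(urlsplit(url).query).get("email", [""])[0]


if __name__ == "__main__":
    addr = "user+organization@gmail.com"
    print(is_valid_email(addr), narrow_is_valid_email(addr))      # True False
    bad = email_from_link(build_reset_link_buggy("https://example.test/reset", addr))
    good = email_from_link(build_reset_link("https://example.test/reset", addr))
    print(repr(bad), is_valid_email(bad))                           # 'user organization@gmail.com' False
    print(repr(good), is_valid_email(good))                         # 'user+organization@gmail.com' True
```

The decoded value from the unencoded link fails even the permissive validator, which is how a site that "accepts" plus addresses on the sign-up form can still reject them in the reset-link handler.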
Yeah, I had that problem with some US govt website when applying for ESTA. I have since fixed the problem: my email is *@roblab.la, and I just put the org's name as the username part of my email. So far it has worked basically everywhere, except on aliexpress, where they disallow aliexpress@EMAIL_DOMAIN. Probably to avoid people posing as staff >_>'.
I tried that too 15 years ago, but had to stop after a year. It turns out many spammers send mails to random usernames.
So far spam hasn't been a problem (I get none). I have spamassassin set up, but it doesn't filter anything for now, just scores stuff. If it ever gets to the point where I get too much spam, I'll probably start to filter it.
I use 33mail for countering spam, and I recently switched to my own domain. So I might do organization@33mail.com, or slack@33mail.com, or organization@mydomain.com, or slack@mydomain.com, and it's a huge hassle to be trying all these combinations.
That does sound pretty annoying, but it seems the simple solution from your end is to have a system for how you generate logins.
I think the point is that he's avoiding the product rather than change his process, and that he's hardly the only one.
Does he avoid banks, too?

I don't really see how his scatter-brained approach to login management is any less of a problem there, or on literally any other system that uses an email as a username or a password recovery mechanism.

I'm all for using a password manager. I also think it's not user-friendly for a single application to force one to use multiple email addresses. It's unnecessarily confusing and annoying.
Slack doesn't require you to use multiple email addresses. I log into most of my slack teams with a single email address - to log into Slack, you need a unique (slack domain + email address) combination, not a unique email address.
I think most people would avoid banks if they had the option. Slack is not something that came along thanks to the Federal Reserve Act in 1913.
"irc is dumb! every server requires a different nick, wth?"
Of course irc doesn't, though your preferred one might not be available everywhere. But also, irc is dying a slow death in terms of user base - it's not exactly a good basis for making decisions about how to keep/attract users.
"IRC is just multiplayer notepad"
I am in a number of different slack orgs. With one email address, I join whatever org I want.

> I have multiple email addresses and don't use a specific one every time... I just can't remember which email address I [use]

I think I see the problem. I'm not sure how this approach allows you to function on the internet at all.

I have had a personal email, two school emails (undergrad + grad), and three work emails (internships). Most of the Slack orgs I'm a part of restrict access to emails from a specific domain (@university.edu, @company.com), so each account is associated with at least one Slack org. It's a mess, and it's because of poor design by Slack. I should have a "master" Slack account where I can list all the email addresses that I own, giving me access to all the associated orgs.
That's great as long as whoever is inviting you doesn't have password requirements (aka no gmail etc...) which some of them do.

For example, I have three Slack channels: 1. Our Company 2. 500 Startups 3. The Information

Each had different requirements so they all needed a different handle - even if I was using the same email.

It should be Single Sign On.