by alias_neo 1097 days ago
I see you're being downvoted, but I see your point. Twitter has so little value to me, I don't see the point in requiring the extra security (for me).

I guess if you're some sort of public figure it might be, but selling blue badges to anyone kinda destroyed any credibility it had as a platform for those people.

5 comments

I have a pile of accounts that I really don't care about. I joined a harmonica group about 10 years ago. My password is something like asdf1234, because really if someone pretends to be FAKE_NAME_123 on a harmonica site, I'm cool with it.

Twitter is about there for me. If someone took over my account, meh, I'd just create a new one. It's not tied to a real email anyway. I actually think I'm on my 3rd one now, because I forgot which email I used to sign up.

I remember the good old days when a lot of forums used to have a test/test account, and I also used to register some accounts with "test" login and "test" passwords for the sake of convenience for future folks who obviously will be wanting just to download something and forget about the website.
BugMeNot.com
A 2nd reason not to use 2FA is the "privatization of authentication".

Previously you had only the login and the password. Now you need a phone, and likely an app on the phone.

This whole push for 2FA is actually a push against individual password managers where users generate long cryptographically secure passwords.

Bitwarden and KeePassXC support adding TOTP tokens to an account entry, allowing you to use only the password manager for authentication, with no secondary device or application necessary.
The world is too complicated for me to learn about how TOTP works, who supports it, how smartphones work, how a password manager works, etc. All I want is the ability to use login/password with neither extra knowledge nor extra property nor extra installed software (cookies, password manager) on the computer I am accessing the website from. Let 2FA remain for those who really want it, as it was 10 years ago.
And that is important. Usability and simplicity are important for adoption. Every security layer we add does in fact strip away a layer of convenience.

In my opinion, learning to use a password manager has effectively eliminated dozens if not hundreds of passwords and user names that I would have had to remember, and all I need to remember is my one password manager password; everything gets copied and pasted in automatically. Even easier on my phone, with Face ID unlocking the vault.

But it is still a complication and disruption to previous sign in flows that I had to adapt to and maintain.

> learning to use a password manager has effectively eliminated dozens if not hundreds of passwords

Generating passwords properly gets rid of the need for any password manager while each password keeps being unique. It is useful if most of my devices for the internet don't have any password manager implemented (for example, any Blackberry/Symbian/Opera Mini).

Absolutely, which is why I use a custom diceware list to generate the few dozen passwords between work and home that I have to manually type out, such as my computer logins, phone, etc. It drives my wife crazy that I use random strings of words, numbers and symbols for our shared accounts. The password manager is highly effective at creating even stronger passwords and managing the 50+ accounts that I can copy and paste the information into, such as this Hacker News account. It even serves as a safe place to save passwords that I rarely use and could otherwise forget.
What do you do if you need to change the password for a site, such as a site that enforced password age limits or a site that has had a leak that exposed passwords?
The problem is that these platforms double as identity providers, so your Twitter being hacked can give access to other websites. It's crazy that this was ever a thing.
That's still often an optional feature, so if you don't want to use it as an IDP, you may not want to opt in to 2FA.
Ubisoft's UPlay tries to get me to sign up for 2-factor every now and then. For some it might be a good idea, if they have a large library and maybe use their account in internet cafes and such.

But they have a "Skip" button which so far works just fine. And I'm very happy it's there. So regardless of other merits, at least Ubisoft did that right with UPlay.

When we were implementing blockchain-based voting, we assumed that since people trust banking apps with their money, they should be able to trust a crypto wallet with their vote.

But the biggest security flaw, it turns out, is systemic, not individual: people simply don’t care about securing their one measly vote as much as they care about securing $100,000 in their bank.

So while people were motivated to secure large individual balances, they were not motivated to secure their votes.

Which is why we have to force people to confirm their votes on another device, so that Apple or Google couldn't theoretically steal the election by lying to you about who you voted for, let alone some random website like Stack Overflow (which people trust in their moderator elections etc.).

It turns out that this is also necessary for Web3 — the current state of security is dismal, the vast majority of people don’t actually check they are interfacing with the right contract or calling the right method or sending the right parameters before they hit “Submit” to sign the transaction. So even there, people have to be forced to double-check the details on another device, depending on the value of the transaction.

For more info see my article from 2020: https://www.coindesk.com/tech/2020/03/12/in-defense-of-block...

How do you imagine blockchain-based voting that is still secret? Everything is totally visible on any blockchain.
Personally, I think we will move beyond blockchains. There are new technologies out there (DAG, HashGraph, and our own: Intercloud). There is also the "sidetree protocol", which is used to secure Merkle trees with a blockchain; it is used by Microsoft's new DID-compliant ION for identity, and I think also by Bluesky. But at the moment, blockchain is widespread, kind of like PHP is widespread.

Polygon is probably going to be the winning provider of the space: https://community.intercoin.app/t/polygon-overtakes-ethereum... (although there are smaller ones, such as Arbitrum, Cardano)

I imagine that, in the future, we will simply have an "embarrassingly parallel" set of append-only logs, which is already possible with projects like Hypercore. And we will run consensus with those.

As for your question: the way you have secret voting is by using ring signatures (Monero has ring signatures). You just have to indicate that you're part of a group and that you used your one vote, but it doesn't say who you are: https://en.wikipedia.org/wiki/Ring_signature

This has been known since 2004, and in fact doesn't require blockchains: https://eprint.iacr.org/2004/281.pdf

A blockchain-based way would be to use a mixer (like Tornado Cash does) to mix up the tokens so each person still has exactly 1, but now it's harder to trace who has which one.
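An added example of the "one vote, unknown voter" property the comment describes: a linkable ring signature in the style of the 2004 LSAG scheme of Liu, Wei and Wong, written here for illustration (not code from the thread, the linked paper or Monero). A voter proves membership in the ring of registered public keys without revealing which key signed, and the key image is identical for every ballot signed by the same key, so a tallier detects a second ballot without learning who cast it. It assumes a toy-size safe prime found by trial division at import time, which keeps the algebra readable but is not secure; a real deployment would use a standard 256-bit group.

```python
import hashlib
import secrets

def _is_prime(n: int) -> bool:
    return n > 1 and (n == 2 or bool(n % 2) and all(n % d for d in range(3, int(n ** 0.5) + 1, 2)))

def _toy_group(start: int = 1 << 30):
    q = start | 1                              # first safe prime P = 2Q + 1 above start: deterministic,
    while not (_is_prime(q) and _is_prime(2 * q + 1)):   # so signer and verifier derive the same group
        q += 2
    return 2 * q + 1, q

P, Q = _toy_group()   # ~31-bit prime: readable and quick to find by trial division, NOT secure
G = 4                 # a quadratic residue, hence a generator of the order-Q subgroup

def _h1(*parts) -> int:
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % Q   # hash anything to a scalar in Z_Q

def _h2(ring) -> int:
    """Hash the ring to a group element with unknown discrete log by squaring a hash.
    Never use G**k for a known k: key_image = y**k would then link every image to its key."""
    h, ctr = 1, 0
    while h in (0, 1):
        h, ctr = pow(_h1("h2", ring, ctr), 2, P), ctr + 1
    return h

def _link(ring, image, msg, h, y, s, c):
    """One ring link: c_next = H1(ring, image, msg, G^s * y^c, h^s * image^c)."""
    return _h1(ring, image, msg, pow(G, s, P) * pow(y, c, P) % P, pow(h, s, P) * pow(image, c, P) % P)

def sign(ring, idx, x, msg):
    """LSAG signature by ring[idx], whose private key is x (ring[idx] == pow(G, x, P))."""
    n, h = len(ring), _h2(ring)
    image = pow(h, x, P)                       # key image: same key => same image, whatever the message
    c, s, u = [0] * n, [0] * n, secrets.randbelow(Q - 1) + 1
    c[(idx + 1) % n] = _link(ring, image, msg, h, 1, u, 0)   # y^0 = image^0 = 1: this is H1(.., G^u, h^u)
    for i in [(idx + k) % n for k in range(1, n)]:            # simulate every other member with random s
        s[i] = secrets.randbelow(Q)
        c[(i + 1) % n] = _link(ring, image, msg, h, ring[i], s[i], c[i])
    s[idx] = (u - x * c[idx]) % Q              # only the real private key can close the ring
    return c[0], s, image

def verify(ring, msg, sig) -> bool:
    """Anyone can check ring membership; equal key images across ballots reveal a double vote."""
    c0, s, image = sig
    h, c = _h2(ring), c0
    for y, si in zip(ring, s):
        c = _link(ring, image, msg, h, y, si, c)
    return len(s) == len(ring) and c == c0
```

The tallier stores each accepted key image and rejects a ballot whose image it has already seen, which enforces one vote per registered key while the signature itself reveals nothing about which ring member cast it.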