by Longhanks 1042 days ago
I absolutely despise everything in this comment. I have a user name and I know the associated password, let me in. Leave me alone with your proprietary authenticators that will lock me out the moment I lose my phone or Google/MS just _decide_ they feel like locking me out.

GitHub force-disabling password authentication for git push has actively made me contribute less to GitHub-hosted projects. And when I really feel it, I just create a full access authentication token anyway and copy the contents to the device. Great. This is the 90's "password on a sticky note at the desk" all over again, just even more cumbersome and even less secure. Great job, everyone.

And no, passkeys/webauthn/vendor lock in #1864 won’t fix this.


I really do not understand the policy of GitHub. Before, I could have a 40 char password in my head. Now it MUST be somewhere on my disk. I was totally surprised when I learned it is the only way to log in. Seems like a 50-year-old idea.
And yet the likelihood of you telling someone or typing the contents of this file somewhere you shouldn't is much lower. It's more phishing resistant and is much less likely to be in some leaked password database, that's what GitHub cares about. Targeted attacks on single people don't even move the needle.

Phishing and password stuffing attacks are like 95% of 'hacking' attempts.

And frankly it is very likely that your 40 character password landed in your shell history at least once.

GH also prefixes them and undoubtedly scans for and invalidates them.

I don't think I ever cringe as much as at HN threads with people clamoring for backwards steps for security.

Might want to check out 1Password CLI which can eliminate the need to store access tokens on disk.
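An added example (not code from this thread or from GitHub) of why the token prefix mentioned above matters to a scanner: a Python script that scans a constructed shell-history sample for GitHub's documented `ghp_` classic token prefix and redacts any hits, while an unprefixed 40-character password on the next line is indistinguishable from ordinary text. The 36-character token body, the fake token and the sample history lines are assumptions constructed for illustration.

```python
import re

# Constructed sample shell history (not real data): line 2 leaks a
# fake GitHub-style token, line 3 leaks a plain 40-character password.
SAMPLE_HISTORY = """\
git clone https://github.com/example/repo.git
git push https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@github.com/example/repo.git
export DB_PASS='correct-horse-battery-staple-with-40-chars'
ls -la
"""

# Classic GitHub personal access tokens carry the public "ghp_" prefix.
# Assumption for this example: 36 base62 characters follow the prefix.
# The fixed prefix is what lets a scanner find the secret at all; the
# password on line 3 has no such marker and cannot be picked out.
GITHUB_TOKEN_RE = re.compile(r"\bghp_[A-Za-z0-9]{36}\b")


def find_tokens(text):
    """Return (line_number, token) pairs for every prefixed token found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in GITHUB_TOKEN_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def redact(text):
    """Mask the body of each detected token, keeping the prefix visible
    so the reader can still tell what kind of secret was leaked."""
    return GITHUB_TOKEN_RE.sub(lambda m: m.group(0)[:4] + "*" * 36, text)


def report(text):
    """Defender-side summary: which lines need the token revoked and
    the history entry scrubbed."""
    return [f"line {n}: revoke token starting {tok[:8]}..." for n, tok in find_tokens(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_HISTORY):
        print(line)
    print(redact(SAMPLE_HISTORY))
```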
I understand where you're coming from, and if you really want to have a username and password - yes, you should be let in. You should always be able to manually authenticate if you really want to. But I'm arguing that it's time to automate and hide that process from the user experience. (Multi-factor auth is another topic... let's put that aside for now.)

But the reality is that memorizable passwords simply do not scale in any world where we have to authenticate with so many services. It's time to shift paradigms. When you take a step back, it's clear that we're trying to shim a new password keeper system into an old password input field paradigm, and it makes no sense and it's holding us back.

Agreed that no one should be forcing a proprietary authenticator service on anyone. On the contrary, to avoid that, we need an open standard that is cross-compatible between proprietary services.

The open standard should make it easy for any browser, password keeper, multi-factor auth system etc. to speak the same language and "just work" instead of hacking around with auto-filling password input fields for no reason. We're so stuck in an old way of thinking that we can't see that the password input field is vestigial and is only making everyone's experience worse.

First time I'm seeing anyone suggest that MFA and biometrics are less secure than a password.

Also you have to consider that companies like Google, Apple, Microsoft, are making decisions based on what's good for most users, not a single user.

I think they make decisions based on what is best for business (which may include locking you in to their platform as much as possible). Very unsure that the named companies really do things for users' good.