by digging 523 days ago
Totally agreed - a correctly used password manager is many, many times easier and faster to use than so-called magic links. It's not even a contest.

I'd even say magic link emails border on misuse of email; they're a fundamentally different form of communication from all other uses of email. It's not easy on neurodivergent brains to deal with that combination of pollution (magic links in my inbox) and distraction (actual emails in my face when I'm trying to log in and was not trying to check my email). Protonmail's client could really make my day if they found a way to reliably separate those 2 channels so I didn't have to even open my inbox to get login codes/links.

What I don't understand is why I've never been prompted to use a password manager by any site with a signup flow. It seems easier to normalize their use through messaging than keep acting like passwords are supposed to be something you consciously remember. Nobody should remember their passwords, except for maybe 2-3. But now we're moving toward a world where login just means more friction and less control instead...


Trying to explain to users of an unrelated site how to use a password manager sounds like a support nightmare.
That is a very good point! You'd have to be careful to craft the messaging so that it doesn't imply you can help troubleshoot the password manager.

But something simple could work. Already you usually have a note under a password field, "Must contain at least 8 characters and at least one special character" or something to that effect. It could also have some note about "We suggest a randomly generated password from your password manager."

I'm not building this out so I don't need every hole poked in the idea, just seems like it could work.

If someone is going to do this, 'At least one special character' etc. is not the way to do it. According to OWASP guidelines, a secure password must enforce a minimum length but not any other specific criteria, because they actually end up reducing password strength. Instead, the best option is to add a password strength indicator below the password entry field, to encourage the user to create a strong password. The help text can also mention using a password manager but it's difficult to do in a good way.
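As an added example (not code from the thread or from OWASP), the two policies side by side in Python: the "8 characters plus a special character" rule from the help text above, and a length-only rule with a crude strength estimate of the kind a signup page could show under the field. The minimum length, the thresholds, the tiny common-word list and the scoring formula are all assumptions for illustration; a real indicator would use a library such as zxcvbn. The point it shows is that "Password12!" and "Password123!" from later in the thread satisfy the composition rule while being weak, and that a length-only check still needs the strength estimate to catch them.

```python
"""Composition-rule policy vs. length-only policy plus a rough strength estimate.
Added example; thresholds, word list and formula are assumptions, not a standard."""
import math
import string

# Constructed sample of base words an attacker tries first (assumption).
COMMON_WORDS = ["password", "welcome", "letmein", "qwerty", "summer"]

CLASS_SIZES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 characters
]


def composition_policy(pw: str) -> bool:
    """The help-text rule from the thread: >= 8 chars and one special character."""
    return len(pw) >= 8 and any(c in string.punctuation for c in pw)


def length_only_policy(pw: str, min_len: int = 12) -> bool:
    """Minimum length and nothing else (min_len = 12 is an assumption)."""
    return len(pw) >= min_len


def _char_bits(c: str) -> float:
    """Bits credited to one character: log2 of the size of its character class."""
    for alphabet, size in CLASS_SIZES:
        if c in alphabet:
            return math.log2(size)
    return 1.0  # space or anything else: treat as a one-bit choice


def _pool_size(pw: str) -> int:
    """Sum of the class sizes present in the password (plus 1 for odd characters)."""
    pool = 0
    for alphabet, size in CLASS_SIZES:
        if any(c in alphabet for c in pw):
            pool += size
    if any(all(c not in a for a, _ in CLASS_SIZES) for c in pw):
        pool += 1
    return pool


def estimate_bits(pw: str) -> float:
    """Rough guess-entropy estimate.

    If the password starts with a known common word, the word itself is worth
    only log2(len(COMMON_WORDS)) bits plus one bit for the capitalisation choice;
    only the trailing padding ("12!", "123!") earns per-character credit.
    Otherwise fall back to length * log2(pool), the naive brute-force estimate.
    """
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        if lowered.startswith(word):
            suffix = pw[len(word):]
            return math.log2(len(COMMON_WORDS)) + 1 + sum(_char_bits(c) for c in suffix)
    return len(pw) * math.log2(_pool_size(pw))


def strength_label(pw: str) -> str:
    """What the indicator under the field would say (thresholds are assumptions)."""
    bits = estimate_bits(pw)
    if bits < 28:
        return "weak"
    if bits < 60:
        return "fair"
    return "strong"


def signup_check(pw: str) -> dict:
    """Everything a signup form would compute for one candidate password."""
    return {
        "composition_ok": composition_policy(pw),
        "length_ok": length_only_policy(pw),
        "bits": round(estimate_bits(pw), 1),
        "label": strength_label(pw),
    }


if __name__ == "__main__":
    for candidate in ["Password12!", "Password123!", "correct horse battery staple"]:
        print(candidate, signup_check(candidate))
```

Both thread passwords pass the composition rule; "Password123!" even passes the 12-character minimum, and only the strength estimate flags it, because a capitalised dictionary word followed by "123!" is a handful of guesses for anyone with a wordlist. A long passphrase with no special characters fails the composition rule yet scores far higher.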
One of my pet peeves is when rules counteract the purpose they are supposed to serve, usually because of incompetence. Two years ago, I worked for a few months for a company where time reporting was accessed through a specific web page.

They required the password to be changed monthly, have at least 10 characters, at least one number and at least one special character. On top of that – they locked out password managers and pasting. "We need to make sure you are the one logging in and not a hacker that hacked your password manager" they explained when I asked.

Out of spite I went for "Password12!" the first month and "Password123!" the month after, at which point I received an email from the IT department explaining to me that my choice of password was endangering the corporation's security.

> I received an email from the IT department explaining to me that my choice of password was endangering the corporation's security.

Sounds like they were logging/storing passwords in plaintext.

Or offline cracking passwords using a wordlist.
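As an added example of the offline wordlist attack suggested in the comment above (not code from the thread, and not how that IT department actually worked), a minimal cracker in Python: a constructed four-word list, a few hashcat-style mangling rules (capitalise, append a digit run, append a symbol), and a set of target hashes. Unsalted SHA-256 is assumed only to keep it self-contained; a salted, slow hash changes the cost per guess and prevents precomputation, but it does not save a password that sits a hundred guesses into the candidate list.

```python
"""Tiny offline wordlist cracker with mangling rules.
Added example; the wordlist, rule set and unsalted SHA-256 are assumptions."""
import hashlib
from typing import Dict, Iterable, Iterator, List, Set

# Constructed wordlist: far smaller than anything real, enough to show the idea.
WORDLIST: List[str] = ["password", "welcome", "letmein", "summer"]

DIGIT_RUNS = ["", "1", "12", "123", "1234", "2024"]   # assumed rule: append digits
SPECIALS = ["", "!", "?"]                             # assumed rule: append a symbol


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of the text (assumption: what the target stores)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Expand one base word into candidates: as-is or capitalised, then an optional
    digit run, then an optional trailing symbol. This is the shape people pick when
    a policy demands "one number and one special character"."""
    for base in (word, word.capitalize()):
        for digits in DIGIT_RUNS:
            for special in SPECIALS:
                yield base + digits + special


def candidate_count(wordlist: Iterable[str]) -> int:
    """How many guesses the rule set produces for this wordlist."""
    return sum(1 for word in wordlist for _ in mangle(word))


def crack(targets: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {hash: plaintext} for every target hash recovered.

    Each candidate is hashed once and looked up in the remaining set, so the cost
    is one hash per guess regardless of how many target hashes there are
    (that is the property a per-user salt takes away).
    """
    remaining = set(targets)
    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


def crack_plaintexts(plaintexts: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Convenience wrapper for a demo: hash the given passwords, then crack them.
    Returns {original password: recovered plaintext} for the ones recovered."""
    by_hash = {sha256_hex(p): p for p in plaintexts}
    recovered = crack(set(by_hash), wordlist)
    return {by_hash[h]: plain for h, plain in recovered.items()}


if __name__ == "__main__":
    # Constructed sample of stored passwords: the two from the thread and a passphrase.
    sample = ["Password12!", "Password123!", "correct horse battery staple"]
    print("candidates tried at most:", candidate_count(WORDLIST))
    print("recovered:", crack_plaintexts(sample, WORDLIST))
```

Both thread passwords fall within the first 36 candidates generated from the word "password", while the passphrase is never produced by these rules; the composition policy that forced the digits and the "!" is exactly what the rule set anticipates.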
Isn't it nice that hackers give up as soon as they realize they can't paste the password in?

And password managers (KeePassXC anyways) have a pretty nifty auto-type feature that gets around that anyways.

Have you heard of the Cobra Effect?
You can tell them to write their password on a piece of paper in their drawer. Seriously.

Many home users are pretty good about protecting important scraps of paper. The government gives us plenty to hold onto. Even if they’re a grandma that doesn’t understand all this password manager mumbo jumbo, they can deal with a notebook and be better off than using the same password on every site.