Comment by fusslo

7 hours ago

I'm sure this is worse than using LastPass in some way,

but for the past couple of years I've just generated and forgotten 90% of my passwords. The final 10% I keep in a password manager. But if the service isn't really that important I just use the 'forgot my password' to change and generate a new password every time I need to log in.

This works if the account doesn't have 2FA. On my last side project app users can log in only via email OTP. There are security downsides with that: someone can send a phishing link and use the OTP submitted to the fake site, but the app doesn't store anything sensitive (it's a game which tracks your progress) so I guess it's not a major security risk.

I got caught out as I no longer had access to the old phone number that was now used to send the 2FA text.

  • oh dang that's not good. I've had the same phone number since 2006 so I didn't really think about it

    • But the phone number you have is not 100% in your control. I had AT&T flub something and I lost my number and they assigned me a new one (I was changing my plan just after they did some merging with someone). Granted it's unlikely, but I would still use defense in depth and not have password reset be my only login method.

This is why a lot of services have just moved to using email with magic links to log people in.

In the end, for a lot of services, controlling your email is de facto controlling the login.

  • I am a vocal opponent to magic links via email (I am an unhinged person, in case it wasn't obvious before :) ).

    I NEVER log into my mail from my laptop/desktop. I access my email via my phone's mail app.

    So

    1. try logging on via my laptop's browser

    2. service sends a magic link to my email

    3. click the link on my phone

    4. now I'm logged in on my phone! not what I wanted!
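
One way a service can avoid the wrong-device outcome in steps 1-4 is to bind the magic link to the browser that asked for it: the click only approves a pending login, and the session is issued to the browser holding the original cookie. The following is an added example constructed for this thread, not code from any commenter or service; the class name, the 600-second lifetime and the cookie/link split are assumptions.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 600  # seconds a pending login stays valid (assumed value)

def _h(secret):
    """Store only hashes so a leaked pending table cannot be replayed."""
    return hashlib.sha256(secret.encode()).hexdigest()

class MagicLinkAuth:
    """Magic-link login that completes on the browser that started it."""

    def __init__(self, now=time.time):
        self.now = now      # injectable clock, so expiry can be tested
        self.pending = {}   # pending_id -> {email, link_hash, browser_hash, expires, approved}
        self.sessions = {}  # session_id -> email

    def start_login(self, email):
        """Browser submits its e-mail. Returns (cookie_value, emailed_link_value)."""
        pending_id = secrets.token_urlsafe(16)
        browser_secret = secrets.token_urlsafe(32)  # set as an HttpOnly cookie on the browser
        link_token = secrets.token_urlsafe(32)      # placed in the e-mailed link only
        self.pending[pending_id] = {
            "email": email, "link_hash": _h(link_token), "browser_hash": _h(browser_secret),
            "expires": self.now() + TOKEN_TTL, "approved": False,
        }
        return f"{pending_id}.{browser_secret}", f"{pending_id}.{link_token}"

    def click_link(self, pending_id, link_token):
        """Called by whichever device opens the link: approves the pending login, grants no session."""
        rec = self.pending.get(pending_id)
        if rec is None or rec["approved"] or rec["expires"] < self.now():
            return False  # unknown, already used, or expired: the link is single-use
        if not hmac.compare_digest(rec["link_hash"], _h(link_token)):
            return False
        rec["approved"] = True
        return True

    def poll_login(self, pending_id, browser_secret):
        """The originating browser polls with its cookie; gets a session id once approved."""
        rec = self.pending.get(pending_id)
        if rec is None or rec["expires"] < self.now():
            self.pending.pop(pending_id, None)
            return None
        if not rec["approved"] or not hmac.compare_digest(rec["browser_hash"], _h(browser_secret)):
            return None  # link not clicked yet, or caller is not the browser that started this
        del self.pending[pending_id]
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = rec["email"]
        return session_id
```

The phone that clicks the link learns only that it approved a login; the laptop that requested it is the one that ends up signed in.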

  • Links sent in plaintext over the network. :(

    • Potentially, but if you have your password reset process be sending a reset code by email it's effectively the same account access.