
I need help abbreviating some words: persistent -> p! assert -> a! transient -> ?? // first letter is 't' what is second letter ?


Wrestling with a UX idea. So my site's users almost never willingly log out. Most of them use facebook/google/twitter login, but we offer an actual email/password option too. I'm seeing around 80% of our email/password users using password reset when they try to use the auth page, so I'm thinking about just skipping the password entirely. What if, to login to a site that you infrequently login to, you had to prove your email address? Essentially, the standard password reset behavior of sending a unique and expiring token to an email (as a link), is the login link. Is this insane?


What if the user is on a different PC? Requiring them to log into their email to get a token seems a lot more trouble for those who would otherwise remember their password, right?


This is what Slack does.


a lot of services do that, usually it’s a 2FA option though.


I personally don’t log in to my email on my iPhone or iPad, so if I want to log in to a Slack room on either of those, but have logged in on my mbp, I open the email on my mbp, copy the link and then use the link on my mobile device. I can copy/paste across devices on iOS, so that is quite convenient for me.


hmm, thanks for the input. some more points to chew on.


Just to mention, I think "login links" sent to email are nice. Just thought worth pointing out a case where doing away with passwords entirely might be risky.


@roberto Slack offers that as an option right? Password is still an option


Also, with a password you'd normally expect that changing the password would invalidate any existing sessions or similar. If the passwordless link does the same thing, what happens to people who frequently switch between devices? If it doesn't, what does a user do when one of their devices has been lost/compromised/whatever and they want to prevent someone else from using that device's session cookie?


@carr0t we had to solve that with existing long-lived sessions with a user-base that has a small, but vocal population using multiple devices. We have a button in the profile to log out all devices.


what’s the proper oauth-y way of handling that situation? A refresh token for each device? Or one shared refresh token? In the first case why couldn’t you log out of individual devices instead of all devices?


Well each device has a separate session, so I don't see any reason why you couldn't log out specific devices that way. But you'd need a reliable way of identifying each device that is meaningful to the user


And preferably not by asking them "Name this device" every time they log in 😉


We have unique sessions (and tokens) for each device, but we don't allow "selective" logout. If you want to logout of all devices, you can do it, but you can't say "logout that iphone" or "logout that firefox session"

chris 16:12:05 this is cool, I only looked through the btc one so far, but it's pretty neat


a friend of mine encouraged me to try out cryptocurrency/blockchain coding to get my head out of the video streaming space for a while…so I dug into it a bit and was pretty underwhelmed by the simplicity of it all. The proofs themselves are quite mathematical and complicated (although btc’s proof of work is basically as brute-force and simple as you can get, really) but the rest of it? Not all that complicated. If you grok linked lists, you grok blockchain. So it leaves me…concerned…that the cryptocurrency community has a severe case of Not Invented Here and they tend to overcomplicate everything.


but they still run into showstopper bugs in the tooling peripheral to the main implementation (wallet hacks in BTC and Ethereum, etc.)


but in their defense, I wouldn’t hold up a lack of complexity as a point against - in crypto I like it when things are done as simple as possible (as long as they are also correct of course)


Oh I agree that simple is better. I suppose I just went in with the mindset that this was a bit of a mind-bending problem - because so much of the cryptocurrency lore is around these figures who are better and smarter than the rest of us - but it turned out pretty mundane.


when I’m working on my web app the hard part is making it work at all - if there are corner cases they can be patched over later; with crypto the hard part is ensuring that nobody in the near term future can find a hole in your system - the limits on the feature set you can implement with that kind of guarantee are extreme


that said, the money pouring into cryptocurrencies right now is speculation based on other speculation - not the utility of the items for their stated purpose


And this is where the NIH syndrome I was referring to earlier really bites them. Not only do you have to make the system as robust as possible against guaranteed attacks (because anything with money is basically a huge target), now you have to contend with writing proper implementations of stuff that’s existed for years. IOTA is a great example of that.


e.g. bitcoin’s global limit of 5 transactions a second means it’s not a good medium of exchange, and extreme volatility and deflation mean it’s a poor store of value


that’s fair, yes


I don’t know much about IOTA but what I’ve seen doesn’t tempt me to try it or even learn much more…


the bitcoin core developers seem to have done a good job of not venturing too far out of the scope of the project. But IOTA and Ethereum are kind of all over the place.


my impression is that bitcoin was designed by someone(s) with a very good background in math and crypto, and that IOTA and Ethereum are designed by extremely ambitious and above-average programmers, but not people who are world-class experts in crypto or math


e.g. the choice to use a JS clone for Ethereum - you’d expect something lower level and more predictable (some kind of Pascal or Ada clone) or higher level with better guarantees (some kind of ML or Haskell clone)


I mean seriously, they had a wallet hack based on what was effectively an implicit scope parameter - one of the most common kinds of js bugs


I’m not sure why they’re even making their own language instead of using something that already exists 😛


existing languages are not designed to be resilient to malicious code though (not to say what they made does the job that much better)


maybe that’s totally wrong though - JS was meant to be a sandboxed language in a browser after all (we’ve seen how well that worked out). Also, it’s important to see the context in which these cryptocurrencies are being developed. The way you succeed in the startup world isn’t by being the best or most careful, it’s by daring to try and maybe fail, and maybe break a few rules and deal with it later when you have more money / influence


this might make sense if you are trying to replace a corrupt taxi regulation system, for example, but I don’t think it’s a set of incentives that is conducive to quality financial technologies. We have crypto exchanges where people can blatantly run scams that were made illegal decades or even centuries ago in mainstream financial markets, and consumers / investors aren’t even aware of what those scams look like - arguably the people inventing the tooling around the cryptocurrencies are not familiar with the scams! (the more cynical take is that they are well aware, and their software allows them to make a lot of money based on those scams)


I have a feeling it’s a combination of typical tech/startup hubris (“move fast and break things”) and genuine fraud that some people are purposefully committing by taking advantage of the chaos.


But yeah stuff dealing with this much money now should be dealt with in a more deliberate manner.


move fast and break things is scary when “things” becomes a significant fraction of the global economy


The problem I have with blockchain is its misuse.


Bitcoin has a transaction rate of about 3-7 transactions a second. What does anyone expect to do with that?


Real Estate Transactions in the US probably happen at < 3-7 per second. How could it possibly be useful ?


One idea I think is particularly interesting is "attaching physical property" to a bitcoin. For example, if some legal firm setup something that says: "this house belongs to whoever controls the wallet associated with this tagged coin" -- then it's suddenly possible for people to do all types of transactions. Imagine a US resident being able to buy a house in Russia or China by swapping 100 bitcoins for a single tagged bitcoin or something.


Transaction volumes are the biggest problem of cryptocurrencies in order for them to reach any real usage as a real world currency. Both bitcoin and ethereum suffer from horrible transaction volumes which would never ever fly in the real world. A single web shop with any kind of relevance has situations where they go above that transaction volume and if we take into account the big players like Amazon, Alibaba, Zalando etc then each of those can go over those limits thousandfold all by themselves.


not to mention usability. not a single person i interact with daily knows how to use any kind of cryptocurrency


usability is easily fixed really


it’s not like ordinary people understand how card payment networks work, and they are still quite successful with their card payments


And then there's that nasty little bit where the Bitcoin network uses something like 29 TWh/yr. That's more than the power usage of Ireland.


And even home sales aren't really in the ballpark @U3JURM9B6. US home sales alone in 2017 ran about 4.7 transactions/sec. Add in the rest of the world and you've got some transaction problems.


Not to mention possible back pressure problems when at certain times of the year people buy and sell a lot of property.