DE version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
45% Positive
Analyzed from 2175 words in the discussion.
Trending Topics
#email#address#gmail#password#users#same#com#emails#never#user
Discussion (45 Comments)Read Original on HackerNews
And the lie "users always read emails on the same device they're logging into a website with"
And the lie "users can always view HTML email so no need to send a plaintext equivalent, especially if I have a long complex URL I want them to click"
And the lie "Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins. Whoever clicks that link first is definitely the user who wanted to log in"
Or the same browser, or the same browser-profile. For example, on my phone I have external links (from other apps) opening in incognito mode by default.
Most other providers I've used range from instant to a few minutes.
God, I fucking hate that.
I have a fucking password manager, I have various machines and things open. Just let me fucking log in.
If anyone is reading this who is in charge of the internet please stop doing this.
1. Enter username (e.g. an email)
2. Choose from either email or SMS on file
3. Enter the code you got somehow through the respective unencrypted channel
Given that this same site is involved with bank-account details for payment, I am concerned...
It’s wild that they’re like “it’s more secure to not have a password” and then choose two unencrypted delivery mechanisms for the very short OTP.
Sure, people who reuse passwords are not secure. And fair, I guess it’s a tragedy of the commons. But at least continue supporting it and make it dead simple for password managers if you actually care bout security
My reasoning was this: my customers keep forgetting their password and somehow that becomes a trigger to contact me. No passwords, no problem.
I tried convincing them to use password managers but that was pointless.
But I see the pain and frustration so I will add passwords. And I quite liked the passkey idea, have to see how that works. Not that my customers would ever use it, but I would. It literally never occured to me.
I think this is mostly common with Gmail-heavy countries and does not apply to Europe? At least I do not know of anyone that thinks so.
Once upon a time (1970/80s) I lived on and off in a mystic land called West Germany. Our postal addresses ended with incantations such as BFPO 40.
Around 1985ish my granny send a Christmas card to us. I should note that she was at this time nearly seventy and sadly suffering from Parkinsons. She addressed the card, in rather crabbed but legible handwriting, to:
Graham and Heath BFPO 40
My mum's name is abbreviated - her daughter. At that time Rheindahlen (nr Moenchengladbach) had a pretty large contingent of Brits in it - it was HQ (BAOR).
The card arrived well before Chrimbo and it took about a week judging by the post mark, which was petty normal in those days. She shoved it into a post box in Ipplepen, nr Newton Abbot, Devon and it found its way to an obscure address in another country. I seem to recall she also forgot the stamp but it still got through.
I'm sure mail like that becomes a point of honour to deliver and HM PO and BFPO did the job admirably.
That attitude is how email MTAs are generally designed to work. They cling on to the good old days and sadly the world is a bit shit. Case sensitivity ... lol!
I wish this was asserted with evidence. The author might suggest this because they have unrealistic views of some users.
> In the year of our lord 2026, you can reasonably expect your users to know how to type their own email address - or even better, auto-input from their OS, browser, keyboard app, or password manager.
This really depends on who your users are.
I have multiple family members who have healthy memory, but can't accurately remember their email address everytime: the localpart, the domain, the syntax, everything.
Sending an email verification isn't sufficient, because if the user has typo'd ".com", they might never receive that email, and the user might never be back, or then have to escalate to support.
Meanwhile, if a site is opinionated on TLDs, they might prevent those users facing issues.
I'm sure there are many sites were users have a large variety of odd email addresses, but also there are sites that cater to mostly non-technical users within 1-2 locales, and so may find the friendliest UX is having opinionated validation.
If the user gets the email and completes the validation, the email is valid. If they fucked up, they don't get the email and the account never gets created.
No one ever gets prevented from creating an account with a legitimate email address, as opposed to "opinionated validation" where that absolutely will happen. Speaking from years of experience having a .info domain which isn't even all that odd, and at one point using gmail-style + addresses regularly. "Opinionated validation" has forced me to use my .com domain without a plus dozens of times.
I know part of this is intentional, those who know they plan to sell your email addresses don't want you to use the plus addresses, but that doesn't make the advice to not filter addresses any less correct.
I got Gmail early enough that I have (my first name) dot (my last name) at gmail dot com. About twenty years ago, I started getting strange emails. At first I thought they were spam, because they were addressed to me by name but I had never joined those sites. Eventually I figured out that they were addressed to (my first name) (my last name) at gmail dot com. Which Gmail treats as the same address as the one with a dot in between.
Since I had never ever given out a version of my email address without a dot in the middle, I eventually figured out that these emails were meant for someone else who shared the same first and last name as me. But since I don't think Gmail would allow one person to register john.example@gmail.com and then later allow someone else to register johnexample@gmail.com, my name doppelganger must have registered firstnamelastname@yahoo.com, and then forgot the domain and given out firstnamelastname@gmail.com when asked for an email address. And probably never noticed that they weren't receiving emails like "Dear customer, thank you for purchasing (product). Would you like to try (other product)?", so they never realized that they were giving out the wrong email address.
> But the real reason I do that is just because I just like to sit in anger whenever this breaks the user experience because of programming errors or inconsistencies.
Genuinely delighted by the fact that I’m not alone in that.
Anyone who also enjoyed it would probably get a kick out of my article on the same subject that goes into the regex (which has some valid use cases): https://hackernoon.com/on-the-practicality-of-regex-for-emai...
I'm trusting this is a throwaway example and that you used a real IPv6 address literal in this test, without the "IPv6" and with only colons and no dots (unless you mean to use v4 mapped address with dots)? Because this IPv6 literal is so malformed that I'm hardly expecting it to do something sane and changing that to "@2001" is nasal-demons quality undefined behavior. I tried with this exact literal and it let me send it but then there was a tiny red pop-up at the top of the gmail interface that said "could not be delivered, check your network connection" (which is odd; the same kind of pop-up that appears in gray when you legitimately are not connected to the internet) and it ended up in my drafts with the To: field empty.
I just tried to send a message to a "test@[" my current IPv6 address "]", and gmail told me
This address doesn't have an MDA listening on it, but it didn't accept it enough to give me a non-delivery notification, it didn't even let me send it. gmail did accept an IPv4 address literal in brackets, although it hasn't given me back a non-delivery notification. What it stuffed into my Sent folder for this message has the square brackets stripped and the IPv4 address appears right after the @.E.g. to simplify code, or if they wanted all mails to have a domain (if, for example, they wanted to integrate with reputation systems that were domain oriented)?
To your question, yes any product decision is possible, but enterprise/government people are surprisingly demanding about this stuff working because they have extremely weird requirements for routing mail to and through legacy systems. So I bet this still works at the mailer level and is broken in the UI.
pretty bad advice, if taken only as written, without adding more flavor on top.
the major email providers will penalize you if you generate too many undeliverable emails. thus, if you just send a verification email without any pre-validation, it's pretty easy to get into a DoS situation where current/valid users don't get important email sent to them, or that email is significantly delayed, plus incur huge operating cost to resolve the problem.
some form of rate limiting is needed, plus IMHO it's better to use a verifier service or your own heuristic or ML model to test for email validity including valid but fake/spammy/disposable addresses.
sorry, but we are way past the point of being able to have nice things, esp. when we're talking about email.
the "lies" part of the content is great. people do assume all those wrong things. however the TLDR is just wrong, and potentially harmful.
What pre-validation could you do that would possibly be useful?