TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

45% Positive

Analyzed from 2175 words in the discussion.

Trending Topics

#email#address#gmail#password#users#same#com#emails#never#user

Discussion (45 Comments)Read Original on HackerNews

amiga386about 3 hours ago
Add the lie "emails are delivered instantly, so the user can click a link I email them within 1 minute"

And the lie "users always read emails on the same device they're logging into a website with"

And the lie "users can always view HTML email so no need to send a plaintext equivalent, especially if I have a long complex URL I want them to click"

And the lie "Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins. Whoever clicks that link first is definitely the user who wanted to log in"

trumpdongabout 2 hours ago
If you try to create a Discord account with Firefox Klar as your default browser, on Android, immediately upon signing up you'll be banned. I have to assume this is because it clears cookies and thinks you're a bot farm.
technion24 minutes ago
Claude, for my non Gmail domain, expects me to click a magic link on every device I wish to use it. Its wild that a product like that cannot take a password, or a passkey.
Terr_about 1 hour ago
> And the lie "users always read emails on the same device they're logging into a website with"

Or the same browser, or the same browser-profile. For example, on my phone I have external links (from other apps) opening in incognito mode by default.

wodenokotoabout 3 hours ago
If you have a password reset form, you probably already have a log-in with email with extra steps functionality.
butvacuumabout 1 hour ago
I don't think it's about security. It's about fobing off password resets on somebody else.
nosioptarabout 2 hours ago
When I had protonmail, I often wouldn't get emails for hours, sometimes a day.

Most other providers I've used range from instant to a few minutes.

CPLXabout 2 hours ago
> Clickable links sent in email are more secure than passwords so I'll stop supporting passwords and instead rely on email delivery of a link for all logins

God, I fucking hate that.

I have a fucking password manager, I have various machines and things open. Just let me fucking log in.

If anyone is reading this who is in charge of the internet please stop doing this.

Terr_about 1 hour ago
There's a landlord/apartment portal where the whole login process has changed to be:

1. Enter username (e.g. an email)

2. Choose from either email or SMS on file

3. Enter the code you got somehow through the respective unencrypted channel

Given that this same site is involved with bank-account details for payment, I am concerned...

anon7000about 2 hours ago
So agreed. It’s fucking crazy. Password manager is so much easier and more secure. If you do this dumb email or SMS OTP flow, at LEAST support passkeys for my password manager!

It’s wild that they’re like “it’s more secure to not have a password” and then choose two unencrypted delivery mechanisms for the very short OTP.

Sure, people who reuse passwords are not secure. And fair, I guess it’s a tragedy of the commons. But at least continue supporting it and make it dead simple for password managers if you actually care bout security

8n4vidtmkvmkabout 1 hour ago
I thought the same for a long time but now i don't know. If your computer is compromised, they can exfiltrate your password, but with a hardware key they can't, so i think that's legitimately more secure than password+otp. It still needs a pin though to protect against device theft. I bring this up because there's been a ton of compromised developer packages recently and windows itself is being attacked so even if you're pretty good about protecting yourself, you still might get screwed.
roygbiv2about 2 hours ago
I seem to spend half my life logging into thing's, confirming 2fa,confirming biometric data. Then when I go back to the first thing it's timed out and I have to sign in again.
denkmoonabout 2 hours ago
The people in charge of the internet are "cybersecurity" "professionals" who can't even follow NIST guidance.
technion10 minutes ago
A lot of those same people seemed perfectly capable of insisting on 60 day password rotation back when they could use nist guidance as an authority to appeal to (for about five years after the recommendation changed too).
Kaliboyabout 1 hour ago
It is with much hesitation that I write this, because I just implemented such a flow.

My reasoning was this: my customers keep forgetting their password and somehow that becomes a trigger to contact me. No passwords, no problem.

I tried convincing them to use password managers but that was pointless.

But I see the pain and frustration so I will add passwords. And I quite liked the passkey idea, have to see how that works. Not that my customers would ever use it, but I would. It literally never occured to me.

readthenotes1about 2 hours ago
The "change your password every 6 months" guidance?
chrisandchris17 minutes ago
> It turns out that allowing senders to omit dots is common but by no means universal!

I think this is mostly common with Gmail-heavy countries and does not apply to Europe? At least I do not know of anyone that thinks so.

miningtcup21 minutes ago
I would like to point out that the "suggested" validation pattern, ^[^@]+@[^@\s]+$, can filter out valid addresses. "user@something"@example.com is a valid address, and excluding @'s in the user part rejects it.
gerdesjabout 2 hours ago
Email is just like physical mail and thankfully just as endearingly human (sometimes).

Once upon a time (1970/80s) I lived on and off in a mystic land called West Germany. Our postal addresses ended with incantations such as BFPO 40.

Around 1985ish my granny send a Christmas card to us. I should note that she was at this time nearly seventy and sadly suffering from Parkinsons. She addressed the card, in rather crabbed but legible handwriting, to:

Graham and Heath BFPO 40

My mum's name is abbreviated - her daughter. At that time Rheindahlen (nr Moenchengladbach) had a pretty large contingent of Brits in it - it was HQ (BAOR).

The card arrived well before Chrimbo and it took about a week judging by the post mark, which was petty normal in those days. She shoved it into a post box in Ipplepen, nr Newton Abbot, Devon and it found its way to an obscure address in another country. I seem to recall she also forgot the stamp but it still got through.

I'm sure mail like that becomes a point of honour to deliver and HM PO and BFPO did the job admirably.

That attitude is how email MTAs are generally designed to work. They cling on to the good old days and sadly the world is a bit shit. Case sensitivity ... lol!

8n4vidtmkvmkabout 1 hour ago
New rule: when emailing someone, you need to include their name. If you do that, the email delivery gods will correct typos in your email address.
farfatchedabout 2 hours ago
> It’s likely that more people out there are being filtered by badly-implemented form validation than there are being filtered by their own need of hand-holding.

I wish this was asserted with evidence. The author might suggest this because they have unrealistic views of some users.

> In the year of our lord 2026, you can reasonably expect your users to know how to type their own email address - or even better, auto-input from their OS, browser, keyboard app, or password manager.

This really depends on who your users are.

I have multiple family members who have healthy memory, but can't accurately remember their email address everytime: the localpart, the domain, the syntax, everything.

Sending an email verification isn't sufficient, because if the user has typo'd ".com", they might never receive that email, and the user might never be back, or then have to escalate to support.

Meanwhile, if a site is opinionated on TLDs, they might prevent those users facing issues.

I'm sure there are many sites were users have a large variety of odd email addresses, but also there are sites that cater to mostly non-technical users within 1-2 locales, and so may find the friendliest UX is having opinionated validation.

wolrah44 minutes ago
That's why the article says "verify, not validate". Send an email, have a process for them to confirm they received it.

If the user gets the email and completes the validation, the email is valid. If they fucked up, they don't get the email and the account never gets created.

No one ever gets prevented from creating an account with a legitimate email address, as opposed to "opinionated validation" where that absolutely will happen. Speaking from years of experience having a .info domain which isn't even all that odd, and at one point using gmail-style + addresses regularly. "Opinionated validation" has forced me to use my .com domain without a plus dozens of times.

I know part of this is intentional, those who know they plan to sell your email addresses don't want you to use the plus addresses, but that doesn't make the advice to not filter addresses any less correct.

rmunnabout 1 hour ago
> I have multiple family members who have healthy memory, but can't accurately remember their email address everytime: the localpart, the domain, the syntax, everything.

I got Gmail early enough that I have (my first name) dot (my last name) at gmail dot com. About twenty years ago, I started getting strange emails. At first I thought they were spam, because they were addressed to me by name but I had never joined those sites. Eventually I figured out that they were addressed to (my first name) (my last name) at gmail dot com. Which Gmail treats as the same address as the one with a dot in between.

Since I had never ever given out a version of my email address without a dot in the middle, I eventually figured out that these emails were meant for someone else who shared the same first and last name as me. But since I don't think Gmail would allow one person to register john.example@gmail.com and then later allow someone else to register johnexample@gmail.com, my name doppelganger must have registered firstnamelastname@yahoo.com, and then forgot the domain and given out firstnamelastname@gmail.com when asked for an email address. And probably never noticed that they weren't receiving emails like "Dear customer, thank you for purchasing (product). Would you like to try (other product)?", so they never realized that they were giving out the wrong email address.

jcranmerabout 1 hour ago
Randall estimates in the alt-text of https://xkcd.com/1279/ that there's about ¾ of a million people who just use somebody else's email on gmail without realizing it's not their email address.
trumpdongabout 2 hours ago
There's something you can do in between - you can check the domain has an MX record.
riddley43 minutes ago
I have a gmail address that at least three other people think is their address. I constantly get emails for the dumb stuff they sign up for. NONE of them ever have an "I didn't request this" link. I mean, I get it. That won't make them money, but oh man is it annoying.
JimTheMan33 minutes ago
I get scammers using my email to sign up for websites, but they very obviously cannot login to my account. I often wonder what is in it for them. I'm sure someone on HN can tell me!
sohexabout 2 hours ago
IIIRC in terms of clients mutt (&co) will actually handle “@“ in the local part correctly.

> But the real reason I do that is just because I just like to sit in anger whenever this breaks the user experience because of programming errors or inconsistencies.

Genuinely delighted by the fact that I’m not alone in that.

adamzwasserman1 day ago
I enjoyed the deep dice. A lot of sensible advice, and enjoyed the deep dive. A lot of articles do not get a lot of that as right as this article does.

Anyone who also enjoyed it would probably get a kick out of my article on the same subject that goes into the regex (which has some valid use cases): https://hackernoon.com/on-the-practicality-of-regex-for-emai...

teo_zeroabout 3 hours ago
The plus sign is a pet peeve of mine, too. But I stopped keeping a list of bad sites when their number has become double digit!
jeffbeeabout 2 hours ago
This article says that Gmail can't handle address literals. I personally wrote the IPv6 address literal support for Gmail, so this annoys me. I just tested it and it shortened "[IPv6:2001:etc:etc::192.etc.etc]" down to "@2001" then generated an extremely terse mail delivery subsystem notification that I've never seen before. Which is why you should never just rewrite software without understanding why all the test cases are in the test suite!
thwartedabout 1 hour ago
> "[IPv6:2001:etc:etc::192.etc.etc]"

I'm trusting this is a throwaway example and that you used a real IPv6 address literal in this test, without the "IPv6" and with only colons and no dots (unless you mean to use v4 mapped address with dots)? Because this IPv6 literal is so malformed that I'm hardly expecting it to do something sane and changing that to "@2001" is nasal-demons quality undefined behavior. I tried with this exact literal and it let me send it but then there was a tiny red pop-up at the top of the gmail interface that said "could not be delivered, check your network connection" (which is odd; the same kind of pop-up that appears in gray when you legitimately are not connected to the internet) and it ended up in my drafts with the To: field empty.

I just tried to send a message to a "test@[" my current IPv6 address "]", and gmail told me

    Error
    The address "test@[«redacted»]" in the "To" field was not recognized.
    Please make sure that all addresses are properly formed.
This address doesn't have an MDA listening on it, but it didn't accept it enough to give me a non-delivery notification, it didn't even let me send it. gmail did accept an IPv4 address literal in brackets, although it hasn't given me back a non-delivery notification. What it stuffed into my Sent folder for this message has the square brackets stripped and the IPv4 address appears right after the @.
farfatchedabout 2 hours ago
Could they have consciously chosen to remove that functionality?

E.g. to simplify code, or if they wanted all mails to have a domain (if, for example, they wanted to integrate with reputation systems that were domain oriented)?

jeffbeeabout 2 hours ago
Based on the incredibly basic bounce message, I suspect the problem is that the frontend eats the address before it even gets to delivery.

To your question, yes any product decision is possible, but enterprise/government people are surprisingly demanding about this stuff working because they have extremely weird requirements for routing mail to and through legacy systems. So I bet this still works at the mailer level and is broken in the UI.

jcranmerabout 2 hours ago
I chuck IP address literals (both IPv4 and IPv6) on the list of things that you should care about for email if you're writing an MTA or an MUA but should otherwise generally not care about supporting if you're using email for something else (e.g., as a UID for login).
ashley95about 2 hours ago
This is cute and all. But for anyone coming here for real-world advice: just use a regex, normalize to lowercase, and surface any errors to users so they know if their email got rejected. This will avoid 99.9% of issues and work for 100% of real human users. This is what everyone else does, and if you have a user with an esoteric email, they will still be able to furnish another one that passes this validation.
pifabout 1 hour ago
Display a warning and propose to edit instead of blocking the operation: your customers will be happier!
Advertisement
jiveturkeyabout 2 hours ago
> TL;DR: Don't overthink it, just send a verification email.

pretty bad advice, if taken only as written, without adding more flavor on top.

the major email providers will penalize you if you generate too many undeliverable emails. thus, if you just send a verification email without any pre-validation, it's pretty easy to get into a DoS situation where current/valid users don't get important email sent to them, or that email is significantly delayed, plus incur huge operating cost to resolve the problem.

some form of rate limiting is needed, plus IMHO it's better to use a verifier service or your own heuristic or ML model to test for email validity including valid but fake/spammy/disposable addresses.

sorry, but we are way past the point of being able to have nice things, esp. when we're talking about email.

the "lies" part of the content is great. people do assume all those wrong things. however the TLDR is just wrong, and potentially harmful.

trumpdongabout 2 hours ago
I think the only way to deal with that right now is to hire a company whose job is to deal with it. They'll random-check your outgoing emails are indeed what you say they are, and they maintain a reputation with the big providers for checking it properly.

What pre-validation could you do that would possibly be useful?

jiveturkeyabout 1 hour ago
entropy check, for one