💾 Archived View for yujiri.xyz › software › forgot-password.gmi captured on 2024-06-16 at 12:30:18. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-09-08)
-=-=-=-=-=-=-
The "forgot password" buttons on every web service mean that if someone gains access to your email account, they also get access to every other account you have by just asking them all for password resets.
It also means that your email provider can hack all your other accounts at any time, since they already have access to your email.
This is a horrendous violation of common sense. We're always advised to "use different passwords on everything", but how much does that matter if you have one account that invalidates all your other security mechanisms?
This wouldn't bother me so much if it was something we could choose not to do. But the problem is that *none of us have any choice*, because almost no websites offer a setting to either disable password reset or encrypt the emails. Not even GitHub, a website specifically for programmers and that *already allows you to set public keys on your account!*
It is *basic* security practice to let users either disable password reset or provide a public key to encrypt the emails with. Having password reset without a feature like this is worse than storing passwords in plain text. Even bloggers who write great stuff about security go on to make web services that effectively accept your email password as an alternative to the one you set, and there's nothing you can do about it.