2lewd discussion

by Melancholy

Melancholy
すけべ
Admin
Posts: 3,871
Threads: 213
Joined: Jul 2014
Reputation: 60
07-04-2016, 04:03 PM (This post was last modified: 07-04-2016, 04:05 PM by Melancholy.)
#43659 (1)
As some of you might already know, RX14 and I are working on a new forum software written in the Crystal programming language.

We aim to have a software that's more efficient and faster than MyBB, and will be able to add new features to the software with ease.

This thread is basically just a way for RX and me to post updates and ask questions related to the new software.

Our first question is pretty important.

After reading this article, we sort of agree that dropping passwords completely, and having users sign in via an email that gets sent to them, is better on both our end (we won't be holding your passwords) and your end.

"but what if someone gains access to my email account?!"

They could just reset your password, there is no difference.

So our question is: What is your opinion on dropping passwords altogether and signing in via emails?

Utsutsu
is ded
Aykko
Posts: 187
Threads: 1
Joined: Jul 2015
Reputation: 11
07-04-2016, 04:50 PM
#43665 (2)
idk wouldn't you just get like 5 emails daily? kinda spammy or..?
All in One
( ˃ ヮ˂)
Torrents
Posts: 273
Threads: 3
Joined: May 2016
Reputation: 2
07-04-2016, 04:53 PM (This post was last modified: 07-04-2016, 04:55 PM by All in One.)
#43666 (3)
I don't really care either way. Passwords are fine with me but if you think dropping them will improve security then go ahead. The email thing might get me to check my inbox more often.

>>43665
>idk wouldn't you just get like 5 emails daily? kinda spammy or..?
From what I gathered the site just sends you one email with a link that you use to log in from then on.

VyraLove
Giving you Lewd Dreams <3
Kitsune
Posts: 95
Threads: 1
Joined: Jul 2015
Reputation: 6
07-04-2016, 05:03 PM
#43668 (4)
My opinion, after reading that article, is that it makes no difference to me because apparently it's the same level of security anyways. I also have what's it called.. the authenticator security stuff on my email anyway so I don't have to worry about it.

Melancholy
すけべ
Admin
Posts: 3,871
Threads: 213
Joined: Jul 2014
Reputation: 60
07-04-2016, 05:06 PM
#43669 (5)
(07-04-2016, 04:50 PM)Utsutsu Wrote: idk wouldn't you just get like 5 emails daily? kinda spammy or..?

If you login 5 times a day. But most people login once and stay logged in.

Caffeine
:thinking:
Lazies
Posts: 26
Threads: 2
Joined: Jun 2016
Reputation: 1
07-04-2016, 05:17 PM
#43670 (6)
Signing in via email while much more convenient seems (at least on paper) a lot less safe seeing as anyone who gains access to your email also has access to your lewd account whereas so long as you can remember your lewd password your account is slightly safer.

As for the redesign, I haven't been particularly bothered by the site's speed though I welcome any and all changes so long as the forum's layout stays somewhat similar.
Kusoneko
Cute sleepy lewd nekomimi
Waifu
Posts: 120
Threads: 2
Joined: Dec 2014
Reputation: 2
07-04-2016, 05:26 PM
#43673 (7)
That sort of sounds weird, usually you'd want to improve security by combining email + password + authenticator, not remove security layers (here the password layer) that result in relatively the same level of insecurity as before. Plus, like Utsutsu said, it'd get kinda spammy for emails, and it's quite honestly a major pain in the ass personally, as I tend to go deal with my emails on my phone, thus using the login link from the email on a phone would result in a pretty big fail cause the phone would be the one logged in, not my PC's browser. So, instead of just going on the website, typing my password, and getting in, I'd need to go on the website, type in my username, try to remember which email address out of my 4 addresses I used for this site, go to the website to access the email inbox for the right one of them, login to that email address, wait for the login email to come (which might not come considering how shitty email services are sometimes, with emails being sent but never received, not even in the spam box) if it still hasn't arrived during the 20 previous steps, and then click the link in that email to finally get logged in? Sounds like more trouble than it's worth.
Lokorfi
Waifu
Posts: 2,671
Threads: 30
Joined: Feb 2015
Reputation: 32
07-04-2016, 05:26 PM
#43674 (8)
will it remember to keep me logged in? if so i'm all for it because sometimes i have to close out of lewd too.

Biggest_Mike
♪ MUSIC ♪
Music
Posts: 304
Threads: 39
Joined: Jul 2015
Reputation: 5
07-04-2016, 05:27 PM
#43675 (9)
I have mixed feelings about removing the password for receiving an email to login. What sprung up for this idea to come into action in the future?

What if instead of receiving an email, set up having to answer 1 or 2 questions that we either choose or enter in personally and enter it in a secure page.



Camo Yoshi
WRX > Subpar Sex
Eurobeat
Posts: 54
Threads: 6
Joined: Nov 2015
Reputation: 2
07-04-2016, 05:36 PM
#43682 (10)
I think the option of having a keyfile or AES256 key (a la SSH) would be nice. I personally use a password manager for all my logins to everything so for the people who have this setup will kind of get screwed over by this system. It's not a terrible idea, but I think having it as a option would be a better idea, alongside a keyfile login method.
RX14
Chibi Hentai Master
Optimist
Posts: 506
Threads: 5
Joined: Nov 2015
Reputation: 2
07-04-2016, 05:37 PM
#43683 (11)
(07-04-2016, 04:50 PM)Utsutsu Wrote: idk wouldn't you just get like 5 emails daily? kinda spammy or..?

It's every time you actually log in to lewd, so for most people, that's when they start using lewd with a new computer. I've only actually logged in to lewd maybe 3 times, ever.


(07-04-2016, 05:03 PM)VyraLove Wrote: My opinion, after reading that article, is that it makes no difference to me because apparently it's the same level of security anyways. I also have what's it called.. the authenticator security stuff on my email anyway so I don't have to worry about it.

Yeah, having authenticator on your email means that your email is pretty secure, and therefore your lewd account is pretty secure by proxy.

(07-04-2016, 05:17 PM)Caffeine Wrote: Signing in via email while much more convenient seems (at least on paper) a lot less safe seeing as anyone who gains access to your email also has access to your lewd account whereas so long as you can remember your lewd password your account is slightly safer.

As the article, AND the OP said, if someone gains access to your email, they can use the password reset functionality to gain access to your account regardless. This authentication provides the same or MORE security because there's only one way to access your account (email) instead of two (email, password).

(07-04-2016, 05:26 PM)Kusoneko Wrote: That sort of sounds weird, usually you'd want to improve security by combining email + password + authenticator, not remove security layers (here the password layer) that result in relatively the same level of insecurity as before. Plus, like Utsutsu said, it'd get kinda spammy for emails, and it's quite honestly a major pain in the ass personally, as I tend to go deal with my emails on my phone, thus using the login link from the email on a phone would result in a pretty big fail cause the phone would be the one logged in, not my PC's browser. So, instead of just going on the website, typing my password, and getting in, I'd need to go on the website, type in my username, try to remember which email address out of my 4 addresses I used for this site, go to the website to access the email inbox for the right one of them, login to that email address, wait for the login email to come (which might not come considering how shitty email services are sometimes, with emails being sent but never received, not even in the spam box) if it still hasn't arrived during the 20 previous steps, and then click the link in that email to finally get logged in? Sounds like more trouble than it's worth.

It could send you a link, or time-based PIN. Then you could log in using your phone. As said, the current situation is that breach of email == breach of lewd account regardless, so it's the same security level. As for adding 2FA to lewd, I'm up for that, and that would be my preferred method for securing lewd (email + 2fa, no password reset possible), but with just email access for people who don't want 2fa.

English animemester
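
An added sketch, not from the thread or the forum's own code base, of the email login discussed above: one request yields both a link and a six-digit PIN, so the link signs in whichever device opens the mail while the PIN signs in the browser that asked. The class name, the 10-minute lifetime and the 5-guess limit are assumptions, and Python is used here rather than Crystal.

```python
import hashlib
import hmac
import secrets
import time

TTL = 600        # seconds a login request stays valid (assumed value)
MAX_TRIES = 5    # wrong PIN guesses before the request is burned (assumed)

def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()

class EmailLogin:
    """In-memory stand-in for a pending-login table (hypothetical design)."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # request_id -> record; secrets stored only as hashes
        self.by_link = {}   # sha256(link token) -> request_id

    def start(self, email):
        """User submits an address. request_id stays in that browser's cookie;
        link_token and pin go out in the email."""
        request_id = secrets.token_urlsafe(16)
        link_token = secrets.token_urlsafe(32)
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[request_id] = {
            "email": email, "expires": self.now() + TTL, "tries": 0,
            "pin": _h(request_id + pin),
        }
        self.by_link[_h(link_token)] = request_id
        return request_id, link_token, pin

    def _consume(self, request_id):
        """Single use: the record is removed whether or not it is still valid."""
        rec = self.pending.pop(request_id, None)
        if rec is None or self.now() > rec["expires"]:
            return None
        return rec["email"]

    def finish_with_link(self, link_token):
        """Logs in whichever device opened the emailed link."""
        return self._consume(self.by_link.pop(_h(link_token), None))

    def finish_with_pin(self, request_id, pin):
        """Logs in the browser that started the request, PIN read off the phone."""
        rec = self.pending.get(request_id)
        if rec is None:
            return None
        if hmac.compare_digest(rec["pin"], _h(request_id + pin)):
            return self._consume(request_id)
        rec["tries"] += 1
        if rec["tries"] >= MAX_TRIES:
            del self.pending[request_id]
        return None
```

Because the PIN is only accepted together with the `request_id` held by the requesting browser, a guessed PIN is useless from any other session, and the guess limit bounds brute force within one.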
RX14
Chibi Hentai Master
Optimist
Posts: 506
Threads: 5
Joined: Nov 2015
Reputation: 2
07-04-2016, 05:41 PM
#43684 (12)
(07-04-2016, 05:26 PM)Lokorfi Wrote: will it remember to keep me logged in? if so i'm all for it because sometimes i have to close out of lewd too.
Of course, this system will only be used after manually logging out, or on a new computer. Where you would enter your password normally.

(07-04-2016, 05:27 PM)Biggest_Mike Wrote: What if instead of receiving an email, set up having to answer 1 or 2 questions that we either choose or enter in personally and enter it in a secure page.

So, a password?


(07-04-2016, 05:36 PM)Camo Yoshi Wrote: I think the option of having a keyfile or AES256 key (a la SSH) would be nice. I personally use a password manager for all my logins to everything so for the people who have this setup will kind of get screwed over by this system. It's not a terrible idea, but I think having it as a option would be a better idea, alongside a keyfile login method.

How will you get screwed over? Just don't add it to your password manager. Your email account details are your new lewd login details. SSH auth (ssh to this ip, type code returned by ssh) would be nice, but a much later thing I would implement.

Kusoneko
Cute sleepy lewd nekomimi
Waifu
Posts: 120
Threads: 2
Joined: Dec 2014
Reputation: 2
07-04-2016, 05:51 PM
#43688 (13)
Well, if you implement 2FA as an alternative to this, email login thingy, then I don't really mind.
RX14
Chibi Hentai Master
Optimist
Posts: 506
Threads: 5
Joined: Nov 2015
Reputation: 2
07-04-2016, 06:00 PM
#43693 (14)
(07-04-2016, 05:51 PM)Kusoneko Wrote: Well, if you implement 2FA as an alternative to this, email login thingy, then I don't really mind.

It would be email plus 2fa, except you can't reset your 2fa backup codes via email so that it's actually two-factor. Typing a code across from your phone to your PC shouldn't be hard...

Kusoneko
Cute sleepy lewd nekomimi
Waifu
Posts: 120
Threads: 2
Joined: Dec 2014
Reputation: 2
07-04-2016, 06:11 PM (This post was last modified: 07-04-2016, 06:12 PM by Kusoneko.)
#43698 (15)
Then, it brings us back to the issue I mentioned earlier: sometimes, emails just don't come. They're not in the inbox, and not in the spam box, even after 30 mins. How do you want to login then? Oh wait, you can't cause that's precisely how you're supposed to. Unlike passwords, which you only need to remember your own password, sending an email depends entirely on some service that sometimes randomly fails.
Melancholy
すけべ
Admin
Posts: 3,871
Threads: 213
Joined: Jul 2014
Reputation: 60
07-04-2016, 06:18 PM
#43700 (16)
(07-04-2016, 06:11 PM)Kusoneko Wrote: Then, it brings us back to the issue I mentioned earlier: sometimes, emails just don't come. They're not in the inbox, and not in the spam box, even after 30 mins. How do you want to login then? Oh wait, you can't cause that's precisely how you're supposed to. Unlike passwords, which you only need to remember your own password, sending an email depends entirely on some service that sometimes randomly fails.

Ever since we switched to using mailgun's API for sending emails ~6 months ago or something, we've very rarely had an email not go through.

RX14
Chibi Hentai Master
Optimist
Posts: 506
Threads: 5
Joined: Nov 2015
Reputation: 2
07-04-2016, 06:20 PM
#43701 (17)
(07-04-2016, 06:11 PM)Kusoneko Wrote: Then, it brings us back to the issue I mentioned earlier: sometimes, emails just don't come. They're not in the inbox, and not in the spam box, even after 30 mins. How do you want to login then? Oh wait, you can't cause that's precisely how you're supposed to. Unlike passwords, which you only need to remember your own password, sending an email depends entirely on some service that sometimes randomly fails.

Hmmn, I didn't really consider the reliability of email when thinking about this, and I missed your point in your first post sorry, I'll have a think about this one. I have had emails which take way too long to come through myself.


(07-04-2016, 06:18 PM)Melancholy Wrote:
(07-04-2016, 06:11 PM)Kusoneko Wrote: Then, it brings us back to the issue I mentioned earlier: sometimes, emails just don't come. They're not in the inbox, and not in the spam box, even after 30 mins. How do you want to login then? Oh wait, you can't cause that's precisely how you're supposed to. Unlike passwords, which you only need to remember your own password, sending an email depends entirely on some service that sometimes randomly fails.

Ever since we switched to using mailgun's API for sending emails ~6 months ago or something, we've very rarely had an email not go through.

This could be on the receiving side however, sometimes emails just don't come through.

Kusoneko
Cute sleepy lewd nekomimi
Waifu
Posts: 120
Threads: 2
Joined: Dec 2014
Reputation: 2
07-04-2016, 06:26 PM (This post was last modified: 07-04-2016, 06:27 PM by Kusoneko.)
#43702 (18)
That doesn't make email resistant to fails. The issue can come from any point between being sent from lewd's server to being received by the particular mail server that deals with one's email account. Heck, sometimes I get issues between me and the mail server. It certainly isn't your fault if the mail fails past mailgun's stuff, but it is your fault if we can't login because email is the only way to do so, and email is failing for some reason.
PetersPark
(✿◕‿◕)
lainchan
Posts: 41
Threads: 1
Joined: Jan 2016
Reputation: 0
07-04-2016, 06:30 PM
#43703 (19)
I've been using mozilla persona as my only login authentication on my website and it worked out great. I think this is the way to go and with 2fa it would be even greater. (sure an ssh key would also be awesome)
Nyan
daoko ❤︎
bulli
Posts: 16
Threads: 4
Joined: Dec 2015
Reputation: 0
07-04-2016, 06:39 PM
#43704 (20)
I feel a little too uneasy about abolishing passwords. I don't want to go to my email every time I want to log in. (and yes I know it's for every new device)

It's not a bad concept, though. Sure beats trying to remember your password for each site.
Melancholy
すけべ
Admin
Posts: 3,871
Threads: 213
Joined: Jul 2014
Reputation: 60
07-04-2016, 08:49 PM
#43706 (21)
If we do add it, we will also have SSO options; like Farcebook, Steam, Google+, whatever.

floattube
Sharing: For a better tomorrow
Torrents
Posts: 265
Threads: 4
Joined: Apr 2016
Reputation: 3
07-04-2016, 10:16 PM
#43710 (22)
I think I would prefer passwords tbh. Just seems inconvenient to me. But it isn't my website and it isn't something that will drive me away.
seel
flat is justice
Pumpkin
Posts: 1,240
Threads: 41
Joined: Oct 2015
Reputation: 13
07-04-2016, 10:33 PM
#43712 (23)
(07-04-2016, 10:16 PM)floattube Wrote: I think I would prefer passwords tbh. Just seems inconvenient to me. But it isn't my website and it isn't something that will drive me away.

This is pretty much my sentiment regarding the email login instead of passwords. I also don't like the only other options being to login with another account of mine. I don't want to link shit just so I can login, I'd rather just input a password. None of that facebook, steam, g+ or email bs.

Nodoudt
Happy To Be Here
Kohai
Posts: 34
Threads: 2
Joined: Jun 2016
Reputation: 1
07-04-2016, 11:30 PM
#43714 (24)
I gave the article a solid readthrough, and after the two or three times I went over it, the notion of e-mail security does seem like a novel idea, but perhaps one that needs to be fully fleshed-out in order to be implemented properly.

Personally, I feel that passwords provide a general level of security that should be suitable for most applications, and I certainly doubt that we have a wealth of valuable (albeit personal) information that is worth stealing. Of course, the e-mail system places less accountability on the website administration in the event of a breach, but the likelihood of that is very low in my opinion - especially for a small community such as this. It does seem exciting to adopt this new method of security, but I would at least advise some caution in doing so as it's still a fledgling concept.

The other point to mention is user experience.

Anyone who has ever used a forum is familiar with quickly typing in their username and password and jumping right into a thread - that's how it's always been. The familiarity and procedure of "logging in" would be the biggest hurdle to overcome. Most users might be hesitant to change over methods, but I'm sure they'd get used to it.

In all, this could be a great new way to protect Lewd's users, and the website is new enough that it can adopt the new system without too much of a fuss.

That being said, perhaps it would be best to issue a sitewide poll, and let them decide what they're more comfortable with.

- Nodoudt
tn5421
Sharing: For a better tomorrow
Torrents
Posts: 1,370
Threads: 36
Joined: May 2015
Reputation: 10
07-05-2016, 12:11 AM
#43717 (25)
I think you should just enable 2 factor authentication, personally. I, like most other users, use some kind of password manager and this would inconvenience the large majority of us should passwords not be allowed. I think that this would be fine as an opt-in or even an opt-out measure, though, as long as there were some way to not use it.
