• I make websites
  • If someone is banned twice (two accounts) I want it to take them more than 5min and a VPN to make a 3rd account
  • I’m okay with extreme solutions, like requiring everyone to have a Yubikey-or-similar physical key
  • I really hate the trend of relying on a phone number or Google capcha as a not-a-bot detection. Both have tons of problems
  • but spam (automated account creation) is a real problem

What kind of auth should I use for my websites?

  • steersman2484@sh.itjust.works
    link
    fedilink
    arrow-up
    47
    ·
    7 months ago

    Create your input for email and password with the id / name “email” and “password” and hide them with CSS. Then you create the real inputs with an id like “zipcode” or some other thing that would throw bots off.

    Password managers hate this trick

    • ReveredOxygen@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      5
      ·
      7 months ago

      It’s not as bad if it’s only on sign up, because you’re normally not autofilling there. But it’s still bad for accessibility

      • Zagorath
        link
        fedilink
        English
        arrow-up
        8
        ·
        7 months ago

        It’s definitely not as bad for sign up, but it’s still a problem because usually after hitting “submit”, the password manager will detect what you just did and pop up something like “want me to save that?”