💯 Been saying this since I joined Nostr.
jb55
password managers generate a unique password for each website. this means if one of your passwords leaks it won't compromise any of your other website logins. nostr-login is a regression: if you leak your nsec then they have access to every website that you've ever logged in to. using your npub for logging into everything is a really bad idea security-wise, please be conscious of this before implementing or pushing this as a login solution to websites which may contain sensitive information.

Replies (4)

I partially agree. My Trezor supports FIDO2, and I'm not worried about that key leaking. It never leaves the device, unlike passwords. I consider this superior to any password manager, and that's saying something coming from me! I agree that giving your nsec to a website is sketchy. Maybe it's stored in LocalStorage and never leaves your browser, but it's hard to know and even if that's true, it still turns an XSS vulnerability into "my private key has been leaked". So, the way people are implementing things now… yeah, no. But I think there is potential for cryptographically secure authentication, possibly by just signing each request and not even having a session token.