Have been wondering about this in terms of how safe/secure it may be to use them. Not that a Lemmy account is exactly something to fret a ton over, but I always appreciate a little more peace of mind.

Searching through here I found where Alexandrite’s dev gives a rundown to someone asking in regards to their work, but I didn’t surface similar for others. I’ve tried running some broader searches but haven’t had a ton of luck, so thought I’d ask.

  • ALostInquirer@lemm.eeOP
    5·
    1 year ago

    Thanks! Appreciate this for Lemmynade’s specific process.

    The main danger with the current method of authentication is that you are providing your raw password to a third party, meaning if someone wanted to be malicious it’s fairly easy to do.

    I was thinking that might be the case, but wasn’t sure if it might be some slight tech-paranoia on my part. Was particularly surprised when the apps I’ve looked into didn’t have a redirect to your chosen instance to sign in via browser or something and do a sort of hand off back to the app, but I’m guessing that may have something to do with the current state of Lemmy’s development.

    • silas@programming.devEnglish
      6·
      1 year ago

      Yep, that’s OAuth you’re talking about! It needs to be implemented into Lemmy directly first before any apps or clients can upgrade to it. I’m not too clear where we are in the conversation, but I know one point discussed is that OAuth (and especially another method called OIDC) lean towards something centralized for authentication, and that goes against the decentralized nature of Lemmy.

      For now, the best things you can do as a user is:

      1. Decide which apps, clients, and developers you trust. Inspect privacy policies, ask questions, and review code if possible
      2. Enable 2-factor authentication
      3. Use a throwaway or aliased email (through SimpleLogin or similar)
      4. Use a unique password—one that isn’t used for any other accounts you have