💯 Been saying this since I joined Nostr.

nostr:nevent1qqszzfcz45pzkjyc2u6qj80h2ngfvpue0c4tanjnqqagsvethen4mrqpz9mhxue69uhkummnw3ezuamfdejj7q3qxtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsxpqqqqqqz76q8lr


Discussion

I partially agree. My Trezor supports FIDO2, and I'm not worried about that key leaking. It never leaves the device, unlike passwords. I consider this superior to any password manager, and that's saying something coming from me!

I agree that giving your nsec to a website is sketchy. Maybe it's stored in LocalStorage and never leaves your browser, but it's hard to know and even if that's true, it still turns an XSS vulnerability into "my private key has been leaked".

So, the way people are implementing things now… yeah, no. But I think there is potential for cryptographically secure authentication, possibly by just signing each request and not even having a session token.