Why are places forcing nsec extensions for login as opposed to just being able to use nsec like a password? #asknostr

Discussion

People like to overcomplicate things. Then pretend that it is better and easier than before.

We need 3rd party extensions to manage our keys for us because we're not able to keep passwords and strings of numbers and letters safe I guess...

Although, I think it's more where you're using it to log in that can't keep it safe....

And I think that's a fundamental flaw with nostr.

Imagine Google, FB, or Apple telling you "yeah we can't keep your password safe, you'll have to install this extension by another 3rd party to use our services." That's basically what nostr clients are saying by not allowing nsec login.

Made by devs, for devs... 🙄

Nostr clients are not Google or FB. They do not take control of your keys, do not take control of your account and therefore cannot abuse your trust.

In fact many websites do exactly what you were saying by implementing social logins. Let a tech giant handle authentication and user gets to manage less usernames and passwords... win win.

I understand all this. Normal people do not, so it's hard to purple pill them because it's too complicated just to log in to a new client or to go from amethyst to primal etc in search of their preferred UI / features.

Imo, nsec bunker fixes this but client support is not there yet.

I can empathize with your viewpoint. There is still a lot that needs to be done to solve these kinds of problems and many more.

I see Nostr as a hold my beer opportunity in regards to how I know to unleash its potential. It would just be nice to be able to team up with a handful of excellent devs to work together on a Nostr FOSS project privately.

Then unleash the fruits of our imaginations. To improve upon a clown world starved for quality posted content. By co-creating the best Nostr tools and apps for the daunting task of making widespread adoption happen gracefully for anyone. Whenever our work is production ready.

As you can see. I'm smoking some of that good shit called having pipe dreams right now. Lol

#nostr

#dev

You seriously want to paste your nsec on their servers?

Once it’s out there… it’s out there…

Easier to pill someone explaining the nsec is the password as opposed to you'll need to trust an extension with it to log into nostr things....

I just tell people..

Here’s a new internet. It doesn’t have a “login”

You use this little add-on app for your browser and it follows you around the internet so you never have to trust another server with your private key or login, or create another profile again.

Until your kid spills milk on your laptop?

Life happens... crazy things happen....right?

Boom, extension gone? Back to your nsec?

I think nsec login should be the standard baseline. This lets new people assume the risk while searching for a UI / features that fits them best, thus allowing desktop/mobile and general nostr client switchability to become easier, while not having much to lose being new. This also allows devs to make the safer "best practice" option things like Amber, nsec.app, etc a subscription for the continual security they provide and earn some sats for their hard work.

I think we're trying to make nostr's "best practices" built in as standard, not paid for features, and it's hurting nostr growth and adoption. 🤷

I tried to self host nsec.app with no luck. I want to verify the code I’m running and what computer is running it.

If a dev has a bug in their app and you trusted them with your nsec.. If compromised, attackers could snatch your entire npub and act as you across the web

I don’t know how you backup your nsec, nor do I care to know tbh. I just know I take best practices by running my own instance of nostr:npub1wyuh3scfgzqmxn709a2fzuemps389rxnk7nfgege6s847zze3tuqfl87ez and nostr:npub1ye5ptcxfyyxl5vjvdjar2ua3f0hynkjzpx552mu5snj3qmx5pzjscpknpr even says on the page “don’t trust me with your nsec”

I know that for me I would rather take responsibility for the actions I take online at every step, best practice for that is not pasting a secret all over the place

Can you reset your nsec like a pw?

No, but what's the point of it if we have to use 3rd party extensions to manage it for us?

Do you trust your bitcoin private keys to extensions? No.

Why am I being forced to with my nsec?

Because then you are instead trusting the website with your nsec.

Websites probably don't want the accusation that they are abusing that trust so they refuse to take your nsec directly.

So pass it over to a 3rd party extension? Makes no sense.

Imo an extension is very primitive, but it was the first attempt. Nsecbunker is better.

My brain is very smooth so please ignore me and my lack of understanding of fundamentals. But it seems to me that you have to trust somebody. So do I do that with habla, coracle, highlighter, &c.? Or do I just do that with Amber?

Using just amber would be best practice on nostr, but that doesn't always fit along with adoption or growth.

Nostr best practices should be things people have to pay for, not the standard. 😉

What do you mean pay for?

Amber etc etc provides you, me, and others a continuous service by keeping our nsec safe.

Why was it made the standard and not a paid for feature?

Because of a dev with a heart o' gold?

While gracious, I feel like it being the standard sets the starting learning curve too high for new folks learning nostr imo. And that could be why we're not growing as fast as we could and should be.... 🤷

Personally, I don't think fast growth is an inherent good. I think a lot of wrinkles probably need to be ironed out. Shoot, Nostr might not even be that platform. I see a lot of rapid development here, which is great, but I don't think it lends itself to mass adoption

It's a feature, not a bug. It's the whole point of nostr. Not giving up control of your account to platforms. Using an extension or app to manage your key is unavoidable and best practice for a protocol such as this. Just like Bitcoin. You don't go plugging your private key into several apps, right?

No, but, I can if I wanted to....

See....Best practice, doesn't always fit with adoption and growth.

Nsec logins should be accepted everywhere at minimum.

Do I need a login extension for #amethyst? No.

I paste my nsec, and I have my account back after flushing my phone because we didn't hit 100k today. Easy.

Hard to purple pill folks with things being this irritating just to log into things nostr related.

Right, for noobs it might be the best option