So are you working to do any of this? Or just telling us how to do it? I hear lots of security experts who love to tell me how to do things, but most don’t either talk to actual users or build systems for other people to use. It’s like all the security experts getting pissed at Signal for using phone numbers, but nobody built a version that really worked without phone numbers, even though it’s open source and they kept saying it’s really important.

Or how security folks tell users not to reuse passwords, but it was a couple of decades before people admitted that was an insane impossibility and switched to passkeys that come with managed software.

We created OAuth to solve this same basic problem: keep users from putting usernames and passwords into random apps. The effect of platforms switching to OAuth was that all power got concentrated in centralized platforms.

I’m sick of security researchers who tell us how software should work. If you think we’re doing it wrong, build a better solution.