• @Bytemeister@lemmy.world
    13
    2 days ago

    It’s different because the site doesn’t have a hash or (worse) a plaintext copy of your password to compare. If they get hacked or lose your data, your email password is not exposed.

    So it is very different than just reusing your email password, and I hope I have changed your mind.

  • @ricecake@sh.itjust.works
    62 days ago

    It’s functionally equivalent to the security of the account recovery process.

    So it doesn’t reuse the password, since the second site can’t lose the password it doesn’t have, but it sets the limit on the security of the login to that of the security of the email provider’s login.
    Usually, that’s actually an improvement, since the big email providers most people use tend to enforce reasonable minimums, have good security teams, and people tend to secure their emails better than random sites.

  • lurch (he/him)
    42 days ago

    it confirms the person trying to log in has access to the email. for example the guy remembering your password from watching you enter it, can’t use it to log in later as he doesn’t get the code.

    still, there are better ways.

  • @TootSweet@lemmy.world
    12 days ago

    I would rather more places require email verification.

    (As lurch said, even aside from any security uses, it can be used to verify ownership of the email address.)

    People fuck up when sharing their email address a lot. And it bugs me no end when I get subscribed to something because someone mistyped TootSweet111@gmail.com when they meant TootSweet1111@gmail.com. (Not my real email address, obviously, but you get the idea.) I’ve had to unsubscribe from other people’s spam more times than I’d like to have.