
FWIW, some sites—like Amazon—allow multiple users on the exact same email address (distinguished by password or other identifiers)



And it is an unbelievable pain in the ass. I accidentally ended up in this situation somehow, and it took me forever to figure out that I had two different accounts with the same email.

If I log into AWS using one account (the one I've had for Amazon.com for more than a decade), I get the console with no resources in it. If I log in with the same email but a different password, I see all of my resources. Absolutely insane.


To distinguish only by password is evil. A token that can be the same over multiple accounts must not be used as an account identifier for login or anywhere else. What if I use the same password on both?


Such an insane user model!

Could you effectively DoS an account by creating thousands of shadow accounts with different passwords?

The login handler is only going to try to bcrypt so many times before timing out.
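An added sketch (not code from the thread or from any site mentioned) of the login path these comments describe, with PBKDF2 from the standard library standing in for bcrypt: every extra account that shares an email costs one more hash verification per login attempt, two accounts with the same password make the login ambiguous, and the unique-email variant is the usual fix. All names and sample accounts are constructed.

```python
import hashlib
import os
import secrets
from collections import defaultdict

# Stand-in for bcrypt: a deliberately slow KDF from the standard library so this runs offline.
ITERATIONS = 50_000

def hash_password(password: str) -> bytes:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)

class SharedEmailStore:
    """Model of the flawed design: one email may map to several accounts."""

    def __init__(self) -> None:
        self.accounts = defaultdict(list)  # email -> [(account_id, stored_hash)]
        self.verifications = 0             # KDF calls spent by the last login()

    def register(self, email: str, password: str) -> str:
        account_id = f"acct-{sum(len(v) for v in self.accounts.values()) + 1}"
        self.accounts[email].append((account_id, hash_password(password)))
        return account_id

    def login(self, email: str, password: str) -> list:
        """Return every account whose hash matches; more than one means ambiguous."""
        matches = []
        self.verifications = 0
        # The handler has no way to pick a row up front: it must try each one.
        for account_id, stored in self.accounts[email]:
            self.verifications += 1
            if verify_password(password, stored):
                matches.append(account_id)
        return matches

class UniqueEmailStore(SharedEmailStore):
    """Corrected design: the email is the identifier, so one account per email."""

    def register(self, email: str, password: str) -> str:
        if self.accounts[email]:
            raise ValueError("email already registered")
        return super().register(email, password)
```

With three accounts on one email, each login costs three verifications, and the two accounts that share a password both come back as matches.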


How the hell do they implement "lost password" resets?



