Fair! I did think about this a lot. Initially, I also thought "8 characters of any kind" are fair enough. Then read a lot and decided a bit more security would be good. But honestly, given what you wrote, I did find myself happy that I had an account before this security measurement. So I guess, I'm of your opinion.
However, the app does not enforce lowercase/uppercase. It uses Laravel's uncompromised() function which I think makes sense. It checks against https://haveibeenpwned.com/Passwords.
I'm happy to discuss length! But I think the uncompromised makes sense. But happy to hear any arguments!
If it makes it harder to register, that is still an argument and must be discussed against the argument of security. I'd love to hear other people's thoughts here since security vs usability is always a complicated thing.
Don't make your password requirements less strict. Don't encourage people to use weak passwords that are likely shared across sites. That leads to pain and suffering over the long term.
If you want to reduce friction for people who don't/won't use a password manager, provide a passwordless option like a login link that is e-mailed to them. Yes, people will likely complain about "your service is supposed to be my email, why are you requiring an e-mail to login", in which case they should be using a strong password.
To the person requesting weak passwords: Just set up the Google or Firefox password manager, it will auto suggest a strong password on the registration page and save it for use across devices. There is zero reason to be using the same password across accounts, and a lot of reason not to.
Attackers do actively try passwords you have used on other sites to try to compromise your accounts elsewhere. This happens when services leak passwords or password hashes. If your password is short and lowercase, it really doesn't matter if only your password hash has been leaked, it might as well have just been the password itself. This is the lowest-hanging fruit for attackers.
Thanks for your opinion. I appreciate it. I think that makes a lot of sense.
I also like the idea of passwordless, I'll definitely have a look at that!
There really are only two dials you can turn to increase the security of a password, and that's length of the character set (the characters that the user can use in their password) and length of the password itself.
People should be using a password manager, then they can set that to 100/200 characters. Even if all lower case, it will be unbreakable (assuming a modern/secure one-way hashing algorithm, and the password manager is truly random).
If they are not using a password manager and use something like `waterfall!X` (because you enforce a special character and capital letter) you haven't actually increased entropy by that much, compared to a longer password. Them making up a 100 character password will almost guarantee more entropy than a short password they make up like `waterfall!X`.
Yes, I did read up a lot about password security the last few years. But still, I'm worried a very secure policy restricts people from registering at all, see case above. What would you say is a good compromise?
Another thought I have discussed a lot is, this app is not something critical. It's not online banking, it saves very little about you (as little as possible), etc. - so what does this say about the compromise? If an account was to be compromised, an attacker would only have access to the todos, music, notes of a user. Now, todos and notes could be very telling, but I'm unsure about how much of a responsibility I have as an admin to save users from this? Do you know what I mean?
Yeah I understand. I think my point is don’t add any other friction to the password strength other than length. If you want more security increase the min length, if you’re happy with less, lower it.
I’d personally have a 12 length password enforcement, a password strength meter and nothing else. Possibly less if you introduce 2fa.
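A worked version of the policy argued for in this sub-thread (a length rule plus the breach lookup that the uncompromised() rule mentioned earlier performs: only the first five hex characters of the SHA-1 go to the Pwned Passwords range endpoint, the rest is matched locally). This is an added example, not code from the thread, from solyto, or from Laravel; the range-API response body, its counts and the `fetch_range` hook are constructed/assumed.

```python
import hashlib
import math

# Constructed fixture standing in for the body that the Pwned Passwords range
# endpoint (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>)
# returns: one "<remaining 35 hex chars>:<count>" line per known hash.  The
# 1E4C... suffix is the real SHA-1 tail of "password"; the counts and the other
# suffixes are made up.  A ":0" line is the padding the API can add and must be
# ignored rather than treated as a hit.
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:12\r\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the upper-hex SHA-1 into the 5-char prefix sent to the API and the
    35-char suffix matched locally, so the full hash never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding/blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=None):
    """How many times the password appears in the breach corpus (0 = unseen).
    fetch_range(prefix) -> body; defaults to the offline fixture (assumption)."""
    if fetch_range is None:
        fetch_range = lambda prefix: FAKE_RANGE_RESPONSES.get(prefix, "")
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def entropy_bits(length, charset_size):
    """Upper bound on entropy for a uniformly random password; shows why 100
    lowercase characters beat a short mixed-class one like 'waterfall!X'."""
    return length * math.log2(charset_size)


def validate_password(password, min_length=12, fetch_range=None):
    """Length-only rule plus breach check, the policy argued for above.
    Returns a list of problems; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    count = breach_count(password, fetch_range)
    if count > 0:
        problems.append(f"appears {count} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "waterfall!X", "a" * 100):
        print(repr(candidate[:20]), validate_password(candidate) or "ok")
    print("100 lowercase chars:", round(entropy_bits(100, 26)), "bits")
    print("11 chars from 95 printable:", round(entropy_bits(11, 95)), "bits")
```

Plugging a real HTTP GET into `fetch_range` turns this into a live check; the zero-count padding lines are the edge case that a naive "is the suffix in the body" test gets wrong.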
I’ve been building something over the last year, with probably 1000 hours going into it. A personal management app that does almost everything while being privacy-focused, no-bullshit, open-source and self-hostable. It’s called solyto.
I've been frustrated for a while with what's out there. I'm a data hoarder and love to organize things, but I kept jumping from app to app - started with Notion, but was frustrated with speed and then privacy issues. Switched to Obsidian, tried to do everything there, but figured Obsidian is great at notes, but wasn’t meant for writing custom JavaScript code to build libraries. Tried AnyType, found it confusing. Tried lots of other apps and was annoyed by pricy subscriptions, useless AI features and lots of “you should do this” things. There are great open-source options for most everything, but being a software developer at work, I really didn’t feel like stitching together 6 apps to do what I want and also, I found that’s not accessible to everybody.
I just wanted an app that does what I need in my daily life, that is easy-to-use and no-bullshit. So I built solyto. It’s completely free, open-source, self-hostable and community-focused. I’ve been using it with a couple of my friends for half a year and have replaced pretty much every other app I’ve been using. I’d love for this to be useful to others as well and to be some kind of community project - people suggest or wish for things, I (or other contributors) build it and that’s that. No company shit, no money incentives, no other motives.
It does todos, notes, calendars & contacts (with DAV sync to your phone), music library, book library, games library, news, daily trackers, finance tracking, time tracking, well basically almost everything I could think of. And if a thing you’d like is missing, I’d love to build it!
If any of you would like to try it out, you can do so via the website or via GitHub for self-hosting. We have pre-built images, compose files, etc. If anything is missing, let me know!
Anyway, I'd love feedback on this. Any kind of feedback! And of course any questions are also welcome.
Hi Leo, using a valid email and password I get a "There was an error with your registration" error.
Also I wonder... How sustainable is this? Free is great, but what is your income/maintenance model? E.g. you offer calendar which even many paid email providers don't offer.. :-)
Thanks for what looks at the surface like a very sleek tool.. I haven't been able to see it on substance.
Hey gooba!
Thanks for wanting to try it out. And sorry, you ran into this issue.
It appears Laravel's throttling function doesn't work well with my reverse proxy setup. I have disabled it for now. I have just tried it out and registering works again.
Again, sorry for this. This is my first publication attempt and I fear some issue will only show this way.. however, I'm here and happy to fix everything on the fly :)
Oh, and I missed the middle part of your post. Fair question! I do think it is quite sustainable. For that to make sense you might have to know me better, but my perspective is I have a good paying job, I have money and especially time to spare and I want to make things better. So I'm honestly happy to spend money AND time on this to be sustainable. I have a very capable root server to run this on and I have money already reserved to get another one. I'm getting by just fine and I'm more than happy to spend some hundreds of euros a month to make the world a little easier/better for people. I'm also happy to spend my time for this.
I did think a lot about monetizing it, but really I feel like that would skew the whole idea of the app. I want this to be for the community. We struggle enough with enshittification anywhere. I'm in a privileged position where I can build and maintain this. And it's available for self-hosting, so anybody can do so as well.
Now, if we were to hit an insane amount of users, the question might have to be tackled again, but that's far away and I think with the infrastructure I have and can get with my allocated "solidary" budget, it'd really have to get to insane amounts to actually be an issue.
So I'd like to think it is indeed sustainable. I'm doing this to be sustainable. I want to build something people appreciate and use. I'm happy to spend lots on it!
Thanks Leo,
Seems to work again! Very nice and fast onboarding. To be honest I signed up without a specific use case so have to figure out what I really want to do with the tool, but I'm impressed at the sleekness and speed. Everything sleek, unitary design, feels well developed and mature. Very impressive for a freshly launched product!
Small suggestions:
* maybe default-disable some of the modules people are less likely to use (e.g. finance). After doing the selection the onboarding-per-module tries to go through everything - maybe easier to start with 3-5 default and then invite people to add? It feels a bit overwhelming if you don't really know what you want yet. But that might all just be me.
* I noticed DE and ES are "du" but FR is "sie", not sure that was intended, I guess it's AI misinterpreting the prompt (or maybe the eternal DE-FR feud made the "vous" a conscious choice?). The German is also a little clunky but that's quite normal for translations..
* Some info on how to export would be great (e.g. MD notes)
* Maybe you want to make a slight narrative change, from "sign up for free" (which I read first as indicating that a payment request comes later) to "sign up - it's free" and summarise a bit your philosophy as above to make clear that you intend to keep it that way - but maybe it's already there and I missed it :-)
Great initiative, and it's always nice to see people trying to make the world better!
Hey gooba, thanks thanks thanks!
I'll have a go through all your points tomorrow, greatly appreciated! Especially since when you work on something for so long, you just can't see things with fresh eyes anymore. So it really is great to get feedback like yours. So thanks again!
I'm a full-stack software dev, proficient in AI but also sceptical. I've found that staying away from the hype is key. Stop thinking about "WHAT COULD THIS DO", but rather try to find cases where LLMs actually benefit. I've seen so many projects trying to throw LLMs at things that could have been solved deterministically.
My personal opinion is: LLMs give you the power of language. So far we could define rules, based on structured data, we couldn't process unstructured data that well. Now we can use LLMs to take any kind of input and either create responses to it or transform it to structured data. That is a huge leap of advance. But also, there are a million cases where it's not necessary.
On the side, I'm working for an NGO caring about sustainable finance. They have a manually gathered database, they have lots of resources, but most users couldn't care enough to actually click through everything. So offering a chatbot to make that data available seemed reasonable. It works, quite well, and still most requests are so trivial you could have just blocked them.
On my paid job, I'm working for a German radio/TV broadcast station and they're trying to involve AI in solving simple internal user issues. It seems to work quite well. We've built a RAG system based on Qdrant and LlamaIndex and it provides all available information in a format users couldn't find before - because the systems were chaotic and complicated. So in my book, that's a good use case. Users in a very complicated environment with lots of information.
I've worked with OpenAI API, Anthropic API, Azure Foundry, local models, IONOS Model Hub, etc. One thing that keeps coming up is privacy and (in Europe) GDPR-compliance. Use the capabilities of LLMs without sacrificing data that should not go into the next training round.
Anyway, I think LLMs offer a lot of possibilities, but many people tackle them from the wrong side - "what could we do with this?" instead of "what problems do we need to solve?".
What I have asked myself the last few months: I've read about IPv4 becoming scarce a few years ago. I haven't read much about it lately. And I've thought maybe the advance of cloud computing and load balancers kind of mitigated the issue of scarce IPv4?
It officially started becoming scarce in 2011, when IANA, and then APNIC, depleted their IPv4 "free" pools, FWIW. Things have only gotten worse from there.
Cloud computing doesn't mitigate IPv4 issues, it just moves it around. The big cloud providers buy up any IPv4 space they can, leaving less for everyone else. The difference is that they then get to collect rent, by the hour, on any IPs their customers use.
Load balancers...yeah, actually that is a valid approach to reduce IPv4 use, assuming you mean the "reverse proxy" variety of load balancer. Cloudflare's proxy service is doing exactly this, on a pretty huge scale. (Cloudflare can then send the traffic on to an IPv6-only server, regardless of the client's protocol.) The downside is, like cloud, consolidating a lot of infrastructure into the hands of a small number of companies.
That's actually crazy. So I can build a project I love, that does good, but somehow get in a situation where I'm accidentally paying 30.000€ (or 50.000€) to a big tech company? How is that fair? I mean yes, as a software engineer, you ought to reflect on all possible weaknesses, but there was a time when overlooking something meant something completely different than being down 30/50k. That is actually life-altering.
Your kid can do this in a smartphone game designated suitable for children, heavily optimized to exacerbate the possibility, and depending on where you live they can just choose not to refund you.
When the FTC went investigating a decade-ish ago they found Facebook saying the quiet parts out loud: it was all extremely deliberate.
You cannot earn billions a year and not be cheating your users out of their money. It's that simple. They don't care for people, otherwise they wouldn't be putting so much effort in making them poor.
agree. the real problem isn't that hard caps are "technically impossible" — it's that the incentive to build them is backwards. a hard cap that stops a runaway process costs the cloud provider money. a "budget alert" that fires after the fact costs the customer money.
the 10-minute delay in billing processing is doing a lot of work in that logankilpatrick comment. at $4k/minute burn rates, that's still a $40k exposure window
If that happens, you create a support ticket and AWS/GCP/Azure waive it, especially the first time. They're aware that billing per usage can have surprise effects, but at the same time they don't want to kill their customers' workloads and delete their data, so it is what it is.
Exactly! I know, some of those companies sometimes refund you, but if your livelihood depends on it..? That's a crazy situation to be in as a mere developer.
It's quite easy to check responses to other customers in other threads there, and somehow I see quite a lot of "oh, go to that other support" and ghosting.
If you create a support ticket on Hacker News, then yes, you will probably get it waived. It's somewhat sad that HN is their support forum now.
Google has specifically said that certain API keys like Firebase are not secrets (since people will find them)... though Gemini then ended up changing stuff. https://news.ycombinator.com/item?id=47156925
Honestly, if every software project ran an AI-based security check over their code, the software world would probably be more secure. Of course, there are lots of projects that don't need that, having skilled people behind them, but we've seen many popular software projects (even by big companies) that didn't care at all. So even a basic model would find issues.
Also, I find myself thinking more and more that the ability to pay for tokens is becoming crucial. And it's unfair. If you don't have money, you don't have access. Somehow, a worsening of class conflicts. If you know what I mean.
Not only that, even if you would like to pay, the best model providers could decide any day that they want to save on cost, so they nerf the responses. Then you shipping on time is at the mercy of these companies.
If you spend months shipping slop, because “models will get better and tomorrow’s models can fix today’s slop for me”, what happens when they not only do not get better, but actually get worse, and you are left with a bunch of slop you don’t understand and your problem solving muscles have gotten weak?
IMO this is the only way model providers can survive in the long run, bank on their users' overreliance on them resulting in diminishing capabilities. This gives them leverage to increase prices without any pushback.
Good point indeed! I've been feeling Claude Code has gotten worse for a while now, read many articles on it, overall probably due to cost saving. But if you set your things up to depend on it, that becomes a huge issue.
All the news regarding AI finding weaknesses or "hacking" stuff - is that actually hacking? Isn't it also a kind of bruteforce attack? Just throw resources at something, see what comes out. Yea, some software security issues haven't been found for 15 years, but not because there were no competent security specialists out there who could have found it, but most likely because there is a lot of software and nobody has time to focus on everything. Of course, an AI trained on decades of findings, lots of time and lots of resources, can tackle much more than one person. But this is not revolutionary technological advance, it is an upscaling of a kind based on the work of many very talented people before that.
I think that this waters down "brute force" to the point of meaninglessness. If employing transformer architectures trained on data to hack a system is the same as using a for loop to enumerate over all possible values, then I have to ask, can you give an example of an attack that isn't brute force?
Well what kind of meaning do you find in brute force?
I'm not saying it's not effective. I just criticize the news that make it look like AI is a revolutionary advance in security. It is not. It makes skills available to many more people which is cool, but it is based off of training - training on things people did. It doesn't magically find a new combination of factors that lead to a security issue, it tries things it's read about. That's not meaningless. It could even be democratizing in a way. I just hate all this talk that "this model is too scary to release in the world".
But I'm happy about any feedback or critique, I might just be wrong honestly.
I'm not the person who responded to you, but I think of a brute force attack as essentially translatable into brute (dumb) force (effort). No thinking, no decision making, but the process is known. Here is a pile of stones, move that pile of stones from here to over there. In the case of most brute force, you think of it like cracking passwords. You have an algorithm or you have a giant pile of passwords. Move those passwords over to try them on this hash. The processor is doing the heavy lifting on the simple task.
Philosophically you could try to differentiate between the human side of the effort versus the computer side. You could also differentiate from a really dumb model and a really smart model. A dumb model just spinning its wheels and hoping it gets lucky, versus a smart model actually trying intelligent things and collecting relevant details.
In these cases I think we're assuming a sufficiently smart model making well reasoned headway on a problem. Not sure I would fall on the side of the camp that would label this as brute force by default in all cases. That said, there may be specific scenarios where it might seem fitting even when using a smart model.
Enshittification at its best. I used Postman for several years before it became unusable for me. Didn't actually think too much about it, tried several alternatives (ApiDog, Bruno), but none came to the comfort Postman gave me before that.
Now I understand if engineers spend lots of time on software, somehow they need to get paid. But I still believe there is a more authentic and acceptable path than what most companies do - make people dependent, make the software worse, introduce subscriptions, force you into plans, etc.
I haven't found a good substitute yet. I use Bruno, I use ApiDog, but they feel a little cumbersome at times. Good enough, but not great. I'd have loved to stay with Postman, but I'm not paying that money for an API debug client.
With my team we built Voiden for some of these reasons, initially for our own internal use (building many APIs for our SaaS marketplace). Most of the folks in the team have been Postman power users before so we do remember the time when this was indeed something new.
Problem now is that most of the alternatives out there (including the ones you mentioned) do offer some great things but essentially they feel like variations of the same concepts - so I see them as "Enshittification on the way". Reason we built Voiden is that we wanted something that challenges these ideas. You can try it out and let me know if it resonates: https://github.com/VoidenHQ/voiden.
Apologies for the slight promo - but based on your comment I thought it might be relevant.
I do agree that the overall tendency towards cloud has made things much more complicated and expensive than they need to be in many cases. Cloud has its place, but so do simple server instances. Many projects won't reach any kind of scale that would exceed the capabilities of a medium-sized VPS. We're running a page with 600k users at work that could easily fit on a 30€ VPS. Instead, we moved to AWS and are now paying 800€ for it. No benefits whatsoever.
So yea, stick with what worked for decades if you don't see a reason not to.
Also, I remember reading that StackOverflow runs on a bunch of super powerful root servers?
What the hell. First, I thought this was crazy. How could you do anything crazy with curl? But of course, curling a bash script opens lots of opportunities. Given the right permissions, you could run an enterprise Jira server via only a curl to a bash script.
Still cool that people find more ways to play Doom, but calling it "via curl" seems a little misleading to me. "Playing Doom via a simple bash script" would have felt more appropriate.
Isn't it literally playing it via curl though - curl reads STDIN and transmits that to the server, which responds. The whole bash thing is completely optional and only saves you some tty setup.