Can you give me an example of a UX problem that you attribute to the password manager? That'd help me understand.
I often hit problems with 1Password's autofill on particular websites, but by and large I blame the website. Few examples:
* one website expects me to type the PIN then a Symantec VIP OTP token into a single field called "password". That's a (possibly deliberately) password manager-hostile design. I finally got annoyed with it enough to use an open source project called `python-vipaccess` to create a proper `otpauth://totp/...` URL I could add into 1Password and wrote a TamperMonkey script that added separate autofillable fields that would get concatenated automatically. Now 1Password works fine.
* frequently websites will complain about needing a valid credit card number after autofill. I have to go to the field, delete the last digit, add it back, tab away, then it works. I think they have just used the wrong event handlers and never tested it with autofill.
* they often will skip `autocomplete="new-password"` attributes, so my password manager will look for a (nonexistent) current password rather than prompting me for a new one, and/or they won't have the username and new password fields ever in the DOM at the same time so the password manager doesn't save it properly. (Even if it makes sense in terms of user-visible flow to do these in sequence, they can still leave the username in as a hidden form element for the benefit of the password manager.)
I've also hit UX problems in 1Password itself, for example the "quick access" pop-up doesn't reliably appear on the current Space in macOS. (Confusing and annoying to have to switch to another to see it.) But they seem less common.
Thanks for the feedback. It's certainly a challenge to make 1Password work on every website that exists, and even more so to keep it working over time, especially with old items that people created years ago which no longer match the site. We do have a whole "filling and saving" team dedicated to the problem, and we do follow up when users report issues with sites.
I'd love to look into the Quick Access placement. It is supposed to appear on all spaces and sets an NSWindow property to do so. Is there anything particular that you think triggers it (multi-monitor, full screen apps, etc)?
> I'd love to look into the Quick Access placement. It is supposed to appear on all spaces and sets an NSWindow property to do so. Is there anything particular that you think triggers it (multi-monitor, full screen apps, etc)?
Thanks! I haven't seen it in a while, so maybe it's been fixed by either a 1Password or macOS update or is specific to a setting I since changed. But I'll keep my eyes out for if it happens again. I do have a multi-monitor setup.
I do see right now that if I'm on a full-screen app, 1Password's quick access window doesn't show up; if I move to the next space over I see it for a moment and then it disappears. In contrast, Spotlight search will actually pop up directly over my full-screen app, though knowing Apple they could be using some private API for this behavior.
These are tiny paper cuts that add up to pain, like the ones you mentioned that affect me/a tiny portion of the user base so they aren't worth fixing. Is the justification I'm sure that's being made. For example, if site auto detection that you're submitting a form fails that you laboriously have to add field elements in and if the editor is on a different workspace on mac you have to go to the application space/desktop then three finger swipe back to the browser space/desktop and then back to the application space/desktop and then back-and-forth to fill in four different security questions. Tiny stuff like that that really adds up, that make password manager usage go down.
> These are tiny paper cuts that add up to pain, like the ones you mentioned that affect me/a tiny portion of the user base so they aren't worth fixing. Is the justification I'm sure that's being made.
I think it's not only that but also that making site-specific changes (as I did with a TamperMonkey script) is fragile and could get them into trouble if their changes do the wrong thing (immediately for everyone, for some users, or after some site change). Might be better from their perspective to honor the site's stated intent even if that intent is questionable. In my top example, the "password" field actually is a password if the user hasn't enabled 2FA, so the changes I made wouldn't work for 1Password to apply to everyone. They could detect the label "PIN + Token" to gate it, but what if that text changes in a redesign or is sometimes localized into another language? and so on.
In the broadest sense, I agree there are big UX problems, but how much should we expect the password manager to do unilaterally? fwiw even when a bunch of players got together to make broader changes, we ended up with passkeys, which are far from perfect in many ways. (The flows about scanning a QR code from one device to another, without necessarily even knowing which device has a working passkey for that site... the simultaneous confusing offers of different ways of signing in... try talking your vision-impaired father through that over the phone.)
> if the editor is on a different workspace on mac you have to go to the application space/desktop then three finger swipe back to the browser space/desktop and then back to the application space/desktop and then back-and-forth to fill in four different security questions.
Yeah, that sounds similar to my own complaint about quick access opening on the wrong Space, just applied to the main window instead. And of course when you have to use the security questions something else has gone really wrong, like the main password having changed on the site without having changed in your password manager.
* One way I've seen this is when people have overlapped usage in two different password managers (1Password vs either Google Passwords or Apple Passwords). They have import and export (except for passkeys), but it'd be nice if they had an incremental version to help you get out of this mess if you weren't disciplined in switching over all at once.
* Another is that when you change the site's password even while using the password manager, the actual site change and recording it in the password manager's database is hardly transactional. You can click the password manager's update pop-up even if it failed, or not notice it even if it succeeded. Again not really sure how they would address this unilaterally.
> I just hit one. Creating a new document in 1Password, the name of the document isn't preselected, so I have to hit delete to name it. Lots of little tiny shit like that.
I can't expect them to serve every website on the Internet, but a button on 1Password that was in the context menu for the extension that was "report this site is not working 100% perfectly", and they had a team to come in and check up on the site and extract ways to improve their software.
I remember another stupid annoyance. There was one site where passwords were limited to eight characters but the way the password manager entered the passwords. It passed more than the characters along as the password so the password would fail if it auto filled, but if I copy and pasted or typed it manually it would work because the JavaScript had a chance to truncate. The fact that this site was limited to eight character passwords all other conversation, but that was super annoying until I figured it out.
Anyway. I have a love/hate relationship with my password manager.
(I'm Mitch from 1Password.) I do appreciate reading about these kinds of paper cuts and always follow up on them when I see them. We are going to address the item title issue next week, so thank you for that one.
It's true that sometimes very small/simple issues that affect some portion of people can go for a long time. I'd like to find a better way of identifying these and getting to them quicker than just crawling through HN posts. If you have any thoughts or at least issues you'd like us to look into, always open to hear more.
I just hit one. Creating a new document in 1Password, the name of the document isn't preselected, so I have to hit delete to name it. Lots of little tiny shit like that.
ceejayoz> You want to let every merchant I swipe my card at know my age? To improve privacy?
Remember the site guidelines:
SG> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize.
The obvious solution is instead of "every transaction comes with the user's birthday", the vendor can in some way set a minimum age enum of say (13, 15, 18, 21, 25) — a handful of ages that are significant with respect to some law or regulation. Then the transaction succeeds or fails.
As I understand it, Hawaii had environmental concerns with ferries (requiring a review that was never completed), specifically whale/ship strikes and the risk of car-carrying ferries transporting invasive species between the islands. [1] I'm unsure if other islands would have similar concerns about cargo ships or not or if the environmental review would have been satisfactory if they'd just done it on time.
I'd expect ferries and/or small cargo ships to be an attractive option if allowed.
The super ferry was incredible. Being able to drive your car on a different island was such a game changer vs buying flights for the fam and then having to rent a car. I miss it!
I don't think people are upvoting this for the fact at the top of "say something surprising" [1], but it indeed surprised me:
> I can write 500MB/s to a hard drive? that's so much!
Turns out a Seagate 2X18 can write at 528 MiB/s according to its spec sheet. [2] My rule of thumb was that HDDs could do like 100MB/s (aka 800 Mbps) but I guess between density improvements and this new "dual-actuator" class, it's gotten a lot faster. HDD seek time has basically been stuck for 30+ years and probably will remain so but capacity has increased a lot, and the throughput for sequential access probably should scale with capacity [edit: times rpm, thanks Retr0id]. For a while I think it wasn't increasing, but I guess they decided to fix that?
SSDs of course can do way more than 500 MB/s, and you can do better by compressing as you write (depending on your data), and you can stripe across multiple HDDs, but it turns out none of those are necessary.
Meta's first five buildings took between two and three years to build, but Williams is almost done building out 200 MW (additional) off-grid power plants in a year, and to match that they're putting their equipment in tents. That raises questions for me:
* Did they expect the next five buildings to also take between two and three years to build if done in the same manner? I'd hope it'd be significantly faster the second time because they've perfected the design, found good local contractors and suppliers, etc.
* How much of the time was the actual structure vs. all the stuff inside they still have to do with the tents?
* How long are they expecting to keep this? Are they anticipating extra problems like leaking roofs?
* What are the "off-grid power plants"? Is this basically a whole bunch of diesel or natural gas generators? [edit: oh, yes, "The site is also powered by 200 megawatts of modular gas turbines". I wonder if they're trucking in the fuel too.] If so, yuck.
I would guess the real problem is contractors are bottle-necked in good times, but not stupid enough to expand - knowing that bad times will come and they have to pay for all the expansion. (humans can be laid off, but you still need to make the payment on the bulldozer)
That makes sense. Although I have to pick on your example a bit: wouldn't they still need a concrete foundation for all that weight and thus still need bulldozers? Still unsure how much of the work they're actually avoiding.
It's funny because at first I thought it made sense but the more I think about your question the more I'm skeptical. You still need the rack. Power distribution. Data lines. Cooling lines and whatever those connect back to. All the stuff that would have been embedded under the floor has to go somewhere (labor) and still has to be assembled (more labor). So they're saving time on what, the cement and steel shell?
Or is this a building permitting issue where for some reason the bureaucracy surrounding a permanent structure is expected to drag on for years but somehow they got the tents permitted rapidly?
> Or is this a building permitting issue where for some reason the bureaucracy surrounding a permanent structure is expected to drag on for years but somehow they got the tents permitted rapidly?
Good point; some permit loophole might make sense.
It occurs to me this also could still turn out to be a giant failure: these may all still be unpowered, empty tents. They might end up taking two to three years to turn on, might never get a critical permit at all, etc. I'm vaguely recalling some story from Google's past. They had an experimental datacenter (`pq` maybe?) built out of shipping containers. There was some way they had hoped this would be cheaper that (iirc) didn't work out at all because the local fire marshal declared each shipping container to be a full structure and thus an unexpected set of regulations applied. and/or each may also have been required to have an emergency power-off button for the entire facility, which were hit by accident more than one might hope. They never built a second datacenter with that design.
Also remembering that for a long while Google's Dalles, Oregon site had building 1, building 3, and an empty concrete slab between them called building 2. I suppose Meta could have done something similar and had the slabs ready to go long ago.
I think the distinction __s is making is between layer toggles (layer is active between layer key presses, described as stateful) vs layer modifiers (layer is active while layer key is held).
And there are definitely reasons to minimize keyboard state. I've been playing around with programmable keyboards (running RMK in my case) with several thumb keys. My thumb was getting fatigued, so I tried using a layer toggle to avoid having to hold it while using the nav layer. I would hit it by accident and then get confused about why my keyboard isn't doing what I expect ("mode confusion"). That gets awkward, unproductive, and embarrassing real fast. You can display the mode via per-key LEDs and/or an OLED display, but those only help if you actually look down at the keyboard, which is not my habit. (I have thought about using a companion app to display an overlay on my computer's screen when in a non-default layer.)
fwiw, I think most of my thumb fatigue was from using my thumb on modifier keys beneath z/x/c and equivalent on the right, which required folding my thumb underneath my palm. Bad idea.
These keyboard designs have some really interesting ideas, but the ideas aren't all unambiguously good. Some of what are described as thumb keys really shouldn't be used with the thumb. I'm still on the fence about column stagger. I think a lot of the reason people avoid the number row on these keyboards is because the purely vertical reach on a column-staggered keyboard is more awkward than the diagonal movement you make on a row-staggered keyboard. And the idea that column stagger is better because it forces you to use e.g. the ring finger for "c" is based on an idea that it's bad to use the index finger for "c" even with a row-staggered keyboard, and I disagree with that. I also think they're undervaluing muscle memory (or maybe were made for people who never learned to type well on a row-staggered keyboard and are really committed to always using the column-staggered keyboard).
I'm typing on a SoflePLUS2 right now. It's based on the Sofle v2 design, which is described as having a 5-key thumb arc per side. But I try to limit thumb use to the innermost 2 or 3 keys per side after experiencing fatigue. I use the outermost 2 or 3 as opposite-hand modifiers (ctrl, opt, cmd) and try to pull my whole arm in to use them with the same-column finger, instead of treating them as a thumb key that requires folding my thumb underneath my palm as I keep my hand in the home position.
It seems like many in the ergo keyboard crowd are trying to never move their hands from the home position, and I think that might be a mistake. Use a variety of muscles, avoid unnatural positions. More broadly, my understanding is that the research behind using a tented/splayed split keyboard is solid (better shoulder through wrist positioning) but there's nothing really but anecdotal experience supporting the idea that vastly reduced key counts (and associated need for complex layer setups) or column-staggered layouts reduce pain and plenty of confounders (going from unibody to split simultaneously, maybe switching from QWERTY at the same time too, reducing speed, often learning decent form for the first time, often regression to the mean because people switch when they are having problems).
My previous keyboard was a split with traditional row stagger (Goldtouch) that Google's ergo team advised me to try forever ago. I switched recently because I wasn't liking the mushy feel of the keys, that the two "space bars" weren't distinguishable, that it doesn't have an integrated pointing device, and that after such long use I'd worn down the homing indicator on the f/j keys and was struggling to orient my hands correctly. But row-staggered layout was fine IMHO. Made it easier to learn, to switch between it and other keyboards when I had to, and to hit keys further from the home position.
Here's something from Kinesis, who have been designing split ergonomic keyboards for a long time: https://kinesis-ergo.com/wp-content/uploads/Advantage360-ZMK... search for "If your thumbs are sensitive" and "Guidelines for using your thumbs". And note that while they have keys under z/x/c they do not describe them as thumb keys.
In an earlier thread, I wondered [1] if "concentrating around AI-native talent" in a round of layoffs was code for "we're firing all the old people", if "AI-native talent" meant people who had never learned how to do things without AI. Many folks said no, of course not. Well, in this case DigitalOcean has removed all doubt; "AI-native" means exactly that:
> Most of the engineers in this cohort are early in their careers. That was intentional. ... Engineers entering the field today don’t think of AI as a tool they’ve had to adopt. It’s simply how they build. That fluency isn’t something you retrofit into someone; it’s something you hire for directly.
Gosh, that seems like a conclusion someone came to using AI lol.
I agree that intuition is important, and that it's sometimes easier to develop correct intuition without a conflicting bias/habit, BUT... I don't think traditional engineering skills conflict with using AI tools. If anything it's more important, but maybe that's just the recently sprouted gray hair on my head talking
Totally agree. They even vibe-wrote the paragraph I quoted.
I'd go so far as to say people who prompt AI to do something they can't do themselves are essentially non-technical management. I'm not a fan of non-technical managers of humans and similarly not a fan of this approach to AI either when quality really matters. (IMHO it's actually great for prototyping.)
The idea you can only learn to prompt well if you learned prompting before learning how to do the work yourself is strange, maybe even completely backwards. I've never heard teachers say to learn how to do math with a calculator then memorize multiplication facts later. Or anyone say the best managers are ones who first started in management and then developed technical expertise. Why are they so committed to the idea that this skill is so different than all the others?
It's probably a very convenient fantasy though for management types to think these expensive later-career people are useless or even harmful. And maybe said managers are non-technical themselves and don't understand the problems this creates.
Is there a particular domain you'd like to get into? It sounds like you're wanting to build expertise in something other than CRUD app assembly, but my language recommendations might change based on whether that's embedded, game development, distributed systems, system administration, etc.
I don't think in your shoes I'd prioritize learning Zig for any of these domains, though, for a few reasons:
* It's not a pre-req for understanding some existing corpus of important software (which is a big reason for C and C++ in 2026) or the language of choice for some current hot domain (as Python is for AI).
* It's not memory-safe, which (whether via GC or Rust's borrow checker) is increasingly viewed as a critical security attribute.
* It's not stable yet, so I'd expect a certain amount of running to keep in place both in your learning and in avoiding bitrot in anything you write in it.
* From the outside, the community seems strangely hostile as well as elitist.
A few I might suggest instead: Rust (both as a language I personally like and as the most different from the ones you've already touched), Go (which is a good choice for employability), SQL (maybe you already know this one if you're doing CRUD stuff but you didn't list it), bash, and more Python and/or TypeScript.
Hmm. I don't do game development myself, so take this with a healthy dose of salt. But...not necessarily. I think game development might be one of the more varied of the domains I mentioned. If you want to actually focus on the game, rather than learn about engine development, you might want to start with the choice of engine (e.g. Godot or Unity) and learn a language they recommend for integration (e.g. C#) rather than the language the engine itself is written in, as the code you write won't necessarily be as resource-intensive as the engine code itself. Though you certainly could start by picking e.g. Rust and then looking at popular engine/framework options there (e.g. Bevy or Macroquad). It might also vary a lot based on the type of game you're interested in.
> This is a good example of what slips through LLM attention. It forces all allocations to be calloc as if it is a strict upgrade.
I wouldn't assume Claude made that decision; it's not as if that was some incidental thing that it snuck into a large commit. The commit message starts with "zero all new memory from allocations", and that's exactly what the commit does. What do you imagine the prompt was?
It seems totally plausible to me that a human initially thought this was an improvement, then rethought after discovering the RSS regression. And it's not a law of nature anyway that this change has to increase RSS; calloc could special-case the case in which memory was freshly returned from the OS, knowing fresh memory mappings are zeroed anyway.
I blame AI for these regressions mostly in the sense that it caused a flurry of vulnerability reports. Those led to a flurry of quick fixes. Sometimes quick fixes cause other problems.
You don't really have to guess. The guy told us the AI didn't suggest this specific change:
> The change to zero memory was my idea and my change. It was a reaction to a security report I got which caused use of an element past the end of an array. By zeroing the allocation I could ensure that misuse of that memory if a similar bug came up in the future could only cause a null ptr deref, which is better than the chance of a valid pointer.
> It got a claude co-authored tag on it as I got it to do some tidy ups of a series of commits, and that is just what it does when it makes any modification. It doesn't mean the change was written by claude. It was written by me.
How does that prevent reading past the end of the buffer? Or change how bytes outside the buffer are used? Are these arrays of pointers so that the “null ptr deref” comment makes sense?
Or am I the bozo and don’t know what’s happening here?
It doesn’t. It’s just that dereferencing a zeroed pointer reliably crashes the program (unless you specifically do funky things with mmap) but dereferencing garbage memory as a pointer could do a lot more insidious damage.
Haven't looked at the code, but the allocated memory could be larger than necessary to make "off-by-one" or "off-by-a-few" errors less deadly. Then zeroing it out makes it even less so. Defense in depth.
Or it's an allocation for an arena? The zeroing might help trigger 0 derefs earlier if the overrun happens for the object that are then allocated in the arena (and not by allocating more objects than the arena can provide)
The code is part of a function called expand item list. It looks like it over allocates memory and uses a bump pointer for internal allocation, only expanding the allocation when necessary. Thus OOB writes to the list would hit the allocated memory.
You’re not a bozo but it is helpful to read the code.
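The trade-off described in the quoted explanation and the replies above, as an added example (not code from the project under discussion): a toy fixed pool stands in for recycled heap memory, and every name here (`pool_alloc`, `item_list`, `run_scenario`) is hypothetical. The buggy read stays below the over-allocated capacity, so the program is well defined and only the value it finds changes.

```c
#include <stddef.h>
#include <stdio.h>

#define POOL_SLOTS 8

typedef struct { int id; } item;

/* Toy pool standing in for heap memory that is freed and then reused. */
static item *pool[POOL_SLOTS];
static size_t pool_next;

static void pool_reset(void) { pool_next = 0; }   /* "free" everything */

/* Hand out n pointer slots. zero != 0 models calloc, zero == 0 models
 * malloc returning recycled memory with its old contents intact. */
static item **pool_alloc(size_t n, int zero)
{
    if (n > POOL_SLOTS - pool_next)
        return NULL;
    item **p = &pool[pool_next];
    pool_next += n;
    if (zero)
        for (size_t i = 0; i < n; i++)
            p[i] = NULL;
    return p;
}

typedef struct {
    item **slots;
    size_t used;  /* logical length */
    size_t cap;   /* over-allocated capacity, cap >= used */
} item_list;

static int list_init(item_list *l, size_t cap, int zero)
{
    l->slots = pool_alloc(cap, zero);
    l->used = 0;
    l->cap = l->slots ? cap : 0;
    return l->slots ? 0 : -1;
}

static int list_push(item_list *l, item *it)
{
    if (l->used == l->cap)
        return -1;
    l->slots[l->used++] = it;
    return 0;
}

enum outcome { READ_NULL, READ_STALE_POINTER };

/* Deliberately buggy reader: looks at index == used, one element past the
 * logical end. The index is still below cap, so the access itself is
 * defined and only the value it finds differs between the two modes. */
static enum outcome read_one_past_end(const item_list *l)
{
    item *p = l->slots[l->used];
    return p == NULL ? READ_NULL : READ_STALE_POINTER;
}

static enum outcome run_scenario(int zero)
{
    static item old_items[4] = { {1}, {2}, {3}, {4} };
    static item fresh = { 99 };
    item_list first, second;

    pool_reset();
    list_init(&first, 4, 0);            /* earlier user of the memory */
    for (size_t i = 0; i < 4; i++)
        list_push(&first, &old_items[i]);
    pool_reset();                       /* released, contents left behind */

    list_init(&second, 4, zero);        /* new list reuses the same slots */
    list_push(&second, &fresh);
    return read_one_past_end(&second);  /* reads slot 1 */
}

int main(void)
{
    printf("malloc-like: %s\n", run_scenario(0) == READ_NULL ? "NULL" : "stale pointer");
    printf("calloc-like: %s\n", run_scenario(1) == READ_NULL ? "NULL" : "stale pointer");
    return 0;
}
```

Zeroing does not stop the off-by-one read; it only turns what the read finds from a plausible-looking old pointer into NULL, which a check or a crash can catch.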
okay I had not read this or any discussions there (except the one linked in the post), but this looks weirder. the comment you linked is a dev responding to what is very clearly a bot comment. I am sure they have good intentions and I have no reason to believe otherwise as I have no connection to the project whatsoever, but the original commit being 4-5 lines long (what did claude do then?) and the revert description is almost certainly written by an LLM makes in my mind the slop argument stronger.
I hope this doesn't come across as unkind towards the dev who gives their time and energy to the project. Grateful for that.
> the original commit being 4-5 lines long (what did claude do then?)
I've said "rebase onto <newbase>" and let it handle all the merge conflicts. I wouldn't expect this particular commit to conflict with anything, but it could have been part of a big series where it'd be worth doing that instead of running the rebase command yourself. It wouldn't surprise me if I picked up some Co-Authored-By:s along the way.