Let’s Boycott Passwords

What would happen if you forgot all your passwords except one?

Try this: next time a website asks for a password during registration, type in a series of random characters and then forget them immediately. Don’t copy them to your clipboard. Don’t put them in your password manager. Just forget them. Almost every single website and app won’t know that you just forgot your password and will log you in anyway.

In fact for most websites, the only time you even need to know your password is when you log in for the first time on a new device. So what do you do in that case? That’s what the “Forgot your password?” link is for. You’re not even lying, you did forget your password, on purpose. Clicking this link sends you an email with a temporary URL that lets you reset your password; enter a new random string for this password, and remember it only long enough to log in on the new device.

Using this strategy, there is only one password you actually need to remember: your email password.

It sounds scary, but this method actually works. I’ve done it many times when I was too lazy to open 1Password, generate a new password, and paste it into the service I was signing up for. But starting today, I’m going to do this every time I sign up for a new service. And guess what? This is no less secure than using passwords, because you can still reset your passwords by email now, even if you didn’t actually forget them.

Yes, this does make it more clear how important it is ensure that your email is secure, as recent stories like this underscore, but that’s probably a good thing.

Of course, this is all just a temporary measure until all the websites out there realize that they shouldn’t be using passwords. If you are building a website though, and want to be smart, there is a better way:

1. Don’t ask new users for a password anymore.
2. Do make sure you get a secure contact method like an email address or mobile phone number.
3. When a user first registers for your site, provide the client app or browser an access token they can save to allow access to your site. You probably already do this using OAuth.
4. When a user tries to log in on a new client or device, ask them to provide only their username, email or mobile number.
5. Send the user an email or text message containing a temporary link with credentials that will provide an access token that can be stored by the client app. The user will be logged in when they click this link.
6. Optional: If you really want to allow users to opt-in to having a password, you can provide a “Got a password?” link instead of the typical “Forgot your password?” link.

Further reading

Other smart people have suggested we use Passwordless Authentication. Here are some additional resources worth reading:

• Is it time for password-less login?
• More on password-less login
• NoPassword
• Passwordless Products