What We Think About Passwords

We rethought the classic authentication pattern.

About a year ago, I wrote an article for Smashing Magazine called The Current State of Authentication: We Have a Password Problem.

In it, I talk about the flaws with the username/password authentication model, and I present some viable alternatives.

Really Simple Store’s dashboard is the culmination of everything I think about the current state of authentication. It’s my ideal authentication model for a SaaS dashboard.

There were a few things I knew going in.

  1. I wanted some form of one-click sign in (for people who will never remember a password)
  2. I also wanted a way to sign in without opening email (for people who remember passwords)
  3. I needed to deemphasize the password, without deemphasizing security

We need an instant, one-click sign in because no one can remember all of their passwords, and some people choose not to try. This is for them. It also covers people who sign in less often or whose priorities lie elsewhere and who have no need to memorize their store’s password.

The thing is, password-less services that only do one-click sign ins become tedious if you sign in and out a lot. People whose main activities are managing their site and store would find it irritating to switch applications every. single. sign in.


We send a one-click link as soon as you get a password wrong. We use the email from the sign in attempt, and when signing in fails, any frustration is met with a concrete solution:

“Your password is wrong, but no big deal, a one-click sign in link is waiting in your email.”

We take advantage of passwords where they are useful, but ultimately, we deemphasize their importance. First off, we use the term “passphrase.” You can read about passphrases in the article I linked to above, but in short, it’s a more modern version of a password.

We also don’t use password confirmation fields, and we never have password rules (we encourage multi-word phrases, but that’s just a recommendation).

Once someone is one-click signed in, we further deemphasize the password by skipping a password reset prompt. Normally, after clicking a “forgot password” link, people are accustomed to a password reset prompt. We think if someone cares, they’ll reset it through their account settings. If not, they can just use a one-click link to sign in again next time.
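As an added illustration of the flow described above (example code, not Really Simple Store’s own): a wrong passphrase triggers a one-click link to the address from the attempt, the link token is random, stored only as a hash, time-limited and single-use, and signing in through it sets no reset prompt. The dashboard URL, the 15-minute lifetime and the sample account are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

LINK_TTL_SECONDS = 15 * 60  # assumption: a one-click link is valid for 15 minutes

@dataclass
class Account:
    email: str
    salt: str
    passphrase_hash: str  # demo only: salted SHA-256; use argon2/bcrypt for real storage

def _hash_passphrase(salt, passphrase):
    return hashlib.sha256((salt + passphrase).encode()).hexdigest()

@dataclass
class AuthService:
    accounts: dict                                     # email -> Account
    outbox: list = field(default_factory=list)         # (email, link) mail "sent", captured for the demo
    pending_links: dict = field(default_factory=dict)  # sha256(token) -> (email, expires_at)

    def sign_in_with_passphrase(self, email, passphrase, now=None):
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct and hmac.compare_digest(_hash_passphrase(acct.salt, passphrase), acct.passphrase_hash):
            return {"ok": True, "session_for": email}
        if acct:  # wrong passphrase: mail a one-click link to the address from the attempt
            self._send_one_click_link(email, now)
        # Same reply whether or not the address has an account (hardening added here, not from the post).
        return {"ok": False, "message": "Your passphrase is wrong, but no big deal, "
                "a one-click sign in link is waiting in your email."}

    def _send_one_click_link(self, email, now):
        token = secrets.token_urlsafe(32)  # unguessable; only its hash is kept server-side
        self.pending_links[hashlib.sha256(token.encode()).hexdigest()] = (email, now + LINK_TTL_SECONDS)
        self.outbox.append((email, f"https://dashboard.example/one-click?token={token}"))

    def sign_in_with_link(self, token, now=None):
        now = time.time() if now is None else now
        # pop() makes the link single-use; a reused or unknown token finds nothing
        entry = self.pending_links.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or now > entry[1]:
            return {"ok": False}
        # Signed in without a passphrase, and deliberately no reset prompt
        return {"ok": True, "session_for": entry[0], "prompt_passphrase_reset": False}

def make_demo_service():
    """Constructed sample account (not real data) for exercising the flow."""
    salt = "demo-salt"
    acct = Account("owner@example.com", salt, _hash_passphrase(salt, "correct horse battery staple"))
    return AuthService(accounts={acct.email: acct})
```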

I’d love to know what anyone thinks about this setup. If you want to try it yourself, spin up a store!

Our mission is to help makers make a living, and we’re doing it through products, education, and resources.

If you want to learn more about Really Simple Store, we’re writing a lot here on Medium. If you have any specific questions, email me at drew@reallysimplestore.com, and I’ll write about it.
