Passwords Considered Harmful

Passwords, plainly, are not only bad at their intended purpose, but nearly everyone is incapable of using them correctly. That includes both developers, and users. Meanwhile they’re a constant security risk, not only because individual passwords can be broken, stolen, guessed, or given away. But also because, if you have no other data than email and password pairs you do have something worth stealing. Painting an even larger target on your back. It’s time to stop using password for authentication. Passwords should be considered harmful, and you should avoid them whenever possible!

First, consider what problem passwords solve. User authentication. No, really, that’s it! That’s the only thing they’re good for^{1 2}. Passwords are shared secret between the server and the client. I have to start with this because I’ve had to dispel the notion that they have something to do with authorization. But that’s different problem entirely. A user account may be authorized to do many things, but each only has a single password.

Security professionals have known passwords are bad for a long time. If you don’t believe me, watch me predict the future. When you’re ready, ask your nearest information security person what’s the gold standard for account security, then come back. (I promise not to change the text while you’re gone) They said Two Factor Authentication³. Now, I know what you’re thinking, and no, it’s not magic. It’s that passwords are so broken that a password and literally anything else is current best practices.

Passwords make the user experience suck too. Think back, whens the last time you were trying to use a site, perhaps an online shopping site. You’ve added everything you want to the cart, ready to check out, when you forgot your password? If you can actually remember a time, I’m sorry. Not just for you, but for the site as well – frustration is the memory you have of using their software. How many friends are you gonna refer to them now? Is it less than it could be?

Say what you will about Facebook’s privacy/security. They’ve built a good UX. They’ve even gone so far as to try to “fix”⁴ passwords. If the password you enter isn’t correct, Facebook will jitter your password a bit, trying different letters, or capitalization trying to “guess” your password for you. As much as learning that hurt me as a security geek, It’s a good idea.

That brings us back to the start. How many accounts to you have easy access to that you don’t know the password to off the top of your head? Even if you don’t have a password manager, I’m willing to bet the number is >= 1. So for that account, requiring a password isn’t authenticating you, it’s authenticating what ever thing is actually storing that password⁵. Which means passwords aren’t even doing the single thing they’re supposed to be doing: Authenticating users. They’re authenticating devices, and there’s already plenty of better ways to go about that. It time to stop using passwords.

I’ve already put my money where my mouth is⁶. MechMark⁷ is a webapp I wrote in a weekend to track who has mechnical keyboard parts they can sell to fellow makers/builders. It doesn’t use passwords at all, instead it’ll log you in via token sent to your email. (If you’re first instinct is to complain that’s not secure, be honest, you were going to let anyone with access to the users email reset the password anyways.) The source is on GitHub if you want to take a look.