I get that we Lobsters are in the minority on this, since we tend to have password managers, but I loathe when a site/app makes this the only login option.
My pw manager integration and TOTP is fast; waiting for an email is not.
Yeah. And it’s a huge pain on the (admittedly rare) occasions when I want to log in to the site on some computer that isn’t mine: now I have to log in to my webmail too, and make sure to remember to log out of it once I’ve grabbed the magic link.
And trust that you aren’t being key-sniffed the whole time. There aren’t many other people’s computers that I would trust to login to the email account linked to password recovery options… MFA should be a backstop, but I don’t trust services to implement it properly and not provide some back channel to bypass it if you otherwise have compromised the linked email.
I feel there’s been an uptick in this sort of login behaviour in the past few years. There are several websites I have to use that now require SMS 2FA or (worse) email 2FA every time, with no “remember this device” option. Really annoying.
My other pet peeve is when registration forms don’t say what the password character limit is, so I have to binary search it down from the very long passwords I usually generate.
Perhaps I’m stupid but to me this looks like a fairly secure option, if you don’t mind the extra steps required to login.
At least their account is not protected by a weak password, or a reused one.
It’s basically fine in my opinion. I don’t like that it couples the security of one system to another so tightly, but any site that allows password resets via email in the same way is comparable in security to this, with the exception that if some malicious prankster with access to your email resets your password you’re likelier to notice than if they can just login and delete the magic link. That matters, but not tremendously.
I kind of doubt that someone who uses this process is setting strong passwords, though.
Come to think of it, I’m curious how they are coming up with the passwords. If they have one password they reuse everywhere, and they’re just typing it in off the top of their head, why not just log in the straightforward way with that password? (I guess this question is kind of the crux of the OP.) If they are coming up with new passwords each time, where are those coming from? Banging on random keys isn’t likely because most sites force you to enter the same value twice. Using a computer to generate a password seems right out for this type of user. Maybe they have a “password base” they use everywhere, and when asked for a password they use goredsox2024 or whatever the current year is.
You’re assuming these users have bad passwords, which is fair, but IMO your email account is the most important piece of your security chain, given that every online account out there is tied to it.
The method presented here is very close to using a password manager, just with a few extra steps.
Your email account is the manager, and when you need to login, you “open” the password manager to get the pass and login. The only difference is that you’re getting new passwords each time instead of retrieving the one you initially set.
I take your point, but one of the benefits that a password manager usually brings is that the user ends up with really strong passwords. (If your password manager will come up with GB*6MXmTiwwejGWceyYn9!s!pX*jYHkGGUnB3Atp9-@GL4bbR and remember it and even type it in for you, then why not?) But if users are approaching the “reset your password” form with the attitude of, “I just need to type the same crap twice here and then never think about it again,” then I think it’s a bad idea to assume that they’re getting anywhere near the security level of typical 1Password/Lastpass/etc. usage.
Now it makes sense to me. I guess this is where the “magic link” login method comes from? By “magic link” I mean, sites (like Slack) where you don’t even have to set a password, but just login via a single use link to your email?
I actually do this all the time because, even with a password manager, they’re imperfect. Things have improved a lot but especially if I’m doing a mobile login or something, or if it’s a shared account with family, etc, I can’t rely on my password manager.
We actually did this explicitly for our AWS root user at my company. It had to use an email recovery, because we deemed it the most secure option - the password was set to a 64bit random value, or something along those lines, and never written down.
Email is super easy and reducing my auth to “is my gmail authed” is awesome because gmail is arguably one of the safest, most easily-secured systems I interact with daily. I have APP and (at work, at the time) CAA.
A password manager is genuinely more convenient but tbh only by a bit. For many situations, like mobile, getting a password reset email is kinda easier.
A few times people have tried to make this kind of workflow avoid having a password at all:
The problem is that you need a million logins for a million websites or apps.
Single SignOn is also bad, but it has its advantages, if you just know that one password…
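A minimal server-side sketch of the single-use, time-limited link discussed above, added here as an example rather than code from the thread or from any site it mentions; the 15-minute lifetime, SHA-256 storage of tokens and the class and method names are my assumptions.

```python
"""Single-use, time-limited magic-link token store (added example, not from the thread).

Assumptions: a link is valid for 15 minutes, only the SHA-256 of the raw token
is stored server-side, and a token is removed the first time it is redeemed,
so a link found later in a mailbox cannot be replayed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity window


@dataclass
class _Pending:
    email: str
    expires_at: float


class MagicLinkStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._pending: Dict[str, _Pending] = {}  # token hash -> record

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked table then yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for `email`; the raw token goes only into the mail."""
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        self._pending[self._digest(token)] = _Pending(
            email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the email for a valid token and consume it; None otherwise."""
        rec = self._pending.pop(self._digest(token), None)  # pop = single use
        if rec is None or self._clock() > rec.expires_at:
            return None
        return rec.email

    def revoke_all(self, email: str) -> int:
        """Drop every outstanding link for `email` (e.g. after a mailbox change)."""
        stale = [h for h, r in self._pending.items() if r.email == email]
        for h in stale:
            del self._pending[h]
        return len(stale)
```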
What are APP and CAA? (Searching for “Gmail APP” seems unpromising. :-) )
Advanced Protection Program and Context Aware Access.