RT Cunningham

Passwords and Password Resets - It’s Time to Get Rid of Passwords

It seems we hear about database breaches way too often. In some cases, the only things compromised are the passwords. We need to get rid of passwords.

What if I told you passwords have been unnecessary for years? There’s a much easier way to authenticate, which only drops the convenience level a little.

User Names and Passwords

While I’m focusing on regular websites, the concepts are still viable for online applications.

When is a user name and password combination considered secure? When the password is so complex you can’t hope to remember it. You need a password manager to manage all your passwords.

Would you believe the best way to authenticate is without passwords? I’m not talking about multi-factor authentication either.

It revolves around web browser cookies and one of the oldest web protocols, e-mail.

E-mail and Cookies for Authentication

I’m not an expert. Feel free to argue with me. I’ve tested this and I know it works. What’s interesting is that the e-mail doesn’t have to be secure (it should be) as long as the website is secure (using SSL/HTTPS).

A website served over HTTPS can set secure cookies, cookies the browser only sends back over an encrypted connection, so they can’t be captured in transit and reused. The procedure would go something like this:

  1. The user enters an e-mail address and only that at a website to start the login process.
  2. The website sets a secure cookie in the user’s web browser and stores a matching token at the server. The website then sends an e-mail message with a random link (sometimes called a “magic link”). The link expires shortly thereafter.
  3. The user receives the e-mail message, clicks the link and heads to the login page at the website.
  4. The website checks to make sure the secure cookie matches the stored token. It checks to make sure the link is valid and hasn’t expired.
  5. The website logs the user in, starts the session and puts the user on the right page.

This secure cookie should start the session, letting a secure session cookie take over once the website logs the user in.
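The five steps above, worked through as an added Python example (not code from this post): the server pairs the browser’s cookie value with a one-time link token, rejects expired or reused links, and hands off to a session identifier once both match. It assumes an in-memory store, a 15-minute link lifetime, a placeholder login URL, and that the caller sends the e-mail and sets the cookie; the server stores only a hash of the link token, so a leaked database does not yield usable links.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

LINK_TTL_SECONDS = 15 * 60  # assumption: a magic link stays valid for 15 minutes


@dataclass
class PendingLogin:
    email: str
    cookie_token: str   # same value the browser holds in its secure cookie
    expires_at: float   # absolute time after which the link is dead


def _digest(token: str) -> str:
    # Only the hash of the e-mailed token is stored; the plaintext exists only in the e-mail.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkAuth:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # sha256(link_token) -> PendingLogin
        self.sessions = {}      # session_id -> email

    def start_login(self, email: str):
        """Steps 1-2: return the cookie value to set and the token to put in the e-mailed link."""
        cookie_token = secrets.token_urlsafe(32)
        link_token = secrets.token_urlsafe(32)
        self.pending[_digest(link_token)] = PendingLogin(
            email, cookie_token, self.now() + LINK_TTL_SECONDS)
        # Caller: set cookie with Secure; HttpOnly; SameSite=Lax, then e-mail
        # https://example.test/login?t=<link_token>  (constructed placeholder URL)
        return cookie_token, link_token

    def complete_login(self, cookie_token: str, link_token: str):
        """Steps 4-5: validate cookie and link, then return a fresh session id (or None)."""
        # Pop so the link is single-use whether or not the checks below pass.
        record = self.pending.pop(_digest(link_token), None)
        if record is None:
            return None  # unknown, already used, or tampered link
        if self.now() > record.expires_at:
            return None  # link expired
        if not hmac.compare_digest(cookie_token, record.cookie_token):
            return None  # link opened in a browser that did not start this login
        session_id = secrets.token_urlsafe(32)  # the session cookie takes over from here
        self.sessions[session_id] = record.email
        return session_id
```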

A Matter of Convenience

The most convenient way of logging in is to enter a user name and an easy-to-remember password. It’s also the least secure. Are you willing to trade security for convenience?

E-mail clients are available for just about every computing platform we use, from cell phones to desktop computers. Web browsers are available for just about every computing platform we use as well. If an e-mail client isn’t available, using web mail is a good alternative.

There are other ways to authenticate without passwords. I don’t think any of them are any better than this. You don’t have to buy extra hardware or software to do it this way.

If a password isn’t used for anything but your e-mail account, you only have to remember that one password, not dozens, hundreds or thousands for all the websites you have to log into.

Update July 2, 2018

I have three bank accounts: two in the Philippines and one in the United States. One of the banks in the Philippines sends a code to my phone after I log in, but only if I’m using my laptop. It doesn’t do it if I’m using the app on the phone. The bank in the United States gives me a choice of a code to my phone or one to my e-mail.

It seems like the banks are doing two-factor logins that include a user name and password combination. Again, I don’t think that step is necessary. I guess it doesn’t matter since we’ll all be forced to use biometrics someday.


RT Cunningham
July 17, 2017
Web Development