RTCXpression

Passwords and Password Resets – It’s Time to Get Rid of Passwords

July 17, 2017

It seems we hear about database breaches far too often, and in some of them the passwords are the only thing worth stealing. We need to get rid of passwords.

What if I told you passwords have been unnecessary for years? There's a much easier way to authenticate that costs only a little convenience.

User Names and Passwords

While I'm focusing on regular websites, the same approach works for web applications.

When is a user name and password combination considered secure? When the password is so long and random you can't hope to remember it, which means you need a password manager to keep track of them all.

Would you believe the best way to authenticate is without passwords? I’m not talking about multi-factor authentication either.

It revolves around web browser cookies and one of the oldest Internet protocols, e-mail.

E-mail and Cookies for Authentication

I'm not an expert. Feel free to argue with me. I've tested this and I know it works. What's interesting is that the e-mail channel doesn't have to be confidential as long as the website itself is secure (served over HTTPS), because the link in the message only works from the browser that asked for it.

A website served over HTTPS can set cookies with the Secure attribute, which the browser only ever sends back over HTTPS, so they can't be sniffed from unencrypted traffic (add HttpOnly so page scripts can't read them either). The procedure goes something like this:

  1. The user enters an e-mail address at the website to log in.

  2. The website sets a secure cookie holding a long random token in the user's web browser and stores a matching record (ideally a hash of the token, not the token itself) at the server. The website then sends an e-mail message containing a link with a second random token. The link expires in an hour.

  3. The user receives the e-mail message, clicks the link and lands on the website's verification page.

  4. The website checks that the cookie the browser sends matches a stored pending login, that the link token belongs to that same pending login, and that the link hasn't expired or already been used.

  5. The website logs the user in, starts the session and puts the user on the right page.

To make this as convenient as possible, the login cookie has to outlive the time it takes the user to get to the e-mail. It should last for at least a day and should only be destroyed sooner if the link is used or the user intentionally logs out. Don't confuse this cookie with a session cookie.

This cookie only starts the session. Once the website logs the user in, a fresh secure session cookie takes over and the login cookie can be discarded.
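The five steps and the cookie lifetime rules above, as an added example (not code from the author's CMS or from the original post). It assumes an in-memory store standing in for the site's database, a hypothetical verification URL on example.com, and SHA-256 hashes of every token at rest so a copy of the store can't be turned into a login:

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL = 60 * 60          # the e-mailed link is good for one hour
COOKIE_TTL = 24 * 60 * 60   # the login cookie lives for at least a day


class MagicLinkLogin:
    """Server side of the cookie-plus-e-mail login described above.

    Only SHA-256 hashes of the cookie, link and session tokens are stored,
    so a dump of the server's store does not hand out working logins.
    The dicts are a hypothetical stand-in for a real database.
    """

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested
        self._pending = {}         # cookie hash -> pending login record
        self._sessions = {}        # session hash -> e-mail address

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def start_login(self, email):
        """Steps 1-2: issue the login cookie and the e-mailed link."""
        cookie = secrets.token_urlsafe(32)      # 256 bits of randomness
        link_token = secrets.token_urlsafe(32)  # independent of the cookie
        self._pending[self._digest(cookie)] = {
            "email": email,
            "link_hash": self._digest(link_token),
            "expires": self._clock() + LINK_TTL,
        }
        # SameSite=Lax rather than Strict: the cookie must still be sent when
        # the user arrives by clicking the link from a mail client or web mail.
        set_cookie = (f"login={cookie}; Max-Age={COOKIE_TTL}; Path=/; "
                      "Secure; HttpOnly; SameSite=Lax")
        link = f"https://example.com/login/verify?t={link_token}"  # assumed URL
        return {"cookie": cookie, "link_token": link_token,
                "set_cookie": set_cookie, "link": link}

    def complete_login(self, cookie, link_token):
        """Steps 3-5: the browser presents the cookie and the link token
        together.  Returns (session_token, None) or (None, reason)."""
        key = self._digest(cookie)
        record = self._pending.get(key)
        if record is None:
            # Link opened in a browser that never started this login
            return None, "no pending login for this browser"
        if self._clock() > record["expires"]:
            del self._pending[key]
            return None, "link expired"
        if not hmac.compare_digest(record["link_hash"], self._digest(link_token)):
            return None, "link does not belong to this browser's login"
        del self._pending[key]                  # single use: no replay
        session = secrets.token_urlsafe(32)     # the real session cookie
        self._sessions[self._digest(session)] = record["email"]
        return session, None

    def whoami(self, session):
        """The e-mail address a session cookie belongs to, or None."""
        return self._sessions.get(self._digest(session))

    def logout(self, session):
        self._sessions.pop(self._digest(session), None)
```

The cookie and the link carry two independent random tokens, so someone who reads the e-mail gets a link that is useless without the cookie, and someone who steals the cookie has nothing without the mailbox. Consuming the pending record on success is what makes the link single-use; the long Max-Age on the login cookie is what gives the user a day to reach the e-mail.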

A Matter of Convenience

The most convenient way of logging in is to enter a user name and an easy-to-remember password. It's also the least secure. Are you willing to trade security for convenience?

E-mail clients are available for just about every computing platform we use, from cell phones to desktop computers. Web browsers are available for just about every computing platform we use as well. If an e-mail client isn't available, web mail is a good alternative.

There are other ways to authenticate without passwords. I don’t think any of them are any better than this. You don’t have to buy extra hardware or software to do it this way.

If a password isn't used for anything but your e-mail account, you only have to remember that one password, not dozens, hundreds or thousands for all the websites you have to log into. That also makes the e-mail account the key to everything else, so it deserves the strongest password you have and any extra protection the provider offers.

I have choices to make with the CMS project I’m working on (off and on). If I make it for offline use only, uploading completed pages, authentication isn’t really necessary. If I make it work online as well, authentication is definitely necessary. The e-mail method is the only method I’ll use if I set up authentication.

Categories: Technology


RTCXpression established Feb 28, 2011
Copyright © 2013-2017 RT Cunningham
Hosted at Digital Ocean