Medium Kills The Password: Strings Of Characters Are Neither Secure Nor Simple

Medium, a blog-publishing platform, has rolled out an all-new login process. Until now you could only sign in to Medium using Twitter or Facebook, but now you can sign in with your email.

Now, if you click on the sign-in/sign-up button, you’ll see there are three ways to sign in or to create an account. You can proceed with your Twitter account, with Facebook, or directly with your email address without using any password. Yup, you read that right: no passwords. The process is simple: you enter your email address or phone number and, just like a password reset or account verification link, a temporary sign-in link lands in your inbox or on your phone.

“Authentication is serious business. We wanted to make our sign in process as secure and simple to use as possible, across all platforms. Passwords are neither secure nor simple. They’re hard to remember or easy to guess, everyone re-uses them (even though they know they shouldn’t), and they’re a pain to type on mobile. They don’t even keep you that safe.”

– writes Medium’s Jamie Talbot

With this email-only system:

  • You’re automatically notified when someone tries to sign in.
  • The sign-in link expires after a short amount of time.
  • The sign-in link can only be used once.

Medium isn’t alone in adopting this old school email-only system. Passwordless, a middleware for Express and Node.js, uses a token-based authentication system: instead of entering a password, the keys to open your account land in your email inbox or on your mobile number.

According to the Passwordless team: “The classic [username and password] mechanism has by default at least two attack vectors: the login page and the password recovery page. Especially the latter is often implemented hurriedly and hence [is] inherently more risky.”

So nixing the password could reduce the risk. In simple words, if there is no password, no one can steal it or guess it. This doesn’t mean that these new password-free systems are hackproof, but taking everything into account, your only vulnerability is then your email. This approach appears to be a simple, cost-effective way to remove at least some of the potential vulnerabilities.

