Small change to Medium takes large axe to passwords

Let's file this under “what could possibly go wrong?”: blogging platform Medium has decided to skip passwords in favour of a one-time-pad* single-use-token approach. If you're a cool kid who doesn't mind your credentials being shared, you can still sign in with Twitter or Facebook, but there still exist Luddites who want to …

  1. Ole Juul

    Medium is just an extension

    I got tired of waiting for medium.com to respond so went to Wikipedia instead, and saw this:

    Users can only create accounts or log in to Medium with a Twitter or a Facebook account.

    From my perspective, if they can't operate independently, they don't get my participation. In other words, I won't be needing any password anyway.

  2. Spaceman Spiff

    One time pad?

    Whoever wrote this article has no clue what a one-time pad is! In such a situation (modern internet access), you need several factors. First is your actual password. Second is a server-provided one-time-use key that you add to your password. This is still not bulletproof, but better than a single-use password sent to your email account, or a normal password that can be hacked. I used such an approach in the 1990s to harden major manufacturing systems. The server would send a one-use salt value that the client would use to help encrypt the user's password. No two communications between the client and server would send the same encrypted text for the password. This is still used by major semiconductor, display, and disc drive manufacturing systems today, 20 years after it was developed. Bruce Schneier would probably tell me that it isn't a particularly strong encryption mechanism, but... :-)
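The mechanism the comment above describes is a challenge-response login: the server sends a fresh single-use value, the client mixes it with the password, and the server checks the result, so a captured exchange cannot be replayed. The sketch below is an added illustration, not the commenter's 1990s code nor anything from Medium; the in-memory user table, the 60-second nonce lifetime and the use of PBKDF2 plus HMAC-SHA256 are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "server" state for the example (not any real system).
_USERS = {}       # username -> {"salt": bytes, "verifier": bytes}
_NONCES = {}      # nonce (hex) -> (username, issued_at) ; removed on first use
NONCE_TTL = 60.0  # seconds a challenge stays valid (assumed value)


def derive_verifier(password: str, salt: bytes) -> bytes:
    # Slow KDF so the stored verifier is not directly reversible to the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "verifier": derive_verifier(password, salt)}


def issue_challenge(username: str):
    # Server step: hand out a random single-use nonce and the user's KDF salt.
    nonce = secrets.token_hex(16)
    _NONCES[nonce] = (username, time.monotonic())
    return nonce, _USERS[username]["salt"]


def client_response(password: str, salt: bytes, nonce: str) -> str:
    # Client step: never send the password, only an HMAC of the nonce keyed by
    # the password-derived key. A different nonce gives a different response.
    key = derive_verifier(password, salt)
    return hmac.new(key, bytes.fromhex(nonce), hashlib.sha256).hexdigest()


def verify_response(username: str, nonce: str, response: str, now=None) -> bool:
    now = time.monotonic() if now is None else now
    entry = _NONCES.pop(nonce, None)  # pop: the nonce is consumed whatever happens next
    if entry is None:
        return False                  # unknown nonce, or a replay of a used one
    issued_user, issued_at = entry
    if issued_user != username or now - issued_at > NONCE_TTL:
        return False                  # wrong user or stale challenge
    expected = hmac.new(_USERS[username]["verifier"], bytes.fromhex(nonce),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)  # constant-time comparison


def demo():
    """Returns (valid login, replayed response, wrong password, expired challenge)."""
    register("alice", "correct horse battery staple")
    nonce, salt = issue_challenge("alice")
    resp = client_response("correct horse battery staple", salt, nonce)
    first = verify_response("alice", nonce, resp)
    replay = verify_response("alice", nonce, resp)   # same capture sent again
    nonce2, salt2 = issue_challenge("alice")
    wrong_pw = verify_response("alice", nonce2,
                               client_response("wrong password", salt2, nonce2))
    nonce3, salt3 = issue_challenge("alice")
    stale = verify_response("alice", nonce3,
                            client_response("correct horse battery staple", salt3, nonce3),
                            now=time.monotonic() + NONCE_TTL + 1)
    return first, replay, wrong_pw, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The replay and expiry checks are what make the server-sent value single-use; without popping the nonce a captured response would work indefinitely. The scheme's known weakness, which the comment's closing remark hints at, is that whoever obtains the stored verifier can compute responses without ever learning the password, so the verifier table needs the same protection a password hash table does.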

  3. foxyshadis

    Your email address is your password

    That's not exactly a one-time pad. In fact, it's probably the least secure password of all, these days.

  4. jarfil

    Removed security mechanism

    On a system with a password, if anyone was to change that password in order to gain access, the next time I was going to use my password it wouldn't work, and I would be instantly alerted to a security breach.

    With an e-mail token, someone could gain access to my e-mail, in whatever manner, and I might never notice.

    I call it a pretty bad idea.

  5. Hawkuletz

    Since almost all online services allow one to use email for password reset (that includes El Reg, I just tried), how is this less secure than the password reset by email?

  6. majelbstoat

    Thanks for the write-up. You're correct that, precisely speaking, this is "no more secure" than a password-based system, and you're also right that some of what's been printed has been... hyperbolic to say the least, especially since the idea has been around since at least 2007 (http://www2007.org/posters/poster1001.pdf). As I pointed out in a follow-up post (https://medium.com/inside/why-passwords-suck-d1d1f38c1bb4) - actually a post written a few months ago, albeit only published internally to Medium - "[an email-based forgotten password mechanism] puts an upper bar on how secure a user can ever be. But at least being notified each time a login attempt occurs potentially makes it functionally more secure, if not theoretically."

    The majority of users choose horrendous passwords. It seems like a reasonable trade-off to not require them to choose (or reuse) another terrible one, and lean more heavily on services that are already very invested in keeping your data safe. After all, if someone gains access to your email, they can probably do whatever they like on virtually *every* service you use.

    As you know, virtually any system can be defeated by a determined enough attacker. Someone could packet sniff emails in transit, modify your domain's MX records, or do any number of other exotic attacks. But someone who can do that would also probably have the ability to throw a botnet at your password too, or crack a less-well-protected site, or get a keylogger onto your machine. Ultimately we're trying to choose an option that keeps as many of our users as safe as possible, by default, without imposing onerous restrictions on them.

    All that being said, we'll of course be keeping a close eye on things. All this is done in service of our users. If this isn't effective at keeping them safe, we'll certainly re-evaluate.

    (Nice headline, BTW :))
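The comment above describes the defensive property that matters for an emailed login link: the token is usable once, it expires, and every use is notified to the account owner. The following is an added sketch of that flow, not Medium's code; the 15-minute lifetime, the placeholder host `example.invalid`, the in-memory pending-token table and the `_NOTIFICATIONS` list standing in for the notification email are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL = 15 * 60   # seconds a link stays valid (assumed value)
_PENDING = {}         # sha256(token) -> {"email": str, "expires": float}
_NOTIFICATIONS = []   # (email, event) pairs; stands in for the login-notification email


def _digest(token: str) -> str:
    # Store only a hash: a leaked pending-token table cannot be turned into working links.
    return hashlib.sha256(token.encode()).hexdigest()


def create_login_link(email: str, now=None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    _PENDING[_digest(token)] = {"email": email, "expires": now + TOKEN_TTL}
    # In a real deployment this link goes out in the email; here it is just returned.
    return f"https://example.invalid/login?token={token}"


def redeem(token: str, now=None):
    """Return the authenticated email, or None if the token is unknown, used or expired."""
    now = time.time() if now is None else now
    rec = _PENDING.pop(_digest(token), None)  # pop: one use, whether or not it succeeds
    if rec is None or now > rec["expires"]:
        return None
    # The part the comment calls "functionally more secure": the owner is told on every use.
    _NOTIFICATIONS.append((rec["email"], "login"))
    return rec["email"]


def token_from_link(link: str) -> str:
    return parse_qs(urlparse(link).query)["token"][0]


def demo():
    """Returns (first redemption, replayed redemption, expired redemption, notifications)."""
    link = create_login_link("alice@example.invalid")
    token = token_from_link(link)
    first = redeem(token)            # "alice@example.invalid"
    replay = redeem(token)           # None: hash removed on first use
    stale_link = create_login_link("bob@example.invalid", now=1_000_000.0)
    expired = redeem(token_from_link(stale_link), now=1_000_000.0 + TOKEN_TTL + 1)
    return first, replay, expired, list(_NOTIFICATIONS)


if __name__ == "__main__":
    print(demo())
```

Note the ceiling the comment acknowledges: nothing here is stronger than the mailbox that receives the link, which is why the notification on every redemption is the user's main chance of spotting misuse.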

  7. This post has been deleted by its author

  8. zalaho

    I think we need passwords anyway, at least these days. Changing passwords again and again actually cannot be safer than before; the key is what your password is and where your password is, I mean its creation and storage. No matter whether the password you set is visible or masked, I believe that someone will know what your password is. So until the technology has become so fast that we can authenticate by our biology, we still need passwords. There is a positive for us in having the safest password and the safest password manager (http://www.passwordmanagers.net/Top-Password-Manager.html) in some way. I prefer to use Free Password Keeper (http://www.passwordmanagers.net/Free-Password-Managers.html) to test and get stronger and longer passwords; compared with those I created by myself, the rate of being hacked has reduced. So in an Internet world filled with risk and privacy issues, a password program will give us safer protection in some way.
