January 1, 2025

Rethinking passwords

The more frequent a behavior, the harder it is to be aware of its existence. Looking up, I count 260 unique passwords saved in my password manager. Many of these are insufficient by themselves: the service requires a second method of authentication before it accepts my credentials. If passwords alone are not enough, why have them at all? If achieving sufficient security still demands a code from an app, an email, or a phone, why not rely solely on the strongest method?

Passwords are the vestigial tailbone, a remnant of simpler times when we only needed one six-character password for everything on the internet. That is no longer possible. To cope, we've added more characters, enforced special characters, and banned sequential patterns. Yet the problem persists. Social logins were introduced as an alternative, but people are still wary of sharing their login information with the big identity providers, the usual suspects when it comes to privacy issues.

My proposal is simple: get rid of passwords and authenticate via temporary codes, preferably by email or an authentication app. Skip the password step entirely: don't have it, don't ask for it. Once a one-time code is required anyway, the password adds no meaningful security to the account and is a terrible user experience.
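What "authenticate via temporary codes" has to get right on the server side is where the security actually lives: the code must be random, short-lived, single-use, hard to brute-force, and not stored in clear. The following is an added example written for this post, not code from the author; it assumes 6-digit codes, a 10-minute validity window, a limit of 5 guesses per challenge, an in-memory challenge table, and that delivery of the code (the email or push notification) happens elsewhere.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy (not from the post): 6-digit codes, valid 10 minutes,
# single use, challenge discarded after 5 wrong guesses.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


@dataclass
class Challenge:
    code_hash: bytes   # salted HMAC of the code, never the code itself
    salt: bytes
    expires_at: float
    attempts: int = 0


class PasswordlessLogin:
    """Issue and verify one-time login codes delivered out of band.

    Only a keyed, salted digest of each code is stored, so a leaked
    challenge table is as useless to an attacker as a properly hashed
    password table would be.
    """

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now              # injectable clock, handy for testing expiry
        self._pending: dict = {}     # email -> Challenge (assumed in-memory store)

    def _digest(self, salt: bytes, code: str) -> bytes:
        return hmac.new(self._key, salt + code.encode(), "sha256").digest()

    def issue(self, email: str) -> str:
        """Create a fresh challenge for `email` and return the code to deliver.

        The clear-text code exists only long enough to hand it to the
        delivery channel; re-issuing replaces any earlier pending code.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[email] = Challenge(
            code_hash=self._digest(salt, code),
            salt=salt,
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, email: str, code: str) -> bool:
        """Return True exactly once for the right code inside its window."""
        ch = self._pending.get(email)
        if ch is None:
            return False
        if self._now() > ch.expires_at:
            del self._pending[email]
            return False
        ch.attempts += 1
        # Constant-time comparison: no timing side channel on the digest.
        ok = hmac.compare_digest(self._digest(ch.salt, code), ch.code_hash)
        if ok or ch.attempts >= MAX_ATTEMPTS:
            # Consume on success; after too many guesses force a new challenge.
            del self._pending[email]
        return ok


if __name__ == "__main__":
    login = PasswordlessLogin(secrets.token_bytes(32))
    code = login.issue("alice@example.com")   # in practice: email this code
    print("first check:", login.verify("alice@example.com", code))   # True
    print("replay:", login.verify("alice@example.com", code))        # False
```

Two design points worth noticing. With six digits and five attempts per challenge, an attacker guessing blindly has roughly a 5 in a million chance per challenge, and re-issuing a challenge only resets that after the user has asked for a new code; without the attempt cap the short code would be trivially brute-forceable. And because the mailbox or authenticator app now holds the whole key to the account, the code has to be short-lived and single-use, which is exactly what the expiry and the deletion on success enforce.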

For 2025.
