
I don't have passwords for my personal sites. To sign up, a user picks their username and enters their email. There is a logout button if the user wishes to log out. To log in, you enter your email and click the link that is sent to your email address.

Why are we using passwords at all, especially if we register a user's email?

Shurmajee
  • Why not use OpenID, which removes the trouble of finding the email for a specific site in thousands of emails? – user23013 Jul 15 '15 at 06:35
  • @user23013: Then I need to integrate an OpenID library. I remember one major lib didn't work because it made assumptions that weren't true of my site. It's probably fixed now, or documented how to get around it. –  Jul 16 '15 at 04:15

5 Answers


At some point the user needs to be authenticated. The approach that you are detailing will shift this process to the authentication of the email account. Technically it could shift it elsewhere too, but at some point there will need to be a form of authentication.

The problem with delegating the process to a third party is that you place too much trust in (a) their security mechanisms, and (b) the non-secure transport channel for the email. Each of these creates threats that otherwise wouldn't exist in that (a) a poorly protected email host may allow an adversary to access your authentication emails, exposing the fact that your website utilises this mechanism, which means that they simply need to submit a new request, and (b) interception of the authentication email results in the same outcome.

The use of a password introduces a secret that is shared by only the authenticator (your site), and the user wishing to be authenticated. It exists in electronic form for a very short period of time, and within a security environment for which you define the level of protection relative to the threat model.

Arran Schlosberg
    Surely it's not worse than email-based password resets? – user253751 Jul 15 '15 at 07:11
  • @immibis Password resets *are* a significant security hole. But at the very least, they require you to actually go to the site in question and request a reset. If you simply have all login links in your e-mail, the moment someone gains access, he has access to all the sites you're using. Not to mention that many password reset links require you to supply some extra information (like security questions - though I do despise the practice :D). – Luaan Jul 15 '15 at 07:14
    Absolutely @immibis. As soon as I submitted the answer that crossed my mind. Luaan raises a good point in that one needs to know the website in question, but really this is just security by obscurity. I think it amounts to control over your security environment, and a reset link provides that to some degree in that you can require complementary information or even a second factor. – Arran Schlosberg Jul 15 '15 at 07:20

Because that's only a single factor. Sure, it can certainly work, but it also has weaknesses.

First, if someone acquires access to the user's email, then they have automatic access to the site. This is not seen as a big deal for some people (if my email is compromised, then everything else isn't as important), but it is still an inherent weakness.

Second, there is a User Experience impact. Instead of staying on your site to log in, the user bounces back and forth from their email. This isn't a security issue, but it does speak to the reason why your method is not more commonly implemented.

schroeder
  • It's strange that logging in with FB is common and that isn't. I use a separate browser just for FB because I don't want all this spam and tracking. –  Jul 15 '15 at 04:12
    Consider this other factor: emails are sent in the clear. Anyone who has access to the email chain can log in. Even with the FB auth API, the lookups are encrypted and protected. – schroeder Jul 15 '15 at 04:16
    @schroeder How commonly are emails sent over the Internet without TLS in 2015? – user253751 Jul 15 '15 at 07:23
  • @immibis Even if TLS is used for emails it's very rarely protected against MitM/downgrade attacks. – CodesInChaos Jul 15 '15 at 07:51
    @immibis For web mail, not common, but for on-prem enterprise email systems, it's very common. – schroeder Jul 15 '15 at 14:41

So you just made the password a link. What's the difference? In the end, it's just like randomly generating the password for a user (which has been used quite a bit in the past - and most of the time, it meant that you simply kept the registration e-mail in your mailbox).

Clicking on a link isn't a free action - the user is passing some information from his e-mail interface to you. Sure, most of the time nowadays this only means a referral, but that's still a piece of information.

The main problem I see, however, is that you expect the user to click a link in an e-mail you send to him. Most people don't read the links - they just click them. So someone can easily send an e-mail to everyone registered on your site (the recipient has no way of knowing it's really you), and send them to whatever site they want - because you've taught your users that clicking on links in your e-mails is just fine and to be expected. And then you give them the option of YourAwesomeSite Toolbar! and they install it, because they trust you. Or you use a security bug in Flash or Java, whatever.

Remember, people are always the weakest link. They know they're supposed to treat their passwords as a secret. They don't know that anyone can send an e-mail that pretends it comes from you.

Oh, and from a user experience point of view, this is just silly. I don't want to log in to my e-mail and search for one specific message just to log in to your site - that's a great way to simply stop using your site. You may think that it's fine to just keep the user logged in, but that's something I only do with very few sites - I tend to avoid persistent sessions (and saving passwords). And as for your Facebook example, indeed, I only open it in a separate browser and in an anonymous session - the same as with any other annoying tracking site. Consider if you had to log in to Facebook by clicking an e-mail link - do you see the problem with that now?

Luaan
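Arran Schlosberg's answer argues that a password is a secret that exists in electronic form only briefly and inside an environment the site controls, and Luaan's answer above says the link scheme "just made the password a link". The following is an added example (not code from the question or from any of the answers) showing what the server side of that link would have to look like for the comparison to hold: the link token is a fresh random secret, the server stores only its SHA-256 so a leaked table yields no usable links, each token is single-use, and it expires after a short TTL. The `MagicLinkStore` class, the `selector.verifier` token layout, the 10-minute TTL and the injectable clock are all assumptions made for this illustration.

```python
"""Magic-link issue/redeem demo (added example, not from the original post).

Design points a reviewer of the question's scheme would ask about:
  * the raw token is high-entropy (256 bits) and is never written to storage;
  * the stored record holds only sha256(token), so a database leak is not a
    collection of working login links;
  * a token is redeemable once and only within TOKEN_TTL_SECONDS;
  * the comparison of the presented token against the stored hash is
    constant-time (hmac.compare_digest).
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 600  # assumption: a 10-minute validity window


@dataclass
class PendingLogin:
    email: str
    token_hash: bytes   # sha256 of the secret part of the link, never the secret itself
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """In-memory stand-in for the server-side table (hypothetical; a real site
    would back this with its database). The clock is injectable so expiry can
    be exercised without sleeping."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingLogin] = {}  # keyed by a public selector, not by the secret

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str) -> str:
        """Create a one-time login token for `email` and return the string to
        embed in the emailed link, in the form '<selector>.<secret>'."""
        selector = secrets.token_urlsafe(8)    # lookup key, carries no secrecy
        secret = secrets.token_urlsafe(32)     # 256 bits of randomness
        self._pending[selector] = PendingLogin(
            email=email,
            token_hash=self._hash(secret),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return f"{selector}.{secret}"

    def redeem(self, link_token: str) -> Optional[str]:
        """Return the authenticated email address, or None if the token is
        malformed, unknown, expired, tampered with, or already used."""
        try:
            selector, secret = link_token.split(".", 1)
        except ValueError:
            return None
        record = self._pending.get(selector)
        if record is None or record.used:
            return None
        if self._clock() > record.expires_at:
            del self._pending[selector]        # expired: drop it so it can never be redeemed
            return None
        if not hmac.compare_digest(record.token_hash, self._hash(secret)):
            return None
        record.used = True                     # single use: a replayed link is refused
        return record.email


if __name__ == "__main__":
    store = MagicLinkStore()
    link = store.issue("alice@example.com")   # constructed sample address
    print("email this:", f"https://example.invalid/login?t={link}")
    print("first click :", store.redeem(link))
    print("second click:", store.redeem(link))
```

Note what this does and does not buy you relative to the answers above: the secret is short-lived and single-use (Arran's "very short period of time"), but it still travels over the email channel, so the exposure schroeder and CodesInChaos describe in the comments on the second answer is untouched by anything the server does.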

I think mostly because a password is secret information and a link isn't; the user (and the tool used by the user) can easily identify it as information they are supposed to protect and not share with everyone.

In theory your method isn't worse (in practice it has some flaws), but using anything other than the standard isn't user friendly.

We are starting to use your method (Facebook, Google, etc.), but the reason for this isn't security but data collection for the provider and simplicity for the programmer (which can provide more security).

Another thing: a password authenticates the user, an email authenticates the email provider. For most usage it is OK (you trust your email provider with a lot of sensitive information), but if you want to ensure that only the user can access the information it is clearly a flaw (this one is mostly theoretical because the user will always need to trust the tools he uses: hardware, software).


As a mobile user it would be a pain for me if I had to switch out of my browser app and open my Gmail app every time I wanted to log in to your site. In IS there always has to be a balance of security and usability - you can have the most secure system in the world, but it means nothing if nobody uses it. A password does not take me out of the browsing experience in the way that having to open an email would.

Roy