DEV Community


For developers: you must not require needs passwords from users

Alex P on May 03, 2024

Firstly, let's glance at what we have today. Today many websites require a password. They require "a good" password: minimum N letters, at least o...
Adaptive Shield Matrix

In defense of passwords

I disagree about the password vs magic links.

  • passwords - are great if you have technical users who use a password manager, because they can log in with a single button click after the input fields are filled in.
  • magic links - are great for non-technical users who do not use a password manager, since they will just reuse a single password for every website/service. This annoys all technical users because you now have to log in with a 2-step process instead of a single click.
  • the best user experience I have found is using OAuth/social logins -> log in with a single click without having to type in everything. This works well if your users have an account with the selected provider (and you are willing/required to pay for the integration). Funny questions to ask: do your users have an account at GitHub? Do you want your B2B users to log in using Facebook? Google is free, Apple requires a dev license for 100$/y, Microsoft requires 400$/y for a custom domain using some kind of convoluted infra-gateway/credential setup.

About password implementations -> you are right that they are a little complicated, BUT

  • they are the most researched, best documented and understood
  • and articles like this one are a good reference for all the things you have to know and implement.
  • So you can just code down the checklist with a few hours of work, since all the spec/requirements are clear and defined without any ambiguity (in comparison to business problems)
  • and you can easily test them (manually or automatically).
Alex P

I agree with your concerns.
And you are free to develop options for technical users – they can find the switcher...
But as a technical user I'd request neither passwords nor magic links (nor OAuth) – the most wanted feature for me is WebAuthn now 😉

Adaptive Shield Matrix

WebAuthn is not ready yet

WebAuthn, in my current understanding, does not really work as an open protocol across multiple vendors -> you have to completely buy in to a proprietary vendor solution like Microsoft, Google or Apple. Using a hardware dongle/USB key/YubiKey can completely lock you out the moment it gets lost. Especially if you are on vacation in another country with your laptop/phone stolen -> imagine getting locked out of all your accounts and losing access to all of your money and communication methods; how much fun is that?

I think this blog post has a good summary, where the author of an open source library and an editor of the standard suggests that it's better to just use passwords instead.
fy.blackhats.net.au/blog/2024-04-2...

Depending on Apple only for it to completely wipe all your Keychains does not seem like a reliable or secure solution to me.

Or do you mean a different WebAuthn than passkeys and dongles?
What are your thoughts on the article?

Alex P

I heard the reasoning on the Security Now podcast; this is the article they discussed.

I think that passkeys give me a little more than one password, because on almost all resources where passkeys are supported, I can add many fallback options (other passkeys) and store one of them in the password manager.
I have more than a year of experience using them, including the implementation on our website, and so far there have been no problems with them.

I don't have an Apple account to compare.
But I agree that without backup keys it's a dangerous situation.

Fyodor

Complex password requirements is the conspiracy of password management software manufacturers against humanity… 🧐

Amin

Very interesting take. At first I had no real bias toward this subject, and I was even against using magic links, but the more I think about it, the more it makes sense, because a user will only log in to your application through the internet, since the API will validate their authenticity, so we can assume they have internet connectivity.

If the user has internet connectivity, it is way easier and safer to authenticate them using a magic link. The only downside I see is that this adds another layer of reliability, since a mail provider that is down means the whole authentication is down. But at the same time, mail providers put so much effort and money into making their service reliable that you have a better chance of going down than they do.

Plus, it means no more passwords to mess with, and I've always advocated security before performance or cost so it is an added benefit for the user: a friendlier solution toward authentication, and a safer experience.

I've already started to see an application or two use this for authentication, and I think I'll start advocating for it and use it in my own apps.

Thank you for this very interesting article and take regarding this topic!

Collars Lab.

I really hope that someday we will forget our passwords and never return to them.
neal.fun: stuck on chess board.

Sebastian Christopher

You mean like a password manager?? 🤔

Collars Lab.

I meant information would be anonymized, the opposite of confidential. Finally, data will be reused rather than duplicated. We'll save quite a bit of storage space. Distant future or in next decade, who knows.

Harsh Pandey

Very interesting article, I honestly did not know all this stuff about passwords

Christophe Colombier

Great article, but if I may, please fix the typo in your article title, unless it's intentional.

Alex P

Thanks, I hope it's better now.
Or just tell me what is wrong.
I'm not good at English.

Christophe Colombier

I would like to recommend using LanguageTool to check your article.

You can also add an extension to your browser.

languagetool.org

Here is the result for your article; so apart from the "require", you are pretty good.

For information, I'm French; LanguageTool helped me to improve my English by showing me the errors I was making, in context.

I should write an article about it, BTW

Alex P

Nice, I'll try it too 👍
Actually I use grammarly.com/

Christophe Colombier

I switched away from Grammarly 3 years ago. I like that LanguageTool can be used with a local LanguageTool server, so nothing is sent to the cloud.

Christophe Colombier

I definitely need to write an article about it…

Christophe Colombier

require needs a u

Adaptive Shield Matrix

I disagree about the "Magic links must save user agent".
As a developer/technical user I use multiple browsers and multiple email accounts.

Example use case:

  • I log in to a site in browser A
  • I get the email in a separate browser B (automatic email forwarding into a catch-all account).
  • Not being able to copy the link from browser B to A, and being denied login to the website in browser A, would be a big hindrance to me.
Alex P

Yes, if you accept the risk and agree with the IP matching – why not!
Anyway, you should think about the phishing cases and prevent them.

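As an added example (not code from the article or from either commenter), here is a minimal magic-link issuer and verifier in Python that makes the trade-off in the exchange above concrete: links are single-use, short-lived and stored server-side only as a hash, and binding a link to the requesting browser's User-Agent is a switch. With binding on, the workflow described by the commenter (link requested in browser A, mail read and clicked in browser B) is refused by design; with binding off, whoever holds the link can redeem it. The class and function names, the example.invalid URL and the sample User-Agent strings are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample User-Agent strings standing in for two different browsers.
UA_BROWSER_A = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
UA_BROWSER_B = "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0.0.0 Safari/537.36"


@dataclass
class PendingLogin:
    email: str
    token_hash: bytes                 # sha256 of the secret; the secret itself is never stored
    expires_at: float
    user_agent_hash: Optional[bytes]  # None when User-Agent binding is disabled


def _h(data: str) -> bytes:
    return hashlib.sha256(data.encode("utf-8")).digest()


class MagicLinkService:
    """Hypothetical issuer/verifier (not any real framework's API)."""

    TTL_SECONDS = 15 * 60  # links sit in mailboxes, so keep them short-lived

    def __init__(self, bind_user_agent: bool = True,
                 now: Callable[[], float] = time.time) -> None:
        self.bind_user_agent = bind_user_agent
        self._now = now
        self._pending: Dict[str, PendingLogin] = {}

    def issue(self, email: str, user_agent: str) -> str:
        """Create a single-use link for `email` and return the URL to send by mail."""
        link_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._pending[link_id] = PendingLogin(
            email=email,
            token_hash=_h(token),
            expires_at=self._now() + self.TTL_SECONDS,
            user_agent_hash=_h(user_agent) if self.bind_user_agent else None,
        )
        return f"https://example.invalid/login?id={link_id}&t={token}"

    def redeem(self, link_id: str, token: str, user_agent: str) -> Optional[str]:
        """Return the authenticated email, or None. Any attempt consumes the link."""
        rec = self._pending.pop(link_id, None)  # consume first: no retries, no replay
        if rec is None or self._now() > rec.expires_at:
            return None
        if not hmac.compare_digest(rec.token_hash, _h(token)):
            return None
        if rec.user_agent_hash is not None and not hmac.compare_digest(
                rec.user_agent_hash, _h(user_agent)):
            return None
        return rec.email


def parse_link(url: str) -> Tuple[str, str]:
    """Split a link produced by MagicLinkService.issue into (link_id, token)."""
    q = parse_qs(urlparse(url).query)
    return q["id"][0], q["t"][0]


def cross_browser_scenario(bind_user_agent: bool) -> bool:
    """The commenter's workflow: request the link in browser A, open it in browser B.

    Returns True when the login succeeds.
    """
    svc = MagicLinkService(bind_user_agent=bind_user_agent)
    url = svc.issue("alice@example.invalid", UA_BROWSER_A)
    link_id, token = parse_link(url)
    return svc.redeem(link_id, token, UA_BROWSER_B) == "alice@example.invalid"


if __name__ == "__main__":
    print("UA binding on, cross-browser login works:", cross_browser_scenario(True))
    print("UA binding off, cross-browser login works:", cross_browser_scenario(False))
```

The User-Agent is a client-supplied header, so binding it blocks accidental cross-browser use and casual reuse of a leaked link rather than a phisher who relays the victim's click with a copied header; the short TTL and single use are what limit the value of a stolen link, which is why the reply above still asks for phishing to be handled separately.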
Adaptive Shield Matrix

Password Requirements -> a long length is enough. Writing sentences as passwords is the best choice (after using a password manager of course).

Alex P

I believe a low number of users use a password manager and really think about their password strength 🙃

That is why the Princeton research recommends adding a password strength meter to the UI, and then... every user wants to create a good password, but afterwards they will use the Forgot password button... Round and round 🤪