Password managers have done wonders for users by letting a single master password secure all of their other passwords, so that one data breach no longer unlocks every one of their accounts.
The original problem
People re-use passwords, and the passwords they reuse are generally awful. According to Sophos, 55% of users re-use passwords!
The solution to the original problem
With something like 1Password or LastPass, a master password is created and the user simply has to remember one password (get it?) to access all of their passwords. Then the password manager can generate a random password for each site, so you don't have to think about it.
Simple, right?
The problem with password managers as they stand
They're still too difficult. Think about how it works right now:
- The user has to know about password managers and how to use them.
- The user has to buy a password manager and install it on all of their devices.
After they have it installed and want to sign up for a site, the user must:
- Click Register
- Fill in the personal information that AutoFill did not fill in (AutoFill is pretty hit or miss)
- Remember not to just type in their usual password
- Remember to click on the password manager
- Enter their password / authenticate (biometric)
- Fill out the rest of the web form
- Answer the confusing "save your password?" dialog boxes from both the browser and the password manager
Why is this so complicated? Why don't we have a workflow like this:
- Click Register/Login
- Authenticate with fingerprint or password
- Check the boxes for what they wish to share with the site
Congrats, you never have to log in again. Oh, and with a little bit of work with Authy, it could automatically set up 2FA as well.
This is so doable. A push from Google through Chrome, or the like, would most likely get websites up to speed on this. Then we also wouldn't have to worry about clickjacking the password box or other weird stuff like that, and users would be more tempted to use their password manager because it's just so much easier.
Mockup
What tech blog post would be complete without a mockup?
I hope we can get to something like this soon. Until password managers are easier to use than typical passwords, "password" and "hunter2" will still be extremely common and reused.
Top comments (5)
The first time setup sure is a pain because you need to add every single site to it, but after that it's pretty smooth.
Think: how often does one register on a service vs. how often does one log in?
I think the only reason people don't use password managers is the initial setup. But once you manage to convince someone to do it, they never want to go back.
You're stretching the difficulty by adding things like "has to buy a password manager" to make it seem like a bigger hurdle.
But most users don't care about a password manager, much less paying for one.
You are describing OAuth and the like.
Well that shows it's a pretty good observation ;)
How nice would it be if you could just use identity providers for the majority of sites (e.g. register / login with Twitter or Facebook).
My major annoyance is sites asking for your data in return for access via the provider, e.g. access to your list of contacts.
Just like some people don't mind paying for a password manager, I wouldn't mind paying for an identity provider that has no data to sell.