Blogging platform Medium thinks it has come up with a really clever idea.
But I’m not so sure.
In a blog post, the site – which has previously allowed users to access Medium via Twitter or Facebook social logins – is introducing a new system that will allow you to log into Medium using your email address, but without requiring a password.
Today, we’re pleased to offer sign in and account creation on Medium using only your email address.
Authentication is serious business. We wanted to make our sign in process as secure and simple to use as possible, across all platforms. Passwords are neither secure nor simple. They’re hard to remember or easy to guess, everyone re-uses them (even though they know they shouldn’t), and they’re a pain to type on mobile. They don’t even keep you that safe.
Let’s look at that bit by bit:
Passwords are neither secure nor simple.
Well, they can be – with a good password manager.
They’re hard to remember or easy to guess
Not true – if you use a good password manager.
everyone re-uses them (even though they know they shouldn’t)
No they don’t. Okay, so a lot of people do unwisely re-use passwords. But a good password manager can prevent that.
they’re a pain to type on mobile
Umm.. no, they don’t have to be. If (yes, you guessed it) you use a good password manager.
So, now I’ve successfully debunked those opinions by Medium, let’s look at how the site says its email-only authentication will work:
When you want to sign in to Medium, we’ll send you an email that contains a special sign in link. Clicking on that link will sign you in. That’s all there is to it. If you’ve ever used a “forgot password” feature, it works a lot like that, except you don’t have to forget a password to use it.
In other words, if your email account is ever hacked – the bad guys now have access to your Medium account too.
And if you ever leave your computer unlocked and unattended, a passer-by could access your Medium blog as well.
I would say that that’s not a terribly sensible move by Medium.
Yes, too many internet users choose poor passwords, or reuse them on multiple sites.
But I think Medium would have done better to promote the use of password managers and some form of two-factor authentication rather than trying to kill off passwords entirely.
If they really wanted to offer higher levels of security they could require additional levels of authentication if they see a blogger sign-in from somewhere unexpected – or from a device that hasn’t been used for the purpose before.
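As an added illustration (not Medium's code and not from the post), here is the defender side of a magic-link flow built the way the post argues it should be: tokens are short-lived, single-use and stored only as a hash, and a link redeemed from a device the account has never used before gets a "step up" result instead of a session. The in-memory dicts and the `device_id` value are assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumption: a sign-in link is valid for 15 minutes

# Constructed in-memory stores standing in for a database.
_pending = {}        # sha256(token) -> (email, expiry timestamp)
_known_devices = {}  # email -> set of device ids that completed a step-up before


def issue_magic_link(email, now=None):
    """Create a single-use sign-in token; persist only its hash, return the raw token to email out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                       # 256 bits of entropy, unguessable
    digest = hashlib.sha256(token.encode()).hexdigest()     # a leaked store does not leak live links
    _pending[digest] = (email, now + TOKEN_TTL)
    return token


def redeem_magic_link(token, device_id, now=None):
    """Verify a clicked link.

    Returns ("ok", email) for a known device, ("step_up", email) when the device is new
    (the caller must demand a second factor before issuing a session), or ("reject", None).
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(digest, None)   # pop first: the link is consumed even if later checks fail
    if entry is None:
        return ("reject", None)          # unknown or already-used link
    email, expires_at = entry
    if now > expires_at:
        return ("reject", None)          # an old link found in an inbox no longer works
    if device_id not in _known_devices.get(email, set()):
        return ("step_up", email)        # unexpected device: require another factor
    return ("ok", email)


def confirm_device(email, device_id):
    """Record that a device passed the step-up check so later links from it sign in directly."""
    _known_devices.setdefault(email, set()).add(device_id)
```

A stolen link is therefore only useful for a short window, exactly once, and from a device the account already trusts; an attacker reading the inbox later still has to pass the second factor.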
If you’re going to reinvent your login system, why not maximise its security?
Don’t get me wrong – I like that Medium appears to be no longer requiring users to own a Twitter or Facebook account. But I think they’ve gone the wrong way about opening up the service to other internet users. It seems a backwards-step to not also allow those users capable of choosing complex, hard-to-crack, unique passwords to opt for the traditional email/password method.
What they’ve done means that your Medium account is now only as secure as your email inbox. I hope you’re doing a good job of protecting that.
And logging in sounds like a pain in the ass.
What if I'm using a computer and don't want to log in to my email account?
What if I access the link using my mobile? I'd only be able to access it on the device.
A better, but not perfect (for the reasons given by Graham), alternative would have been to send a one-time code to your email/mobile. Then at least you'd be able to log in in the circumstances I have given above. I'm sure there are other scenarios too.
Hi Graham,
Great topic to start a debate on – and an interesting move by Medium. Just wanted to check your logic though, because surely if 'the bad guys' have hacked your email then they can have access to ALL your services that provide a 'forgot password' service linked to your email identity? Same applies to the case you describe of leaving your workstation unattended – with a password protected service, they can still choose reset password and follow the flow.
Fully agree that password managers should be promoted, but are you sure they've made things any worse by simply instigating a permanent state of 'forgot password' rather than the previous assumption that this only happens sometimes?
Richard.
Hi Richard
"surely if 'the bad guys' have hacked your email then they can have access to ALL your services that provide a 'forgot password' service linked to your email identity ?"
Yes, *if* the service doesn't ask you to answer some kind of security question to change the password or *if* it doesn't require you to confirm yourself through some form of two-factor authentication that you're authorised to reset your password.
Hopefully services taking security seriously make you jump through some kind of hoops to confirm you are authorised to request a new password, rather than just emailing you a "reset password" link which could instantly allow a bad guy in.
Agreed – so your beef with these folks is in fact more to do with their lack of a 2nd factor than their 'clever idea' of equating access to an email account with knowledge of a password (as effectively these 2 constitute a single factor for services who allow reset by email).
"It seems a backwards-step to not also allow those users capable of choosing complex, hard-to-crack, unique passwords to opt for the traditional email/password method."
I would agree with this statement if there were not a (??simple??) method to effectively login with a secure password.
Simply create a dedicated email account with an email provider such as [email protected], keeping both the email address and its secure password in your password manager.
Simple https://youtu.be/Hl545RF6dXA
Just logged on to Medium for the first time. I must say after looking there is no reason I would care if my account was hacked. It's just rubbish published by ourselves.
Lots of blogs turn into mostly 'rubbish'. But if you are one of the few determined to raise the level of discussion on at least a few threads, you really don't want someone sabotaging your efforts by impersonating you.
"Passwords are neither secure nor simple."
Actually, it seems they are rather simple. Most use basic passwords, after all, and they are often reused. That means they are easy to remember (see below and [1]). Passwords are a weak link to what should be a long chain of security. Consequently, passwords by themselves are indeed weak. But so are other things by themselves. For instance, your logic is very weak (as I get to below).
"They're hard to remember or easy to guess,"
You have that reversed. It is hard to guess and easy to remember. Or at least, without password managers, that would be the way to go about it. Yet your statement above ('nor simple') contradicts this, doesn't it? If they aren't simple then why are they easy to guess?
"everyone re-uses them (even though they know they shouldn’t)"
Everyone is a far stretch of the imagination. But.. it does make one think (and probably not too much of a stretch of the imagination) that YOU do re-use passwords. I wouldn't at all be surprised if that is the case. Given your other points, it seems plausible. But never mind that.
"and they’re a pain to type on mobile."
Maybe so. I can't really judge there because I hate phones (technology is one thing, the actual device is another).
"They don't even keep you that safe."
QUESTION: how do you think your users access email? That is, how do they authenticate? Magic? Or maybe they log in to another email account? Perhaps they log in to Medium (which means another email)? Basically you've taken a password out of the equation. Yet you point out they don't keep you 'that safe'. So wouldn't you want more than one? Yet you instead remove one. Trying to improve security by removing a link in the chain… that boggles my mind. Not sure I am surprised, but it really is hard to imagine. It is certainly a terrible idea unless you would rather weaken security (which unfortunately you are doing).
Brilliant. Also logical, very logical indeed. And 1+1 = 10, right? (Okay, to be fair, it IS 10 in binary.. but many wouldn't understand this…)
[1] Also, while on the subject of simple. If you look at the most abused passwords, you would understand that they are actually far too simple. What with password, password123, qwerty, a sequence of digits (in numerical order), a sequence of letters (in lexicographical order) or the same digit or letter X times. Yes, very complicated indeed…
I just noticed yesterday that Virgin Mobile seem to have disabled paste in the password field. Some websites already seem to disable right-click on this field but you can still use Ctrl-V. But Virgin Mobile seem to have gone the whole way and completely disabled it.
This makes my password manager more inconvenient as I have to type the long and difficult password in letter by letter.
This seems to be a well-meaning change that actually makes things more insecure as it will discourage the use of password managers and difficult passwords. If all websites do it then my password manager effectively becomes useless.
I hate sites which disable copy and paste. Every site I create an account on has a different, strong password thanks to Keepass. The sites which disable copy n paste just make it harder for me to copy n paste from Keepass and so tend to be the ones that have weaker passwords. It's a totally stupid "security" measure.
I've worked out a way round it in Keepass. Change the auto-type for the entry so that it is {PASSWORD} only (delete everything else). Then place the cursor in the password field, right-click and select "Perform Auto-Type". This inserts the password one character at a time.
Here is a good alternative way to using password managers that is illustrated well by Mozilla in this video – https://plus.google.com/+SolutionSharkPlus/posts/d5Z9F95BgrP
>>Not true – if you use a good password manager.
You may be overestimating the ability of the average user here. Many of our users have no idea what a password manager is, let alone how to use it.
It's been a long time since I logged into Medium. So I can't remember which email account I was using. I usually use the 'forgot password' to figure that out. It's more like, I forgot which email and the only way to know is to use the 'forgot password' function.
So will Medium create a separate account for each of the half dozen emails I must try before I figure out which one is correct? Seems like bloating accounts, then. Well, here goes, I'm going to try a few emails and see what happens…
1. I'll narrate this step by step. First, the email sent from Medium gets forwarded from my email account to my gmail account, because I check all my emails via gmail. But it takes some time for that to happen. More than 15 minutes? Sometimes.
2. Now I've tried the first email. Nope. Wrong. It's just taking me to a 'finish creating your account' page.
3. Second email. Nope. Same.
4. Success. Third email worked. But what a pain in the ass. Medium is more or less, more likely less than medium.
For me Medium is a great site that has killed itself for me using this method of logging in. It's painful.
The problem with this authentication method is not so much security than usability. It usually doesn't work for me, no link gets sent to my email, and in the rare occasions where it does get sent, it just takes forever to log in and by the time the link arrives, I've closed the original post I wanted to comment on.
Agreed, I'm about two magic link disappearances away from quitting the platform!
Hi Graham,
the problem here is, it is not about you and not only about experienced users. 99% do not use password managers. Medium does not have the time nor the people to change that fact, so in order to make their page more secure for ALL of their users, that is the way to go.
I am sure, if there ever will be a time, that most users are using password managers, a lot will change.
But, keep in mind that pushing people to use password managers might also not be the best idea. The average person can not decide whether a service is safe or not. Online password services will try to get as many customers as possible, but they all have one big flaw: No one is able to check every single update of their code. So even the regularly audited ones could create one minor version that sends the user's password back home and fixes that in the next version. Then they have 90% of all master passwords and no one knows. Those master passwords are worth millions.
Still, the Medium login with email drives me nuts and I think the usability should be worth more than the security in this case. I mean 99% of all services are using passwords.