a hack for passwordless login

It would be cool to be able to log in to a web site using just your email, without even a password. It would work just the same way that password recovery does now, except that you wouldn’t ever type in your password.

You go to the web site the first time. They ask you to create an account using an email address. You enter it. They send you a URL to log in for the first time. You go to your email and click on the URL. That page gives you a long-lived cookie, so you don’t have to log in again for as long as possible. A couple of years would be fine.

From that point on you go through the password recovery process any time you’re in a position where you would need to log in again. Let’s say you go to the web site from a new computer where you don’t have the cookie. It needs you to log in. In the login form you enter your email address without first going through the “lost your password?” link. You then go to your email to get the link they sent you, and then you click on it.

This is only different from always just recovering your password in that the login dialog is optimized to make the password recovery process shorter. For example, the login dialog might have an extra button which sends the URL to your email account.
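The flow above, written out as a small server-side model. This is an added example, not code from the original post: it assumes an in-memory store, a 15-minute lifetime for the emailed link, the roughly two-year cookie the post mentions, and a hypothetical `https://example.test/login` URL. The two details worth seeing in code are that the server keeps only a hash of the token (so a leaked database does not yield usable login links) and that a link is consumed on first use, whether or not it was still valid.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

LINK_TTL = 15 * 60              # assumed: an emailed login link is good for 15 minutes
SESSION_TTL = 2 * 365 * 86400   # the "couple of years" long-lived cookie from the post


@dataclass
class PendingLink:
    email: str
    expires_at: float


@dataclass
class Session:
    email: str
    expires_at: float


class MagicLinkAuth:
    """Email-only login: the password-recovery flow is the only login flow."""

    def __init__(self, base_url: str = "https://example.test/login"):  # hypothetical URL
        self.base_url = base_url
        self._pending: Dict[str, PendingLink] = {}   # keyed by SHA-256 of the link token
        self._sessions: Dict[str, Session] = {}      # keyed by SHA-256 of the cookie value

    @staticmethod
    def _digest(secret: str) -> str:
        # Only digests are stored; the raw token/cookie exists only in the email or browser.
        return hashlib.sha256(secret.encode()).hexdigest()

    def request_login(self, email: str, now: Optional[float] = None) -> str:
        """Step 1: the user types an email; return the URL that would be emailed to them."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._pending[self._digest(token)] = PendingLink(email.strip().lower(), now + LINK_TTL)
        return f"{self.base_url}?token={token}"

    def consume_link(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Step 2: the user clicks the link. Returns a cookie value, or None if the link is bad."""
        now = time.time() if now is None else now
        # pop() makes every link single-use: a replayed or expired link is discarded either way.
        pending = self._pending.pop(self._digest(token), None)
        if pending is None or now > pending.expires_at:
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[self._digest(cookie)] = Session(pending.email, now + SESSION_TTL)
        return cookie

    def user_for_cookie(self, cookie: str, now: Optional[float] = None) -> Optional[str]:
        """Step 3: on later visits the long-lived cookie identifies the user until it expires."""
        now = time.time() if now is None else now
        key = self._digest(cookie)
        session = self._sessions.get(key)
        if session is None:
            return None
        if now > session.expires_at:
            del self._sessions[key]
            return None
        return session.email


def token_from_url(url: str) -> str:
    """Extract the token query parameter from an emailed login URL ('' if absent)."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]


if __name__ == "__main__":
    auth = MagicLinkAuth()
    url = auth.request_login("alice@example.com")   # constructed sample address
    print("emailed link:", url)
    cookie = auth.consume_link(token_from_url(url))
    print("logged in as:", auth.user_for_cookie(cookie))
    print("second click on same link:", auth.consume_link(token_from_url(url)))
```

Passing `now` explicitly keeps the expiry logic testable; a real deployment would also rate-limit `request_login` per address so the emailed-link flow cannot be used to flood someone's inbox.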

This wouldn’t be any less secure than current processes, since your password security is never stronger than your email account anyway. It would actually be more secure, since you wouldn’t have a guessable or stealable password introducing an additional point of vulnerability.


I am thinking about this because Facebook constantly makes me log in, and I don’t care about it enough to memorize that password.