
NoPassword - BerislavLopac
https://nopassword.alexsmolen.com/
======
mapgrep
This turns your email inbox into a giant password manager, except without the
extensive storage encryption used by real password managers. Thought
experiment: What are the possible unintended consequences of that?

Just a few off the top of my head:

1\. Easier for email hackers to detect sites where you have logins.
(Controlling someone's email usually means controlling most/all logins, but it
takes some digging to get a good list of vaulable logins. With this solution,
most of the list is on the first page or two of the inbox.)

2\. Harder to detect being hacked. (Previously, a hacker with email access
would have to reset your passwords, and you will notice that at least some
passwords have changed. Now the hacker just has to delete any incoming
authentication emails after reading them.)

3\. Losing a job becomes potentially more catastrophic. (Hope you didn't
associate too many passwords with your work email, because IT wiped your
account while security was escorting you out the door. And before you say only
dumb people use work email for personal accounts, consider that part of the
idea of this nopassword system is to help "dumb people" who fail to (for
example) use password managers.)

4\. Your email provider now has a nice easily mined record of what sites you
log into most often. But, hey, I'm sure we can all trust Google not to use
that information in a terribly creepy manner, right?

~~~
k3n
I think a major problem would be one of the most-common use-cases: you're away
from your PC, and want to access their site.

To do this, of course, you'd have to get an email sent to that machine. Then,
you must login to your email on that same machine to get the PW, and thus the
problem: now you have a much greater chance of leaving your email logged in on
the 3rd-party machine. Whether it's a friend's laptop or a public terminal
(library, airport, etc.) this is not a good thing whatsoever; all you needed
to do was to login to a site to post a comment on some silly discussion board,
and now you've left the keys to your kingdom in the open.

Further, if there are actual security issues with that box, say it's actively
being MitM'd, keylogged, etc. well instead of simply gaining access to your
silly forum account, now they will have access to your email.

I think I would flat-out refuse to use any service for these flaws.

~~~
geon
It would be great to be able to authorize a login for another machine. I could
request a login on any machine and have an email/sms sent to my smartphone and
click the link there (alternatively, scan a QR code), and get authorized on
the machine initiating the login.

Email/SMS would be an obvious security hole for people who just click "OK"
without reading, though. I guess a QR code would be secure anyway.

------
eCa
I hope that Mozilla Persona[1] (or similar) will solve this problem soon.

[1] <https://login.persona.org/>

~~~
callahad
We do, too. Please try Persona out and let us know what does and doesn't work
for you. We're trying to solve this thing once, for the whole web.

Also, if you've been waiting for Persona to hit "beta" before trying it out,
well, check back Thursday morning. :)

~~~
gambler
Are there any plans or thoughts in regards to adding some way to implement it
on a website without using JavaScript? You control the browser, so it
shouldn't be difficult to do.

For example, you could define a special URLs for login and logout actions.
(E.g. persona:action=login&onsuccess=encoded_url1&onfailure=encodedurl2 ). I
don't know about others, but it would make me much more willing to give a try.

------
moeffju
We did this on Toptranslation.com as an alternative to the normal password-
based login. The thinking is, since password resets go to your e-mail, anyone
who has control over your mail or mail server can get into your account
anyway. It's a tradeoff between user (mostly enterprise customers')
convenience and security. Since all orders made through the system require
another confirmation, we decided it was worth not having to handle the "I
forgot my password" support tickets. Haven't had any problems with it, I think
it makes sense for low- to medium-security authentications.

~~~
r00fus
There's a difference between a one-time, quickly-expiring password (requiring
reset on use) being sent on email, as opposed to having the password reside
there in perpetuity.

In one case the attacker needs full control during the password reset and in
the other they can simply scour email for all passwords and get out - perhaps
even without controlling the account - ie, transparent proxy + poisoned DNS
would do the 2nd easily.

~~~
tlrobinson
The emails contain single-use links. Each time you login you need a new email.
<http://news.ycombinator.com/item?id=4572031>

------
kennu
Makes me wonder, if emails and SMS messages start to carry more and more
plaintext passwords (and links) providing direct access to everything, how
will their security hold up in the long run? I don't think they are inherently
very secure channels.

~~~
peterwwillis
They're not secure. SMS and e-mail are sent unauthenticated and unencrypted
and can be intercepted in many different ways.

~~~
sneak
> SMS and e-mail are sent unauthenticated and unencrypted and can be
> intercepted in many different ways

My SMS are encrypted with A5, and my email (gmail's inbound smtpd) is
(usually) encrypted with TLS.

Of course, I always check with TLS as well.

It's not quite as bad as you seem to make it out.

~~~
tedunangst
I think people put way too much faith in inbound TLS. My mail server has some
bozo self signed cert and nobody has ever failed to send me an email. Meaning:
either nobody is using TLS to deliver mail or they use TLS and ignore all cert
failures. Either way, about 99% less secure than you think it is.

~~~
mbq
Yeah; internal SMTP to SMTP traffic gives no guarantees at all. The only way
is to use S-MIME or PGP.

------
dkokelley
I think it is interesting that a good portion of HN users are quick to point
out the security issues in a scheme like this, considering the fact that this
is basically the current security model with the intermediate steps removed.
The only thing that makes it different from logging in to my bank is that if I
try a bank password reset I might get asked what my mother's maiden name is.

------
endianswap
I find it amusing that a page discussing passwords/security would throw a
couple of SSL certificate warnings when loading it.

~~~
peterwwillis
On top of that, the SSL server supports compression, session tickets and
insecure ciphers, so that's three possible attacks to try.

What's REALLY weird: my browser is showing a different cert than OpenSSL is.
My browser shows it's signed by PositiveSSL, but when I connect with 'openssl
s_client' I get this:

    
    
      depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-119-98-53, emailAddress = root@ip-10-119-98-53
      verify error:num=18:self signed certificate
      verify return:1
      depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-119-98-53, emailAddress = root@ip-10-119-98-53
      verify error:num=10:certificate has expired
      notAfter=Feb 24 01:08:21 2012 GMT
      verify return:1
      depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ip-10-119-98-53, emailAddress = root@ip-10-119-98-53
      notAfter=Feb 24 01:08:21 2012 GMT
    

Not only is it self-signed, it's expired. I actually don't know what the fuck
is going on here.

~~~
pharrington
The self-signed cert is from alexsmolen.com, not nopassword.alexsmolen.com.

~~~
peterwwillis
Ah, so it's using the servername TLS extension. I forgot that some people use
that now :)

------
laserDinosaur
So I have to log into my email to avoid logging into the site? Isn't that the
exact same thing, yet now I have to include a few extra steps in between?

~~~
jkubicek
Anecdotally, everyone always has their email open anyway (I do, everyone I
work with does, my family aways does), so the extra step of checking your
email is trivial.

~~~
laserDinosaur
Unless you use a different account for junk websites than you do your day to
day email. I have my work email open all day, but not my personal email, which
is also different to my spam email account I use for trials or junk websites.
If I need to have 3-4 different email accounts open just to manage my
sessions, I could see this being a massive pain. Also if I sign up using my
work email to a work related service (so I can use it at work), I might not
have access to it at home.

~~~
spindritf
If you use gmail, you can be logged in to multiple accounts at once.

------
k3n
Another glaring issue: they make the assumption that email === webmail.

While this may be mostly true, the fact is that many still use POP email, and
so what, you're to setup a POP account on whatever machine just so that you
can access a website? Just let me remember my simple PW, thanks.

~~~
debacle
If you're using a POP service that doesn't provide a webmail interface in
2012, something is wrong.

~~~
jrabone
I run my own mail server from colocation. I have so far refused to provide
webmail because I can't find an implementation that isn't a constant stream of
security holes, in exactly the way that Courier / Exim aren't.

Any recommendations? I won't use PHP or MySQL on grounds of taste and decency.

~~~
debacle
> I won't use PHP or MySQL on grounds of taste and decency.

Good for you.

<http://roundcube.net/about>

<http://www.zimbra.com/>

<http://www.squirrelmail.org/>

~~~
k3n
Are you being cheeky? At least 2 of those are PHP-based...

------
jeffreylo
Great work implementing what was discussed here:
[http://notes.xoxco.com/post/27999787765/is-it-time-for-
passw...](http://notes.xoxco.com/post/27999787765/is-it-time-for-password-
less-login)

For previous discussion: <http://news.ycombinator.com/item?id=4308190>

------
bryanlarsen
Great idea. 99% of website accounts I create are only accessed once or twice
to purchase something or to leave a comment or get access to something. I use
KeePassX to generate passwords for most of those, but most people use
passwords that are either repeated, insecure or forgotten.

~~~
m8urn
Although this concept certainly has its flaws, I could see it being useful for
something where it was a site that most people would rarely log in. But for a
store, I'd prefer having my credit card in the hands of something more secure.

~~~
bryanlarsen
Every web store has a "reset password via email" feature, so this is no less
secure. In fact it's more secure, because this way you would receive email
notification every time somebody tried to log in as you.

------
rdwallis
I use a one time password system for magicscroll.net

There's a lot of peace of mind in knowing that my users' passwords won't ever
end up on pastebin but overall I regret the decision.

I get a couple of emails a week from users who don't understand how it works.
If I had to do over I'd choose openID.

------
m8urn
This is an interestimg idea and surely has it's place, but how you implement
it is critical. For example, you would want SSL for the entire site to ensure
the cookie is always protected. You would also need to make sure that the
token and session management is solid.

Of course to really make it secure, you would want all smtp connections
between you and the user to use SSL, which you cannot guarantee. One test I
always use for new authentication schemes is would the NSA be able to
compromise your account if they wanted? In this case I would definitely say
yes.

Still, this would be excellent for sites that only have you login to set
preferences, etc.

------
javery
My bank starting texting me a one-time password which at first I thought was
weird - but now I like it better than actually having to create and save a
password. Seems like a nice natural extension of this for more secure things.

~~~
apawloski
As some will point out, SMS is generally insecure because of the possibility
of snooping vulnerabilities.

An even more secure way to implement one-time passwords is through an HTOP[1]
smartphone app. The crypto is seeded once and then never has to communicate
over the network to generate an OTP. Only the person with physical access to
your phone can generate a password. I know when I was with USAA, they allowed
you to generate one-time passwords using this method.

[1] [http://en.wikipedia.org/wiki/Time-based_One-
time_Password_Al...](http://en.wikipedia.org/wiki/Time-based_One-
time_Password_Algorithm)

~~~
javery
The concern is that in the 2 seconds it takes me to type the password in
someone will intercept it and beat me to it? This is way safer than email.

~~~
apawloski
I don't understand why you downvoted me -- my point is perfectly valid.

"The concern is that in the 2 seconds it takes me to type the password in
someone will intercept it and beat me to it?"

The concern is that someone will snoop the password before it even gets to
your phone. SMS snooping/MiTM has been demonstrated before [1]. Time-Based
One-time Password algorithms are safer because they are not vulnerable to the
aforementioned probems -- they never touch the network.

"This is way safer than email."

I never said it wasn't?

[1] <http://en.wikipedia.org/wiki/IMSI-catcher>

~~~
javery
I didn't down vote you.

------
smickie
This is really great. There's quite a few places where I'd love to sign-in
like this.

The one area where I think it would fall down is logging into web apps that
have multiple points-of-entry. Such as chartbeat(phone app and website). I
don't see how you would be sent a link to log into an iPhone app. Or could you
be sent and email with multiple links: one that goes to the site, another that
flings you into an app?

The best implementation would be if web apps offered this in the preferences
area with a check-box saying: "Enable NoPassword" (so you don't offend any
traditional password lovers or confuse people that just might not understand
it).

------
chmike
For none critical information and just a mean to identify a user account, this
is a good idea.

In such system, The weakest link is the mail system, but this is not worst
than what is done today. Replace mail by an sms code or whatever equivalent.

------
Sami_Lehtinen
Bad solution, email is slow and unsecure. I also have always hated identities
linked to email in anyway. It's wrong way and that's it. Also allowing
password recovery via email is dangerous, because email isn't secure either.
Email is secure if you use GPG, and in that case it would be better to login
by signing nonce with your private key and returning signature to site, which
can verify it against your public key.

------
fishtoaster
This is a neat idea. There are plenty of sites that I only use once or twice a
year, or ever. I'm not sure how widely this will be adopted, though, since
most sites tend to cater to the people that access them frequently.

Also, as a user, you can accomplish this same thing by just using a common
username across all your 1-off sites, along with a gibberish password that you
reset every time you want to log in.

------
muxxa
When I'm on an untrusted computer, e.g. in an internet cafe, I typically try
to avoid logging into webmail. E.g. I'll first put files I want to print into
Dropbox and then log into that instead, (the consequences of an attacker
getting access to my Dropbox are less grave than an attacker accessing my
email account). This extra precaution is not possible with this NoPassword
scheme.

~~~
grinich
_The consequences of an attacker getting access to my Dropbox are less grave
than an attacker accessing my email account._

Can you be specific as to why? If you use Dropbox for personal information,
I'd assume it would be similar.

~~~
bradwestness
Once someone has access to your e-mail, they can reset your password and log
into anything that you used that e-mail to sign up for. With Dropbox, all
they'd have access to is whatever files you happen to have in your Dropbox at
the time.

------
rickmb
I like it. Especially because theoretically it can be mixed with other,
conventional authentication schemes, so it can be made completely optional and
used at will, just like sites currently mix password + several OAuth
providers.

It's pretty much the ideal scheme for all those sites you don't visit
regularly (and many of us, despite knowing better, use the same password
for...).

~~~
asdfaoeu
Definitely a neat idea. Could also just email them a reusable link except that
would leave the credentials in your browser's history unless there is a way to
avoid that.

~~~
jedbrown
_Terrible_ idea. A reusable link is as bad as emailing a plaintext password
and not requiring a reset afterward.

------
leostera
Wouldn't it just make life easier for all of us to use auth via apps? I know
that right now different providers use different layers of shit for their own
purpose but there's gotta be a common ground for all of them that we could
leverage for the sake of getting passwords out of the game for the most part
of it.

------
orenmazor
Interesting. you're basically sort of taking the password part out of two-
factor authentication.

(I know its not _exactly_ that)

------
drunken_thor
I keep asking users about this login process and passphrase instead of
password. Most users seem to feel suspicious of the email login because most
users have already been trained to not entirely trust their email. I don't
think that this could become an accepted authentication method simply because
of that

~~~
tlrobinson
Regardless of whether this will be accepted, users need to be retrained. Any
site that offers a password reset via email _already_ effectively lets you
login via email. Users should be aware of this so they can be more careful
with their email (picking a decent password, ensuring they logout on public
computers, etc).

IMHO everyone should be using two-factor authentication for their email.

------
Coko
Hasn't craigslist been doing this for awhile now? For those worried about the
hassle/security of checking email to sign in to a website, there could just be
two methods of login. One is the proposed NoPassword, other is the traditional
username/password, and leave it up to the user to choose.

------
Koldark
The user experience is so different, I think using it would push users away
from the different experience.

------
Kesty
The idea is nice, but I see a couple of problem with that kind of
implementation:

1) You don't have/won't access your email account on that computer (ex:
Internet Cafe)

2) Spam filters that may delay the mail and so will delay the ability to log
in. (ex: Grey Listing)

3) Changing your email account (ex: Work Email to personal email)

~~~
chustar
The thing is when I used internet cafes, the first thing I would always open
would be email.

2 and 3 and really valid though.

~~~
DrCatbox
"The thing is when I used internet cafes, the first thing I would always open
would be email."

Seriously? Intenet cafes are the least secure computers to give your email and
password to. Sure for junk and spam-email accounts, that you dont care about
anyway. But logging in to your personal email account on an internet caffe!?
Thats madness.

------
cypherpunks01
Doesn't this need some kind of browser plugin to set your cookies with? Most
websites don't have secret token URLs that will log you in, right? What about
sites that issue cookies per-IP? Maybe I'm misunderstanding the mechanism
here, would love clarification.

~~~
peterwwillis
You put an e-mail in the box, click Submit, it sends you an e-mail with a link
to click. You click the link, it brings you to a page that sets a cookie for
you (key '_logged_in', value 'SOMEKEYSPECIFICTOYOUREMAILADDRESS'). Browse the
site with the temporary key linked to your e-mail address. When your browser
closes the cookie is gone.

If you want to log in again, repeat the process.

Now, here's why this is a bad idea: e-mails are not secure. They are sent
willy-nilly around the internet in plain text through multiple mail relays.
All one would need is to sniff traffic on a network segment that the mail
travels over and you'd have a hell of an easy time collecting login info. This
is why the passwords sent over e-mail are supposed to be _temporary_ , and why
most good password reset forms ask for additional confirmation details before
they let you reset the password.

You might think the above process would be secure if the link they send you is
de-activated the first time you click it, but anyone could just keep sending
more e-mail login requests and collecting the e-mails. The whole thing is
pretty not-secure.

------
smoyer
It's great to have a library for this ... I first encountered a service using
this type of login with www.wasitup.com (sadly now down) in 2010 and never had
an issue with logging in, though it was indeed necessary to open an e-mail
when using a new computer.

Thanks!

------
sicxu
There are security issues with this approach. However, I wouldn't mind if a
site offers both traditional login and email based login. Then, I, as a user
can choose which is the most appropriate.

------
kainio
You need a password to get into your email account. \+ You have to open your
email account every time you need to login into the website, it's a bad user
experience.

\+ What if you lose your email account password?

~~~
alexsmolen
Most people have their email open, not only on their desktop but also on their
mobile devices. Most importantly, you'd only do this once per device, unless
you need to log out or clear your cookies.

If you lose you email account password, you'd need to follow the email service
provider recovery process. Gmail, Hotmail, etc. have significant resources
dedicated to helping people with this.

------
mistercow
This is how hi-games.net has worked for years, and it's a clever
implementation, but I wouldn't want my bank to use it until we replace email
with something, you know, secure.

------
sherwin
One big problem with this approach: what happens when your email is down? Does
a website really want to tie its availability to that of Gmail / other web
mail services?

------
amccloud
Another similar application but to you mobile instead. Acts like a physical
key. <http://launchkey.co/>

------
chustar
It would be interesting if you could integrate a mail handler to this service
so that you could simply email them to request a session.

------
twodayslate
> We're sorry, but something went wrong.

------
arnarbi
Now, cue the browser plugin to which you give access to your gmail (via
OAuth), that handles this transparently.

------
astangl
Among other problems, have to put up with delays imposed by greylisting, if
your email server does that.

------
hk__2
So I have to check my emails _every_ time I want to connect to your website?
Seriously?

~~~
alexsmolen
From my blog post:

"Yes, logging in by waiting for an email and clicking a link does take longer
than entering a password. But you should only have to do this once per device.
Unless you’re constantly letting other people use your computers (and logging
out of your email client each time), you’re golden."

<http://alexsmolen.com/blog/?p=194>

------
d0m
I'm actually using this _strategy_ more often than I would like to admit.

------
leandrocp
Alex, It´s giving me an error: We're sorry, but something went wrong.

------
PlanetFunk
Combine this with google authenticator for 2 step auth?

------
zapt02
" We're sorry, but something went wrong. " :(

------
vxxzy
How do I run an webmail service with this?

------
jpswade
This works well for mobile.

------
zobzu
still annoying. i prefer browserid: zillion emails, one password =p

or password managers

------
redox
railscasts also uses an email link for a login

------
elchief
what's wrong with OpenID again?

~~~
icebraining
Regular people don't get it.

~~~
elchief
Seems to work okay on Stackexchange. Even the English and Home-Brewing
versions!

~~~
icebraining
Oh, when you said OpenID, I assumed you meant the UX concept (the idea of
logging in with an URL). since that was the level being discussed here. SE
does use OpenID, but it's essentially just a backend technology, which is
irrelevant to the user; they can login with an integrated third-party service
(Google, FB, etc) or even with a password (by choosing the SE provider).

------
taf2
We're sorry, but something went wrong.

------
drivebyacct2
This technique hits the front page once every other week. With the same flaws.
Use BrowserID. It's better than this and it paves the future towards actually
being able to truly transition away from passwords.

~~~
TazeTSchnitzel
You mean Mozilla Persona? :)

~~~
drivebyacct2
Well BrowserID is the protocol, Persona is Mozilla's implementation. You can
use BrowserID without using Persona.

------
mylittlepony
Y u no use LastPass? I've been using it for more than a year and never had a
problem. Today, I only know 3 passwords, one for each of these: LastPass, full
disk encryption in my PC, and the login in my PC.

~~~
bryanlarsen
You use LastPass, but 99% of the web doesn't. This proposal makes a web site
both easier to use for those users, and more secure.

~~~
mylittlepony
Yes your proposal is good, I was talking to the commenters, sorry.

------
aleprok
This is dumb idea and requires that you open your email to login to a site
that you want to use. Faster is just typing your username and password and
pressing the login button. Anyway browsers make this even faster by storing
the username and password.

~~~
roymabookie
Also you are kind of putting all your eggs in one basket...

~~~
aleprok
Sorry, but I do not see anything bad at saying "this is dumb idea" different
would have been if I had said "This is fucking stupid idea". Anyway my
negative points kinda were earned. :(

