Just wondering: now that discourse supports login via email, is there any reason why password is still required at signup?
I don’t understand what you are asking. You want to prevent people from logging in with username/password? If that’s what you want, disable local logins altogether and use SSO or social logins exclusively.
No, I want people to be allowed to create a new account without providing a password.
We have no plans for that at the current time. You’d be reducing from two factors (control of email address + knowledge of secret string) to one (control of email address).
I must be misunderstanding something. I was thinking that if people can have a magic login link delivered to their email, why should they have to bother coming up with a password when they sign up (i.e. a password that they will never need)?
You are denying them the second security factor of a secret password string at that point, though. I agree that if their email is compromised they are hosed either way, since a password reset can be issued via email.
No, not denying. Just not requiring it.
The other downside is that if you lose control of the email in that scenario you literally can’t log in. Whereas if you lose control of email with a password on your account, at least you can log in to the website and PM the staff to help fix it (associate another email).
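The exchange above turns on how a magic login link behaves once the password is gone. As an added example, not code from Discourse or from anyone in this thread, here is a minimal magic-link token service in Ruby (Discourse's own language) showing the properties such a link needs if it is the only way into the account: a token with enough entropy, stored only as a digest so a leaked table does not yield usable links, a short expiry, and single use. The class name, the 15-minute lifetime, the in-memory store and the injectable clock are all assumptions made for the example.

```ruby
require 'securerandom'
require 'openssl'

# Hypothetical magic-link token service (assumption: an in-memory Hash stands in
# for whatever table a real forum would use; the clock is injectable so expiry
# can be exercised without sleeping).
class MagicLinkService
  TTL_SECONDS = 15 * 60 # assumed lifetime of a link; short, since the link alone logs the user in

  def initialize(clock: -> { Time.now })
    @tokens = {} # sha256(raw token) => { email:, expires_at:, used: }
    @clock = clock
  end

  # Issue a login token for an address. The raw token is what goes into the
  # emailed URL; only its SHA-256 digest is persisted.
  # 32 random bytes gives a 256-bit token, which is not guessable online or offline.
  def issue(email)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[digest(raw)] = { email: email, expires_at: @clock.call + TTL_SECONDS, used: false }
    raw
  end

  # Redeem a token from a clicked link. Returns the email on success, nil on any
  # failure (unknown, already used, or expired). Every failure path returns the
  # same nil so the caller cannot tell a forged token from a stale one.
  # Looking the digest up as a Hash key is acceptable here: a timing leak would
  # reveal digest bytes, not the raw token the attacker needs to present.
  def redeem(raw)
    record = @tokens[digest(raw)]
    return nil if record.nil?
    return nil if record[:used]
    return nil if @clock.call > record[:expires_at]

    record[:used] = true # single use: a link lifted from a mailbox later is dead
    record[:email]
  end

  # Housekeeping: drop expired or spent records so the table does not grow
  # without bound. Returns the number of records removed.
  def prune!
    before = @tokens.size
    @tokens.delete_if { |_, r| r[:used] || @clock.call > r[:expires_at] }
    before - @tokens.size
  end

  private

  def digest(raw)
    OpenSSL::Digest::SHA256.hexdigest(raw)
  end
end

# Usage sketch: email the URL built from the raw token, never store the raw value.
if __FILE__ == $PROGRAM_NAME
  svc = MagicLinkService.new
  tok = svc.issue('alice@example.com') # constructed sample address
  puts "https://forum.example/session/email-login/#{tok}" # hypothetical route
  puts svc.redeem(tok).inspect
  puts svc.redeem(tok).inspect # second click fails
end
```

Note what this does not give you: with no password on the account, `redeem` is the only door, so losing the mailbox means losing the account, which is exactly the downside raised in the post above. A real deployment would also rate-limit `issue` per address so the feature cannot be used to flood someone's inbox.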
I actually kind of like the idea of not requiring passwords. It gets rid of some of the hurdles to create a new account in the same way OAuth does. OAuth already doesn’t require a password for new accounts - if a user only signs in with OAuth and loses access to the OAuth account, same boat.
Are you aware of any large-ish mainstream site that has done away with passwords on local accounts entirely? I’m not…
I’m actually annoyed that I’m finding nothing to answer your question. Auth0, for all it brags about how passwordless is the future, still requires a password to sign up on its own site. So I suppose this is only a pipe dream.
For sites that don’t offer OAuth and do offer email sign-in, and I can’t be bothered to add the passwords to a manager, I type garbage in the field just to have something, and rely on the reset-password/password sign-in links. It’s functionally the same (for me) as having no password.
Don’t do that; use the browser’s password auto-generation feature… it is enabled in all new Chrome versions as far as I know. Right-click to trigger it.
So requiring a password is useful only for people who know their password and lose control of their email address. That seems like a pretty small set of circumstances, as in my limited experience, people who have lost control of their email address usually don’t notice until they try to reset their password.
Cool! I can stop pseudo-randomly whacking my keyboard. (But the people that I’ve been dealing with on new migrations aren’t capable even of whacking random keys on their keyboard. They’ll never find that generate-password thing.)
Definitely on the ish-end of large but: https://opencollective.com
That is a reeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeally generous interpretation of the word “large”.
But that will also save the password in the browser’s keychain, right? Not the safest thing to do.
And: mobile. In fact, for me this passwordless thing is mainly about mobile. I use KeePass on all my desktops, but generating and saving a new password on mobile is still a pain (and probably will be for a long time).
It is bad on mobile but not terrible if you are using LastPass (or are locked into the Safari world), because it integrates into Safari, so I can simply “fill password” in two clicks.
I’m using KeePass (also on mobile) and it works fine filling in existing passwords. Are you saying that LastPass also allows you to create a new password in two clicks?