Why is password still required at signup?


(Christoph) #1

Just wondering: now that Discourse supports login via email, is there any reason why password is still required at signup?


(Jeff Atwood) #2

I don’t understand what you are asking? You want to prevent people from logging in with username/password? If that’s what you want, disable local logins altogether and use SSO or social logins exclusively.


(Christoph) #3

No, I want people to be allowed to create a new account without providing a password.


(Jeff Atwood) #4

We have no plans for that at the current time. You’d be reducing from two factors (control of email address + knowledge of secret string) to one (control of email address).


(Tanner Filip) #5

This is kinda possible. Mozilla did it with Auth0 (a third-party service) and a custom plugin, so we have regular username/password login disabled.


(Christoph) #6

I must be misunderstanding something. I was thinking that if people can have a magic login link delivered to their email, why should they have to bother coming up with a password when they sign up (i.e. a password that they will never need)?


(Jeff Atwood) #7

You are denying them the second security factor of a secret password string at that point, though. I agree that if their email is compromised they are hosed either way, since a password reset can be issued via email.


(Christoph) #8

No, not denying. Just not requiring it.


(Jeff Atwood) #9

The other downside is that if you lose control of the email in that scenario you literally can’t log in. Whereas if you lose control of email with a password on your account, at least you can log in to the website and PM the staff to help fix it (associate another email).
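Added example, not Discourse's own code: a minimal Ruby model of the email login link discussed in the posts above. It shows the properties such a link needs so that "control of the email address" does not degrade into a weaker factor than it already is: the emailed token is stored only as a SHA-256 digest, it expires after a short TTL, and it can be redeemed once. `MagicLinkStore`, `TTL` and the injected clock are assumptions for this illustration.

```ruby
require "securerandom"
require "digest"

# Minimal magic-link issuer/verifier (hypothetical, for illustration).
# The raw token goes only into the email; the store keeps its digest,
# so a leaked database does not yield usable login links.
class MagicLinkStore
  TTL = 10 * 60 # seconds a link stays valid

  # `now` is injectable so expiry can be exercised deterministically.
  def initialize(now: -> { Time.now })
    @now = now
    @tokens = {} # digest => { email:, expires_at:, used: }
  end

  # Generate a 256-bit random token for the given address and return the
  # raw value to be embedded in the emailed link.
  def issue(email)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[digest(raw)] = { email: email, expires_at: @now.call + TTL, used: false }
    raw
  end

  # Return the email the link belongs to, or nil if the token is unknown,
  # already used, or expired. Marks the token as used on success.
  def redeem(raw)
    entry = @tokens[digest(raw)]
    return nil if entry.nil? || entry[:used] || @now.call > entry[:expires_at]
    entry[:used] = true
    entry[:email]
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```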


(Jeff Wong) #10

I actually kind of like the idea of not requiring passwords. It gets rid of some of the hurdles to create a new account in the same way OAuth does. OAuth already doesn’t require a password for new accounts - if a user only signs in with OAuth and loses access to the OAuth account, same boat.


(Jeff Atwood) #11

Are you aware of any large-ish mainstream site that has done away with passwords on local accounts entirely? I’m not…


(Jeff Wong) #12

I’m actually annoyed that I’m finding nothing to answer your question. Auth0, for all it brags about how passwordless is the future, still requires a password to sign up on its own site. So I suppose this is only a pipe dream.

For sites that don’t offer oauth and offer sign-in email and I can’t be bothered to add the passwords to a manager, I type garbage in the field just to have something, and rely on the reset password/password signin links. It’s functionally the same (for me) as having no password.


(Jeff Atwood) #13

Don’t do that, use the browser autogen password features… this is enabled in all new Chrome browser versions as far as I know. Right click to trigger.


(Jay Pfaffman) #14

So requiring a password is useful only for people who know their password and lose control of their email address. That seems like a pretty small set of circumstances, as in my limited experience, people who have lost control of their email address usually don’t notice until they try to reset their password. :wink:

Cool! I can stop pseudo-randomly whacking my keyboard. (But the people that I’ve been dealing with on new migrations aren’t capable even of whacking random keys on their keyboard. They’ll never find that generate password thing.)


(Erlend Sogge Heggen) #15

Definitely on the ish-end of large but: https://opencollective.com


(Jeff Atwood) #16

That is a reeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeally generous interpretation of the word “large”.


(Christoph) #17

But that will also save the password in the browser’s keychain, right? Not the safest thing to do.

And: mobile. In fact, for me this passwordless thing is mainly about mobile. I use keepass on all my desktops but generating and saving a new password on mobile is still a pain (and probably will be for a long time).


(Sam Saffron) #18

It is bad on mobile but not terrible if you are using LastPass (or are locked into the Safari world), because it integrates into Safari, so I can simply “fill password” in two clicks.


(Christoph) #19

I’m using KeePass (also on mobile) and it works fine filling in existing passwords. Are you saying that LastPass also allows you to create a new password in two clicks?