Medium's not terribly sensible password-less way to log in

Blogging platform Medium thinks it has come up with a really clever idea.

But I'm not so sure.

In a blog post, the site - which has previously allowed users to access Medium via Twitter or Facebook social logins - is introducing a new system that will allow you to log into Medium using your email address, but without requiring a password.

Today, we’re pleased to offer sign in and account creation on Medium using only your email address.

Authentication is serious business. We wanted to make our sign in process as secure and simple to use as possible, across all platforms. Passwords are neither secure nor simple. They're hard to remember or easy to guess, everyone re-uses them (even though they know they shouldn’t), and they’re a pain to type on mobile. They don't even keep you that safe.

Let's look at that bit by bit:

Passwords are neither secure nor simple.

Well, they can be - with a good password manager.

They're hard to remember or easy to guess

Not true - if you use a good password manager.

everyone re-uses them (even though they know they shouldn’t)

No they don't. Okay, so a lot of people do unwisely re-use passwords. But a good password manager can prevent that.

they’re a pain to type on mobile

Umm.. no, they don't have to be. If (yes, you guessed it) you use a good password manager.

So, now I've successfully debunked those opinions by Medium, let's look at how the site says its email-only authentication will work:

When you want to sign in to Medium, we’ll send you an email that contains a special sign in link. Clicking on that link will sign you in. That’s all there is to it. If you’ve ever used a “forgot password” feature, it works a lot like that, except you don’t have to forget a password to use it.


In other words, if your email account is ever hacked - the bad guys now have access to your Medium account too.

And if you ever leave your computer unlocked and unattended, a passer-by could access your Medium blog as well.

I would say that that's not a terribly sensible move by Medium.

Yes, too many internet users choose poor passwords, or reuse them on multiple sites.

But I think Medium would have done better to promote the use of password managers and some form of two-factor authentication rather than trying to kill off passwords entirely.

If they really wanted to offer higher levels of security they could require additional levels of authentication if they see a blogger sign-in from somewhere unexpected - or from a device that hasn't been used for the purpose before.

If you're going to reinvent your login system, why not maximise its security?

Don't get me wrong - I like that Medium appears to be no longer requiring users to own a Twitter or Facebook account. But I think they've gone the wrong way about opening up the service to other internet users. It seems a backwards-step to not also allow those users capable of choosing complex, hard-to-crack, unique passwords to opt for the traditional email/password method.

What they've done means that your Medium account is now only as secure as your email inbox. I hope you're doing a good job of protecting that.
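To make the trade-off concrete, here is an added illustration (not Medium's code, and not from the original post) of the server-side state behind the sign-in link described above, extended with the step-up check suggested earlier: the emailed token is stored only as a hash, is single-use, expires quickly, and a click from a device the account has never used before is not enough on its own. The class, method names and the 15-minute lifetime are assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: a sign-in link should not stay valid for long


def _digest(token: str) -> str:
    # Store only a hash of the token, so a leaked table cannot be replayed as live links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkService:
    """Hypothetical server-side state for an email-only sign-in flow."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}        # token digest -> (email, expiry timestamp)
        self.known_devices = {}  # email -> set of device identifiers seen before

    def issue(self, email: str) -> str:
        """Create a single-use token; the caller embeds it in the emailed link."""
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (email, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, device_id: str):
        """Consume the token from a clicked link and decide what happens next."""
        record = self.pending.pop(_digest(token), None)  # pop: a link is never valid twice
        if record is None:
            return ("rejected", None)
        email, expires_at = record
        if self.clock() > expires_at:
            return ("expired", None)
        # A link read out of a mailbox and opened on an unfamiliar device is exactly
        # the case the article worries about, so demand a second factor first.
        if device_id not in self.known_devices.get(email, set()):
            return ("step_up_required", email)
        return ("signed_in", email)

    def confirm_step_up(self, email: str, device_id: str) -> None:
        """Called only after the second factor succeeded; remember this device."""
        self.known_devices.setdefault(email, set()).add(device_id)
```

Without the `known_devices` check the `redeem` method alone is the flow Medium describes: whoever can read the mailbox and click the link gets a session.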



13 Responses

  1. Bob

    July 1, 2015 at 12:36 pm #

    And logging in sounds like a pain in the ass.

    What if I'm using a computer and don't want to log in to my email account?
    What if I access the link using my mobile? I'd only be able to access it on the device.

    A better, but not perfect (for the reasons given by Graham) alternative, would have been to send a one-time code to your email/mobile. Then at least you'd be able to log in the circumstances I have given above. I'm sure there are other scenarios too.

  2. Richard

    July 1, 2015 at 12:45 pm #

    Hi Graham,

    Great topic to start a debate on – and an interesting move by Medium. Just wanted to check your logic though.. because surely if 'the bad guys' have hacked your email then they can have access to ALL your services that provide a 'forgot password' service linked to your email identity ? Same applies to the case you describe of leaving your workstation unattended – with a password protected service, they can still choose reset password and follow the flow.
    Fully agree that password managers should be promoted but are you sure they've made things any worse by simply instigating a permanent state of 'forgot password' rather than the previous assumption that this only happens sometimes ?

    Richard.

    • Graham Cluley in reply to Richard.

      July 1, 2015 at 1:02 pm #

      Hi Richard

      "surely if 'the bad guys' have hacked your email then they can have access to ALL your services that provide a 'forgot password' service linked to your email identity ?"

      Yes, *if* the service doesn't ask you to answer some kind of security question to change the password or *if* it doesn't require you to confirm yourself through some form of two-factor authentication that you're authorised to reset your password.

      Hopefully services taking security seriously make you jump through some kind of hoops to confirm you are authorised to request a new password, rather than just emailing you a "reset password" link which could instantly allow a bad guy in.

      • Richard in reply to Graham Cluley.

        July 1, 2015 at 2:30 pm #

        Agreed – so your beef with these folks is in fact more to do with their lack of a 2nd factor than their 'clever idea' of equating access to an email account with knowledge of a password (as effectively these 2 constitute a single factor for services who allow reset by email).

  3. Dinosaur

    July 1, 2015 at 3:18 pm #

    "It seems a backwards-step to not also allow those users capable of choosing complex, hard-to-crack, unique passwords to opt for the traditional email/password method."

    I would agree with this statement if there were not a (??simple??) method to effectively login with a secure password.

    Simply create a dedicated email account with an email provider such as iaqwu9te3uikg0o3wx2pamuax6ie6bt9d2bop5rk@gmail.com, keeping both the email address and its secure password in your password manager.

    Simple https://youtu.be/Hl545RF6dXA

  4. Name required

    July 1, 2015 at 4:00 pm #

    Just logged on to Medium for the first time. I must say after looking there is no reason I would care if my account was hacked. It's just rubbish published by ourselves.

    • Matt J. in reply to Name required.

      July 4, 2015 at 12:11 am #

      Lots of blogs turn into mostly 'rubbish' . But if you are one of the few determined to raise the level of discussion on at least a few threads, you really don't want someone sabotaging your efforts by impersonating you.

  5. Coyote

    July 2, 2015 at 1:43 am #

    "Passwords are neither secure nor simple."
    Actually, it seems they are rather simple. Most use basic passwords, after all, and they are often reused. That means they are easy to remember (see below and [1]). Passwords are a weak link to what should be a long chain of security. Consequently, passwords by themselves are indeed weak. But so are other things by themselves. For instance, your logic is very weak (as I get to below).

    "They're hard to remember or easy to guess,"
    You have that reversed. It is hard to guess and easy to remember. Or at least, without password managers, that would be the way to go about it. Yet your statement above ('nor simple') contradicts this, doesn't it? If they aren't simple then why are they easy to guess?

    "everyone re-uses them (even though they know they shouldn’t)"
    Everyone is a far stretch of the imagination. But.. it does make one think (and probably not too much of a stretch of the imagination) that YOU do re-use passwords. I wouldn't at all be surprised if that is the case. Given your other points, it seems plausible. But never mind that.

    "and they’re a pain to type on mobile."
    Maybe so. I can't really judge there because I hate phones (technology is one thing, the actual device is another).

    "They don't even keep you that safe."
    QUESTION: how do you think your users access email? That is, how do they authenticate? Magic? Or maybe they log in to another email account? Perhaps they log in to Medium (which means another email)? Basically you've taken a password out of the equation. Yet you point out they don't keep you 'that safe'. So wouldn't you want more than one? Yet you instead remove one. Trying to improve security by removing a link in the chain… that boggles my mind. Not sure I am surprised, but it really is hard to imagine. It is certainly a terrible idea unless you would rather weaken security (which unfortunately you are doing).

    Brilliant. Also logical, very logical indeed. And 1+1 = 10, right? (Okay, to be fair, it IS 10 in binary.. but many wouldn't understand this…)

    [1] Also, while on the subject of simple. If you look at the most abused passwords, you would understand that they are actually far too simple. What with password, password123, qwerty, a sequence of digits (in numerical order), a sequence of letters (in lexicographical order) or the same digit or letter X times. Yes, very complicated indeed…

  6. Techno

    July 2, 2015 at 10:15 pm #

    I just noticed yesterday that Virgin Mobile seem to have disabled paste in the password field. Some websites already seem to disable right-click on this field but you can still use Ctrl-V. But Virgin Mobile seem to have gone the whole way and completely disabled it.

    This makes my password manager more inconvenient as I have to type the long and difficult password in letter by letter.

    This seems to be a well-meaning change that actually makes things more insecure as it will discourage the use of password managers and difficult passwords. If all websites do it then my password manager effectively becomes useless.

    • Gary Williams in reply to Techno.

      July 3, 2015 at 1:03 pm #

      I hate sites which disable copy and paste. Every site I create an account on has a different, strong password thanks to Keepass. The sites which disable copy n paste just make it harder for me to copy n paste from Keepass and so tend to be the ones that have weaker passwords. It's a totally stupid "security" measure.

      • Techno in reply to Gary Williams.

        July 5, 2015 at 7:57 am #

        I've worked out a way round it in Keepass. Change the auto-type for the entry so that it is {PASSWORD} only (delete everything else). Then place the cursor in the password field, right-click and select "Perform Auto-Type". This inserts the password one character at a time.

  7. SolutionShark

    July 7, 2015 at 7:21 pm #

    Here is a good alternative way to using password managers that is illustrated well by Mozilla in this video – https://plus.google.com/+SolutionSharkPlus/posts/d5Z9F95BgrP

  8. Angus Bradley

    September 7, 2016 at 11:12 am #

    >>Not true – if you use a good password manager.
    You may be overestimating the ability of the average user here. Many of our users have no idea what a password manager is, let alone how to use it.
