
Small change to Medium takes large axe to passwords

'This login will self-destruct in 15 minutes'

Let's file this under “what could possibly go wrong?”: blogging platform Medium has decided to skip passwords in favour of a one-time-pad* single-use-token approach.

If you're a cool kid who doesn't mind your credentials being shared, you can still sign in with Twitter or Facebook, but there still exist Luddites who want to use a unique ID to log into Medium, and among those, there's still a significant fraction who reckon nobody else ever used “passw0rd” as their password.

The Twitter/Facebook approach also has problems for people who want to blog on Medium: if they want anonymity, they at the very least need to suffer the inconvenience of creating a dummy account; some people don't have Twitter or Facebook accounts (or the services are illegal where they live).

So instead, if you click the “log in” button on Medium, you'll get e-mailed a login link that lasts for 15 minutes – a use-once-and-discard access token.

Medium's Jamie Talbot explains the decision thusly:

“It sounds counterintuitive, but this is actually more secure than a password-based system. On most services, if someone guesses or cracks your password, they gain access to your account until you change your password, which might not be for a long time. You might never know that they have access. With this email-only system:

  • You’re automatically notified when someone tries to sign in.
  • The sign in link expires after a short amount of time.
  • The sign in link can only be used once.
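As an added illustration, not Medium's code and not from Talbot's post, here is a minimal server-side token store that enforces the three properties listed above: a notification for every sign-in request, a 15-minute expiry, and single use. The class name, the injectable clock and the sample addresses are assumptions made for the example.

```python
import hashlib
import secrets
import time


class MagicLinkStore:
    """Issues and redeems single-use, time-limited login tokens (constructed example)."""

    TTL_SECONDS = 15 * 60  # the 15-minute lifetime Medium describes

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._pending = {}           # sha256(token) -> (email, expires_at)
        self.notifications = []      # stand-in for the e-mail sent on each sign-in request

    def issue(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable, not crackable offline
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._clock() + self.TTL_SECONDS)
        self.notifications.append((email, "sign-in requested"))  # user learns of every attempt
        return token  # only the raw token leaves the server, inside the e-mailed link

    def redeem(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token can be consumed at most once
        if entry is None:
            return None  # unknown, forged, or already used
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # the link is dead after 15 minutes, even if never used
        return email


def demo():
    """Walk through the three outcomes: first use, replay, and expiry."""
    now = [1_000_000.0]
    store = MagicLinkStore(clock=lambda: now[0])
    tok = store.issue("alice@example.com")
    first = store.redeem(tok)    # "alice@example.com": fresh link works once
    second = store.redeem(tok)   # None: the same link cannot be replayed
    tok2 = store.issue("alice@example.com")
    now[0] += 16 * 60            # 16 minutes pass
    late = store.redeem(tok2)    # None: expired before use
    return first, second, late, len(store.notifications)
```

Storing only the hash means a leaked database does not hand out live links; the weak point the article goes on to describe, the mailbox the raw token is sent to, is outside what any such store can protect.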

For all the rapturous applause this move has received from less technical media, The Register notes that Talbot's post waves away an important point: that this move means the security of your Medium account is no better than the security of your e-mail.

“Even if Medium required passwords, we’d need a forgot password system, and they could use that to gain access by sending a password reset to your email address”, Talbot writes.

“Access to your e-mail” doesn't need to be as sophisticated as a hack. It may merely be that a co-worker leaves their laptop logged in while they visit the bathroom or fetch coffee.

So El Reg will watch with interest. If this solution proves workable, we'll applaud, but between ourselves, we don't expect the feature to last. ®

*Bootnote: Corrected to avoid confusion between the author's metaphor and the accurate meaning of "one-time pad". ®
