My spicy hot opinion of the week: passwords are bad UX.
Why do we force users to create passwords? Better yet, why do we force them to create a password, impose significant limitations on how they create it, and then punish them if they cannot remember it?
We live in an internet age, where web applications assist in essential and common human interactions every second of every day. Every one of those web applications requires that users create a password. And every password we require users to create makes them worse off.
Users are worse off with passwords because passwords create opportunities for pain where none existed before. All of these scenarios occur when you force users to create a password:
- Users must remember the password, or pay for a tool that will remember/create the password for them.
- Users must walk through cumbersome password recovery flows if they forget their password.
- Users will randomly get kicked out of applications when their auth token expires, leading to the two scenarios above.
- Users must monitor or pay for software that monitors every password they've ever made, in case this information is leaked to the dark web.
When a user encounters one of the above while using your application, they can attribute their pain directly to you and your app.
I would argue that it is irresponsible from a UX/UI perspective (not just a security perspective) to force users to create passwords.
Is there no better way to ensure a secure connection than a piece of text? Well, of course there is. For example, Google has rolled out passkey support for Google Accounts. This gets rid of passwords AND 2FA for Google accounts that opt in.
However, there may be other options, and I urge you all to sit down and think for a few minutes today about the question:
What would the world look like without passwords?
Top comments (1)
Thanks for the amusing hype about one of our (devs) favourite topics - authentication
Thanks again for contributing to DEV!