DEV Community

Christopher Cavalea

Passwords Are Bad UX

My spicy hot opinion of the week: passwords are bad UX.

Why do we force users to create passwords? Better yet, why do we force them to create a password, impose significant limitations on how they create it, and then punish them if they cannot remember it?

We live in an internet age, where web applications assist in essential and common human interactions every second of every day. Every one of those web applications requires that users create a password. And every password we require users to create makes them worse off.

Users are worse off with passwords because they create opportunities for pain where none existed before. All of these scenarios occur when you force users to create a password:

  1. Users must remember the password, or pay for a tool that will remember/create the password for them.
  2. Users must walk through cumbersome password recovery flows if they forget their password.
  3. Users will randomly get kicked out of applications when their auth token expires, leading to (1) and (2).
  4. Users must monitor or pay for software that monitors every password they've ever made, in case this information is leaked to the dark web.

When a user encounters one of the above while using your application, they can attribute their pain directly to you and your app.

I would argue that it is irresponsible from a UX/UI perspective (not just a security perspective) to force users to create passwords.

Is there no better way to ensure a secure connection than a piece of text? Well, of course there is. For example, Google has rolled out passkey support for Google Accounts. This gets rid of passwords AND 2FA for Google accounts that opt in.

However, there may be other options, and I urge you all to sit down and think for a few minutes today about the question:

What would the world look like without passwords?

Top comments (1)

Phil Ashby

Thanks for the amusing hype about one of our (devs) favourite topics - authentication 😁

  • I definitely agree that passwords are bad UX!
  • It's not too new a take, indeed Dan Goodin wrote an excellent article for Ars Technica last year: arstechnica.com/information-techno...
  • There are of course free password managers (I use one: KeePassXC), however there are good and bad points about the use of such tools.
  • Access recovery flows cannot be eliminated, however they can be eased by having a number of alternate credentials (as Google offers), with 'passkeys' being one of them.
  • "Passkeys" is a marketing term which appears to be sticking (no problem there, but I wanted to point it out), the official protocol proposals are defined by the FIDO alliance, in particular the latest CTAP 2.1 and WebAuthn 2 available here: fidoalliance.org/specifications/do... and which are worth reading as a dev 😉

Thanks again for contributing to DEV!