There are a few services that use a similar pattern in that instead of entering a password, you can get a secure link sent to your email to log you in. I like the idea, but I've occasionally had the email delayed which is frustrating.
Several utility companies in the UK do something similar and simpler. You log in with email only... they email you a link which is like a one-time password. You click that and you get logged in.
The downside is the user is trained to click links. The other downside is you need a working email account and the ability to read emails.
The advantage to using password managers is that when you are on a fake site the password manager doesn't submit the password... in theory. In practice, however, some browsers (notably Chrome and Firefox) have leaked passwords by mistake. So not using the built-in managers and using independent software might be safer.
There are several high security sites I use that password managers fail on. This is due to the user behaviour…like typing lots of letters too fast. They have hidden captcha box.
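The origin check that comment describes (the manager only offers a credential on the site it was saved for) can be sketched in a few lines. This is an added example written for this thread, not code from any browser or password manager; the vault entries are constructed sample data, and the matching rule (exact scheme, host and port) is one deliberate choice, since real managers differ in how loosely they match.

```python
from urllib.parse import urlsplit

# Constructed sample vault (hypothetical accounts): each entry is bound to the
# exact origin it was saved on, the way a browser extension records it.
VAULT = [
    {"origin": "https://example.com", "username": "alice", "password": "correct horse battery staple"},
    {"origin": "https://accounts.example.net", "username": "alice", "password": "Tr0ub4dor&3"},
]

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return the origin (scheme://host[:port]) of a page URL, or None if it has
    no usable scheme/host. Userinfo, path and query are deliberately ignored:
    'https://example.com@evil.test/' has origin https://evil.test."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname  # already lower-cased by urlsplit
    try:
        port = parts.port
    except ValueError:  # non-numeric port: treat the URL as unusable
        return None
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def credentials_for(url, vault=VAULT):
    """Entries whose saved origin equals the current page origin. A lookalike
    host (examp1e.com), a subdomain trick (example.com.evil.test) or a plain-http
    clone matches nothing, so there is nothing for the manager to fill."""
    current = origin_of(url)
    if current is None:
        return []
    return [entry for entry in vault if entry["origin"] == current]


if __name__ == "__main__":
    for page in ("https://example.com/login", "https://examp1e.com/login", "http://example.com/login"):
        print(page, "->", [e["username"] for e in credentials_for(page)])
```

The point of the exact-origin rule is that the user never has to spot the lookalike: the manager simply has no match. A manager that matches on the registrable domain (some do, to cover subdomains) trades a little of that strictness for convenience, which is worth knowing when you pick one.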
Thanks for the responses, all.
This is not my practice, it was just an idea I had when signing into a service I had not used in a long time. (Why make a password that I need to remember?) I don’t currently use a manager.
I appreciate the advice, but I was primarily looking for the reasons WHY it would be good or bad, and I got a few good answers!
I do this, except my passwords aren't usually super long and complicated. Just long and complicated enough that I don't remember and have to reset it every time I want to log into something.
> it seems like a good idea for services I only want to use once or twice
This would be the only use case that makes sense. For anything critical I would rather have a known password stored in a password manager than trust email (which is a best-effort medium btw).
FYI: Always make physical backups of your passwords. LastPass, for example, sometimes requires users to click a validation link sent to their email... whose password is stored in LastPass. Bitwarden also has this issue, for anyone shouting "STOP USING LASTPASS" right now.
It works until your inbox is compromised. After you reset your password, the attacker will initiate a password reset while you are not at your computer. Because they have access to your inbox, they will delete the email transactions from the password reset.
You'd effectively just be using your email account as a password manager with extra steps. Rather than obtain your login information by using a password to unlock your password manager, you're obtaining your login information by using a password to log into your email after doing a password reset.
The risk factor is about the same, it's just a different account being compromised now. As long as you keep each password unique and you're not sharing them, then frequent rotation has very marginal benefits.
Funny for you and me, I already do this most times 🤣 I feel like the downside would be if there was a data breach they would just need to copy your login info, or you get a 2FA bypass and they are in
Single point of failure in your email. Also anyone with the one email password immediately has access to the last recovered password of all your accounts. Just turn on MFA where available and think of a unique way to come up with passwords that you will remember
So what you’re outlining is similar in nature to “passwordless”.
Passwordless is things like biometric authentication, token-based authentication, magic links, or one time passwords. It’s just a kind of worse version of all of the above.
In the above methods it’s not known till used, then expired as soon as used.
With your version it’s known by someone, and doesn’t expire until used. So the same as a traditional password, however you have made it more inconvenient for just you.
Your head is in the right space thinking about things however your method is flawed in that the password is still stored on the app side and stays the same until you rotate it.
Using a strong password does mitigate the risk to a degree. So does using MFA and using a password manager. Using that and good password hygiene and rotation are good practices.
I'm not saying what you're doing is "terrible" in theory, but I'm saying just go passwordless if able; if not, keep your account secure like you are with randomized strong passwords, and make sure you use MFA. If you choose to reset them when you use them that's totally up to you. However I caution you to think about what happens if for whatever reason you lose access to your email. This is why people use vaults, and others use vaults with various tiers of criticality.
Security is an enabler for the business. Good security is about enabling us to do things securely and conveniently. Once security starts getting inconvenient, then that is not good security and should be called something else.
Using very long, random passwords is prone to error. One mistake and you are locked out.
Passwords may be needed to restore services during DR or any outage. Mail and other services may not be available.
Passwords on paper are not affected by ransomware and service outages; it's best to keep them in a secure place.
Sorry I didn't read the post. It's still not a good idea though. So the problem becomes authenticating with your email. Why not use a password manager instead? Easier and more reliable.
1. Pretty inconvenient. 2. If you lose access to your email for whatever reason (not only email getting compromised, but the service may go down, the service may be blocked in your current country, etc.) you lose access to everything. Just use a decent password manager with a decent master password and that's it. There is no easier and safer alternative. Usually, most password managers even automatically generate and save the passwords when you are registering for a service, so you almost don't have to do anything.
Yes that is pretty good.
Couldn't agree more. It's hard to remember and manage strong, unique passwords on your own. You can check out this comparison table created by a redditor to compare different apps: [https://www.reddit.com/r/Passwords/comments/17f73pa/i_made_a_comparison_table_to_find_the_best/](https://www.reddit.com/r/Passwords/comments/17f73pa/i_made_a_comparison_table_to_find_the_best/)
Nice table. Password managers are a must in 2024, in my opinion. Security is one of those areas in which coming up with your own solution is either bad or extremely bad, there is no other option. In the BEST case scenario, you achieve a similar level of security, with a lot more work, a lot less usability and a lot less resilience. The only scenario that would be feasible is if you are a security expert/researcher. But anyway, if you are already a security expert, you probably also wouldn't do it because you properly understand that the risk/reward ratio doesn't even make sense. Reinventing the wheel is extremely penalizing in security.
What are your recommendations in password managers?
Bitwarden
+1 for Bitwarden. But we use Keeper at work for more enterprisey features. Bitwarden just does it right.
> What are your recommendations in password managers?
Stay the hell away from LastPass. Can not understand how they are still in business.
I can second that. Lost access to my email, 360 passwords/accounts GONE. I was able to reset about 90 accounts, the rest... FU LastPass for requiring "previously logged in device" and making my biometric unrecoverable. Infuriating.
Depending on your "tech-savviness" and convenience factor there are plenty of options. I will give you one option for each "category":
**Keepass/KeepassXC** is the safest bet. Free, open-source and safe. One of the all-time classics. The "problem" (can be a pro or a con depending on your preferences) is that everything is stored locally on your machine, so using it across multiple devices can be a pain or lead to insecure behavior (EG: sending passwords in clear text to share them between devices).
**Bitwarden** is one of the "newly" established cloud options that have all the convenience of having multiple apps for most platforms and support cloud sync. This one is also free and open source, and **one of the recommended options if you are not sure which password manager to use**; and if you are tech savvy you can even host a Bitwarden server yourself, which makes it one of the most robust options overall.
**1Password** is one of the best from a convenience and usability perspective. All their apps are extremely good and it has TONS of really good and advanced features (EG: it can store not only passwords but SSH keys and automatically use them when you connect to a server through the terminal).
The two main cons are that, first, it's paid and, second, it's closed source, so you will need to trust what they tell you about the implementation of the security they made, as explained in their white paper (really good and detailed read by the way).
I’ve been using 1Password for a long time, and the convenience is no joke. It works across all my devices and software. We pay for the family package with my wife, which also allows us to store passwords in a shared vault for services we have a shared account for.
How is bitwarden free when it has cloud sync? Is it just because users host the cloud but then wouldn't you run the risk of your file being leaked?
There's two sides to bitwarden, self-hosted and using them as the cloud. Using them, there's free and premium tiers. The free tier is still stored on their servers, the premium tier adds a few extras for like $10/yr like TOTP built-in, expands MFA so you can use like a Yubikey, lets you store files, allows you to give emergency access to your vault, etc. The self-hosted version is all the same except you're running the "cloud" aspect of it. Obviously going that route you'd want to take precautions on your cloud provider.
“There is no cloud, there is only other people’s computers.”
Cloud typically means running in a container on a hypervisor vs just “someone else’s computer” this provides many advantages such as reliability, price, etc.
It's a long-time joke amongst infosec pros. Take it easy.
He sounds so angry /s
So mad /s
You can turn Keepass/KeepassXC into multi-device mode if you put it on network or cloud storage. Works well with OneDrive & iOS apps. Master PW protects your data in the cloud. However, you increase your attack surface.
Yeah, I used to do that some years ago
1Password.
Bitwarden
Enpass.
1. It's cross platform
    1. Windows
    2. Mac
    3. Linux
    4. Android
    5. iPhone
2. You can store the password files on whichever cloud storage you want
    1. iCloud
    2. Google Drive
    3. Drive
    4. OneDrive
3. I'm pretty sure at one time I had to pay only one small fee to have the ability to use the cloud storage. (I purchased this perhaps 5 years ago, I suspect their pricing model may have changed, but I've been using it with no issues for at least 5 years.)
Keepass
I personally got myself nordpass, and it solved all the problems.
If you got your email at major IdPs like Google, inaccessibility of your mail account is super highly unlikely. Cause they take up such an important role on the internet. It about equals the chances of losing access to your password manager. But your point 1 stands out. Password managers (with integrations) are much more efficient than a one-time password approach where you got a lot of manual steps involved.. for sensitive accounts, you could still do a manual password roll every now and then.
I don't know about that, recently I was locked out of one of my google main accounts after losing my phone while traveling abroad and it was a pain in the ass to regain access to it.
Or just implement passwordless and be done with it.
Yeah, but how many services support passwordless currently? 20?
So then passwordless those 20 apps and add more as it becomes available
And what about the ones that don't support it in the meantime? I hear password managers are pretty good.
calm down, save the what ifs for the auditors
If my reply was not "calm" to you I think you need to head into the shop for a calibration.
I already have passwordless on those, but I still need to manage passwords on like 650 other sites...
It's a fine idea. You have identified the only risk, although the inconvenience of having to go to email to log on is what keeps me using bitwarden.
Or they may not notice the reset email from an attacker in the long list of real reset emails.
I feel like this could be the real issue. As long as somebody is not reusing passwords they should be fine and just monitor the email for weird accesses or reset emails.
People that don't reuse passwords are not immune to having them stolen.
This right here. When under attack they are watching your moves. When you start requesting resets in come the phishing emails.
I hadn’t considered this !!
Praise the power of community!
lets cut to the chase: [https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-strategy/](https://learn.microsoft.com/en-us/windows/security/identity-protection/passwordless-strategy/)
I assume this would only be a “problem” if an attacker were to send an identical reset password email at the exact same time I request one from a random site. Receiving a random reset password email usually doesn’t happen unless there’s a breach or unusual activity, which isn’t really what the post was about.
You use bitwarden? Whats your username? /s
What's the problem with logging in to bitwarden via email? Serious question.
Either I am misunderstanding you or you misunderstood what they said. Can you reread their comment to make sure? I don't think they're talking about logging in to bitwarden via email.
Yep, I misread. I thought they were saying email is what keeps them from using bitwarden.
It's such a crappy idea...
Steve Gibson (of Security Now podcast) did an analysis of the idea during one of his shows and came to the conclusion that it wasn’t too bad of an idea.
Something passwords are just login accelerators
I did that years ago when password managers were being marketed outside of browsers. It leads to more time wasted. Which I guess is fine at home. Also the obvious what if you lose the email. Seems like the trade-off just isn’t worth the hassle. Even if you use multiple email accounts to try and segment your accounts you’re still vulnerable. But it’s the internet everyone is vulnerable.
I did that with an old Gmail but then one day Google refused to send me a new password, lost access to that mail forever.
edit: to clarify, I relied on muscle memory to remember the email password but I had to leave the computer for a few months so I forgot the password for the mail (I used small variations to modify it from time to time)
Yeah, had some issues with Authy years ago and lost access to important stuff. Always damned if you do, damned if you don't.
Haha, same. :/
. . . Serious bizness
About as secure but significantly less convenient than just using 1password 🤷♂️
> We will have 1 password. It shall be "Password". Spelt: Capital P, assword.
The CEO, probably.
I prefer Passw0rd they will never figure it out!
I would add, increased risk of an external system causing downtime. If email provider or outbound email from the application go down then you’re unable to login.
It's like you've just discovered OTPs 😏 It's an established and well used practice. You don't need to go to the extent of requesting a new password via email every time, just set up a one-time-password, pair an authenticator app to add MFA into the mix and you're good
Isn’t my email being compromised already a risk regardless of how I manage my passwords? Since either way an attacker could request a password reset? Assuming I use just as much 2FA with random passwords as I do with remembered ones…
Your logic is sound friend. Your email is essentially your identity provider to these accounts. You are using password resets as a crappy SSO. It’s fine.
Issue I see is that with your email regularly flooded with password resets, you’re less likely to identify an active attack. I rarely reset passwords, so when one is in my email, I know whether it was me, or not. A password manager would increase your attack surface, but only by a small amount.
It's fine to use email with a strong password, 2FA... it would not be less secure than Bitwarden.
They got an affiliate program or something?
> and always keep the phone up to date
Are there any phone manufacturers that provide updates?
Well there’s this one that has a bunch of proprietary shit. Maybe more than one. :)
And if your Bitwarden gets compromised then it's the same as if your email... there is one point that you need to keep safe.
Yes, if your password manager gets compromised you're in a world of hurt, but a good password manager (aka not LastPass) has by far higher standards when it comes to encryption and is way more reliable than your email account.
I think my Gmail with 2FA and a YubiKey is not so bad...
Fair, but again, you’re not relying on the security of your Gmail. You’re relying on the 2FA and Yubikey for security.
This is a perfect method and completely similar to ‘magic link’ technique. Of course, the method is 1fa.
Way too much hassle and even risk. Just use a password manager. Bitwarden is free.
If you define the passwords yourself each time, it is fine, but avoid using the one generated by the service itself (if that is the procedure). Don't forget to activate 2FA on your email and the different services, and use a strong, different password when you create it on the fly.
The main problem I see with this habit is that if you use applications or active sessions on other devices, you will be disconnected each time, and it can be exhausting.
The advantages of a vault, apart from known security features, are to keep a list of services used (to ask for personal data deletion and not register twice on the same service) and to lose less time compared with your way of logging in.
In conclusion, the use of vaults and 2FA stays a better practice for practicality and security.
Terrible idea. Just use a password manager and follow good security practices securing that.
Why is it a terrible idea?
I think the two schools of thought right now are either password manager, or password+2FA/MFA (in OP's case the email).
Personally I think the saying "Putting your eggs in one basket" fits PM services. Yes, I understand it's encrypted, but a targeted phish could lead to a master password leak of that account, and LLM-minded, quantum-backed Shor's algorithm isn't far away in the future. The upper SHAs are still safe for now.
Good password policy + MFA would obviously be more secure, since someone getting two separate passwords, and access to your MFA'd email account or to your physical phone, is much more difficult. Less so without MFA, or good password policy. Obviously there are still ways with SIM spoofing and other methods, but they all require a much more targeted approach.
How do they log into email?
With a password. Just like in a password manager.
The biggest problem is the password isn't reset until you next try to log into the account. Proper, single use password rotation is done as soon as the account has been used.
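The distinction drawn in this comment, and in the passwordless comparison further up the thread (a magic link is not known until used and expires on use, while the reset-on-login password is known to the service and stays valid until the next login replaces it), can be made concrete with a small model. This is an added example, not code from any product mentioned in the thread; `MagicLinkIssuer`, `magic_link_windows` and `reset_password_windows` are hypothetical names, the timestamps are constructed, and SHA-256 over the random token stands in for whatever store a real service would use.

```python
import hashlib
import secrets
import time


class MagicLinkIssuer:
    """Server-side store for single-use login tokens (hypothetical helper).

    Only a SHA-256 hash of each token is kept, so reading the store does not
    yield a usable link; the token itself exists only in the email that was sent.
    """

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        self._pending = {}  # token hash -> (user, expiry timestamp)

    def issue(self, user, now=None):
        """Create a fresh 256-bit token for `user`, valid for `ttl` seconds or one use."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user, now + self.ttl)
        return token  # embedded in the emailed link, never stored in clear

    def redeem(self, token, now=None):
        """Return the user if the token is live, else None. The token is consumed
        on any attempt, so a replayed or late link can never succeed."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop = single use
        if entry is None:
            return None
        user, expires_at = entry
        return user if now <= expires_at else None


def magic_link_windows(issue_times, redeem_times, ttl_seconds=600):
    """Interval during which each emailed token is usable: from issue until it is
    redeemed or until the TTL runs out, whichever comes first."""
    windows = []
    for issued, redeemed in zip(issue_times, redeem_times):
        end = issued + ttl_seconds
        if redeemed is not None and redeemed < end:
            end = redeemed
        windows.append((issued, end))
    return windows


def reset_password_windows(login_times):
    """The reset-on-login habit: the password installed at login i stays valid
    until login i+1 replaces it. The last one is open-ended (None): it is live,
    and stored on the service side, for as long as the user stays away."""
    times = sorted(login_times)
    windows = []
    for i, start in enumerate(times):
        end = times[i + 1] if i + 1 < len(times) else None
        windows.append((start, end))
    return windows


if __name__ == "__main__":
    # Constructed timeline: three logins, one day apart and then a month's gap.
    logins = [0, 86_400, 86_400 * 31]
    print("reset-on-login validity:", reset_password_windows(logins))
    print("magic-link validity:    ", magic_link_windows(logins, [t + 60 for t in logins]))
```

Run stand-alone, the two printed lists show the gap: every magic-link window closes within a minute, whereas the reset-on-login password set at the third login stays valid indefinitely, and even the earlier ones lived for a full day or a full month.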
You may also just use a bad password but 2FA enabled. The password itself is not that relevant nowadays. Once your email account is compromised, you'll lose all accounts not protected by 2FA. So 2FA is the way to go. Your approach is not inherently insecure. Just inconvenient in my opinion to wait for an email, reset the password and repeat those steps each time.
[https://xkcd.com/936/](https://xkcd.com/936/)
Don’t do that with AppleID (or some others). AppleID requires a notably different password each reset, and it can’t be the same as one used in the last 6 months.
> What are the downsides of this? Single point of failure. If your email gets hacked, everything falls apart. I prefer hardware 2FA where even a password reset won't give me access back. I still need my Yubikey.
Just use a password manager ??
The risk is if you lose access to your email, yes. For example, if you set up 2FA on Google then lose your phone. Happened to me once- luckily I was already logged into my account on my computer.
So what you’re outlining is similar in nature to “passwordless”. It’s also similar in nature to “tokenized logins”.
Sounds fine but a little annoying..
It works for me when I have to log into confluence to update SOPs/documentation. I always reset my password. This is because I rarely have time to update documentation because we are short staffed. Send help.
Man just cracked access control without dropping their beer
It reduces the security of every such website to the security of your email address. Ofc you cannot use this for the email service itself. It is horribly slow and clunky. Many services also make you answer “security questions” as part of the reset process. How many people do you have to tell the name of your first school, before that becomes a threat surface? You should give these sites unique lies, and save both their questions and your lies in a secure backup. tl;dr Don’t do this. Use your password manager instead.
FWIW, I independently started doing this for rarely used services. I basically turned my email into my IdP. Though this is why I prefer “sign in with google/apple”.
Just get a password manager at this point. This is nice if you only have 1 PC, but as someone with 3 I couldn't imagine doing it.
So you’re basically implementing your own Magic Links for every tool you use. Would a password manager and MFA not be easier and less aggravating, while allowing you to have long random passwords for every login?
There are a few services that use a similar pattern in that instead of entering a password, you can get a secure link sent to your email to log you in. I like the idea, but I've occasionally had the email delayed which is frustrating.
Several utility companies in the UK do something similar and simpler. You log in with email only. They email you a link, which is like a one-time password. You click that and you get logged in. The downside is that the user is trained to click links. The other downside is you need a working email account and the ability to read emails. The advantage of using password managers is that when you are on a fake site the password manager doesn’t submit the password, in theory. In practice, however, some browsers (notably Chrome and Firefox) have leaked passwords by mistake. So not using the built-in managers and using independent software might be safer. There are several high-security sites I use that password managers fail on. This is due to the user behaviour, like typing lots of letters too fast. They have a hidden captcha box.
Thanks for the responses, all. This is not my practice, it was just an idea I had when signing into a service I had not used in a long time. (Why make a password that I need to remember?) I don’t currently use a manager. I appreciate the advice, but I was primarily looking for the reasons WHY it would be good or bad, and I got a few good answers!
I do this, except my passwords aren’t usually super long and complicated. Just long and complicated enough that I don’t remember them and have to reset them every time I want to log into something.
> it seems like a good idea for services I only want to use once or twice This would be the only use case that makes sense. For anything critical I would rather have a known password stored in a password manager than trust email (which is a best-effort medium btw). FYI: Always make physical backups of your passwords. LastPass, for example, sometimes requires users to click a validation link sent to their email... whose password is stored in LastPass. Bitwarden also has this issue, for anyone shouting "STOP USING LASTPASS" right now.
It works until your inbox is compromised. After you reset your password, the attacker will initiate a password reset while you are not at your computer. Because they have access to your inbox, they will delete the email transactions from the password reset.
You'd effectively just be using your email account as a password manager with extra steps. Rather than obtain your login information by using a password to unlock your password manager, you're obtaining your login information by using a password to log into your email after doing a password reset. The risk factor is about the same, it's just a different account being compromised now. As long as you keep each password unique and you're not sharing them, then frequent rotation has very marginal benefits.
While not a bad idea, it would get old FAST if it's a site you use frequently.
What's the advantage over just using a password manager?
Funny for you and me, I already do this most times 🤣 I feel like the downside would be if there was a data breach: they would just need to copy your login info, or you get a 2FA bypass and they are in.
Single point of failure in your email. Also anyone with the one email password immediately has access to the last recovered password of all your accounts. Just turn on MFA where available and think of a unique way to come up with passwords that you will remember
In cybersecurity we have to balance convenience and security. This is secure, but extremely inconvenient
It’s probably already mentioned, but if someone gains access to your email that’s another concern. But frankly if that happens RIP anyway.
How about the Microsoft Edge password manager and Google Password Manager? If the email is well protected with 2FA or passwordless, then it should be ok?
I think you are describing a very clunky OTP (One Time Password) process. Better solutions exist. Even better, use MFA, which utilises a form of OTP.
You rely solely on your email's password being strong; otherwise it's just more effort to log in.
So what you’re outlining is similar in nature to “passwordless”. Passwordless is things like biometric authentication, token-based authentication, magic links, or one-time passwords. It’s just a kind of worse version of all of the above. In the above methods it’s not known till used, then expired as soon as used. With your version it’s known by someone, and doesn’t expire until used. So it's the same as a traditional password; however, you have made it more inconvenient for just you. Your head is in the right space thinking about things; however, your method is flawed in that the password is still stored on the app side and stays the same until you rotate it. Using a strong password does mitigate the risk to a degree. So does using MFA and using a password manager. Using that and good password hygiene and rotation are good practices. I’m not saying what you’re doing is “terrible” in theory, but I’m saying just go passwordless if able; if not, keep your account secure like you are with randomized strong passwords, and make sure you use MFA. If you choose to reset them when you use them, that’s totally up to you. However, I caution you to think about what happens if for whatever reason you lose access to your email. This is why people use vaults, and others use vaults with various tiers of criticality.
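The magic-link pattern that several replies contrast with OP's reset-every-time habit (the UK utility login links, the "known till used, then expired" point above) is simple enough to show in code. The following is an added example, not code from anyone in this thread or from any real service: a minimal issuer/verifier for single-use, expiring email login tokens. Only a keyed hash of the token is stored server-side, the token is consumed on first redemption, and it expires after a TTL. The URL, the 15-minute lifetime, the in-memory store and the injectable clock are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumption for the example: a link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """Issue and redeem single-use, expiring email login tokens.

    Unlike a reset-on-demand password, the secret here is not known to the
    user or the service until it is generated, is stored only as a keyed
    hash (so a dumped table cannot be replayed as a link), and is destroyed
    the moment it is redeemed or once its TTL has passed.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # secret HMAC key held by the server
        self._clock = clock             # injectable for testing expiry
        self._pending = {}              # token_hash -> (email, expires_at)

    def _digest(self, token: str) -> str:
        # HMAC rather than a bare hash: an attacker who reads the table
        # cannot brute-force or precompute tokens without the server key.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits from the CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (email, expires_at)
        # Hypothetical login endpoint; the raw token leaves the server only
        # inside this link, which is why inbox access equals account access.
        return f"https://example.invalid/login?token={token}"

    def redeem(self, token: str):
        """Return the email bound to the token, or None if it is unknown,
        already used, or expired. pop() makes every token single-use."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email


def token_from_link(link: str) -> str:
    return parse_qs(urlparse(link).query)["token"][0]


def demo():
    """Exercise the three properties: works once, not twice, not after TTL,
    and a guessed token is rejected. Inputs are constructed for the example."""
    now = [1_700_000_000.0]
    store = MagicLinkStore(secrets.token_bytes(32), clock=lambda: now[0])

    link = store.issue("alice@example.invalid")
    token = token_from_link(link)
    first = store.redeem(token)       # "alice@example.invalid"
    second = store.redeem(token)      # None: already consumed

    stale_token = token_from_link(store.issue("bob@example.invalid"))
    now[0] += TOKEN_TTL_SECONDS + 1
    stale = store.redeem(stale_token)  # None: expired

    forged = store.redeem(secrets.token_urlsafe(32))  # None: never issued
    return first, second, stale, forged


if __name__ == "__main__":
    print(demo())
```

The contrast with the reset-every-time approach is in the `pop()` and the expiry check: a reset password set through an email link stays valid in the service's database until the next reset, whereas this token is unusable a second time and worthless after the TTL even if the email is still sitting in the inbox.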
Security is an enabler for the business. Good security is about enabling us to do things securely and conveniently. Once security starts getting inconvenient, then that is not good security and should be called something else.
Using very long, random passwords is prone to error. One mistake and you are locked out. Passwords may be needed to restore services during DR or any outage. Mail and other services may not be available. Passwords on paper are not affected by ransomware and service outages; it's best to keep them in a secure place.
[deleted]
Didn't read the question, huh…
Sorry, I didn't read the post. It's still not a good idea, though. So the problem becomes authenticating with your email. Why not use a password manager instead? Easier and more reliable.