Passwords are terrible.[0] At least 65% of people reuse passwords, either on multiple or every website they regularly visit.[1] And most of these passwords are poor[0], often composed entirely of numbers, common words like "password", OSINT like DOBs or pet names, or whatever the simplest password is that passes the website's arbitrary "strength" designation. Not only are there better ways to get people logged into your sites, these methods are faster, and simplify the back-end. Unfortunately, this system doesn't entirely eliminate the use of passwords, but it significantly decreases their use cases and consequently the threat posed to their data. A password (passphrase!) should only be used for a password manager[3], to secure their keys. The password manager's database can then be kept entirely locally and strongly encrypted.

Doing it better
===============

When a user wants to create an account on your website, randomly generate them a key to log in with:

    import os

    def generate_key():
        # 16 bytes from the OS CSPRNG, hex-encoded and prefixed with 0x
        return f'0x{os.urandom(16).hex()}'

... is enough: /dev/urandom is designed to be uniformly random.[2] So, given there are 2^128 possible 16-byte sequences, the chance of two users being given the same key is approximately 0,00000000000000000000000000002938735877055719%. For comparison, there are ~2^160 possible SHA-1 hashes. And for perspective, you'd need to be struck by lightning 2.448.946.564.213.099.300.000.000.000.000.000.000.000 times to generate the same key twice. But - applying the birthday problem - about 18.446.744.070.000.000.000 people would have to sign up to your website for there to be a 50% chance of a new user being given the key of an already existing user. So such a simple function is more than enough.

Flow
====

Using this key system is not dissimilar to using a traditional password system, for either party.

* When a user clicks "sign up" on your website, generate a key and give it to them. Server-side, store this key like a password - hashed.
  Additionally, suggest that the user store this key in a password manager.
* When a user clicks "login" on your website, ask them for their key, and compare it to your database in the same way you would a password.
* A user has accidentally leaked their key and must change it. Solution: give them the option to generate a new one.

Additionally, two-factor authentication can be used, as it would be with a password-based system.

Strengths of a key-based system
===============================

0. Keys are unique by design: there is no opportunity for an end-user to reuse or create a weak password, because they're given one.
1. Keys are consistently secure: a key is a key is a key. There's no requirement for different websites to implement their own password strength checks, because keys are always equally (very!) secure.
2. Keys encourage password management: '0xf500653d66aa14fe7bc1af256b6034ad' is unwieldy for an end-user's 'notepad of passwords', encouraging them to secure their key with a password manager.
3. Keys are easily written digitally: for websites with mobile apps, a user's key may be written to a QR code to be scanned by the user's device, providing a seamless login process.
4. Keys are easily generated: many programming languages provide, if not in their standard library, a cross-platform CSPRNG perfectly suitable for generating keys.
5. There is only one key: users needn't remember a username and password for every website they visit; they instead must only store a key.
6. Keys are easy to reset: if a user forgets or exposes their key, a new one can be generated. Easy.
7. Exposed keys quickly depreciate: if user keys are stolen in a database leak, then once those keys are reset the leak holds no value - a user can't reuse keys across websites.
8. Databases are strengthened by storing keys: many users' passwords may be easily cracked given they are weak, but a hashed 16 bytes of pure randomness places brute-forcing well out of reach.
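The sign-up, login and reset steps above, together with the birthday-problem arithmetic behind the key-generation section, as one added Python example. This is not code from the original post: generate_key follows the post's function, while KeyStore, hash_key, key_is_well_formed, collision_probability and users_for_collision_probability are hypothetical names introduced here, the in-memory dict stands in for a real user database, and PBKDF2-HMAC-SHA256 with a per-user salt is the assumed way of storing a key "like a password".

```python
import hashlib
import hmac
import math
import os

# Added example, not the post's own code: key generation as the post describes
# (16 bytes from os.urandom, hex-encoded with a 0x prefix), the birthday-bound
# arithmetic behind its collision claims, and a sign-up / login / reset flow
# that stores keys the way the post says to store passwords: hashed.

KEY_BYTES = 16


def generate_key() -> str:
    """Return a fresh 128-bit key from the OS CSPRNG: '0x' + 32 hex digits."""
    return f'0x{os.urandom(KEY_BYTES).hex()}'


def key_is_well_formed(key: str) -> bool:
    """Reject anything that is not '0x' + 32 lowercase hex digits before any lookup."""
    body = key[2:]
    return (key.startswith('0x') and len(body) == 2 * KEY_BYTES
            and all(c in '0123456789abcdef' for c in body))


def collision_probability(users: int, bits: int = 8 * KEY_BYTES) -> float:
    """Approximate chance that at least two of `users` independent keys collide.

    Standard birthday approximation: p ~ 1 - exp(-n^2 / (2 * 2^bits)).
    """
    space = 2.0 ** bits
    return 1.0 - math.exp(-(users * users) / (2.0 * space))


def users_for_collision_probability(p: float, bits: int = 8 * KEY_BYTES) -> float:
    """Invert the approximation: how many users before the collision chance reaches p."""
    space = 2.0 ** bits
    return math.sqrt(-2.0 * space * math.log(1.0 - p))


# --- Server side: keys are stored hashed with a per-user salt, never in the clear ---

def hash_key(key: str, salt: bytes) -> bytes:
    # 128 bits of real entropy already puts brute force out of reach; the
    # iteration count is defence in depth in case a weaker secret ever lands here.
    return hashlib.pbkdf2_hmac('sha256', key.encode(), salt, 100_000)


class KeyStore:
    """Hypothetical in-memory user table standing in for a database."""

    def __init__(self):
        self._users = {}  # user_id -> (salt, hashed key)

    def sign_up(self, user_id: str) -> str:
        """Generate a key, store its hash, and hand the key to the user once."""
        key = generate_key()
        self._store(user_id, key)
        return key

    def login(self, user_id: str, key: str) -> bool:
        """Compare the presented key to the stored hash, as a password check would."""
        if not key_is_well_formed(key):
            return False
        record = self._users.get(user_id)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong key.
            hash_key(key, b'\x00' * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(hash_key(key, salt), stored)

    def reset_key(self, user_id: str) -> str:
        """A leaked key is replaced with a new one; the old hash is discarded."""
        key = generate_key()
        self._store(user_id, key)
        return key

    def _store(self, user_id: str, key: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, hash_key(key, salt))


if __name__ == '__main__':
    store = KeyStore()
    key = store.sign_up('alice')
    print('alice key:', key, '| login ok:', store.login('alice', key))
    new_key = store.reset_key('alice')
    print('old key still works:', store.login('alice', key),
          '| new key works:', store.login('alice', new_key))
    print('users for a 50%% collision chance: %.3e' % users_for_collision_probability(0.5))
```

Two details worth noting: the comparison goes through hmac.compare_digest so that response time does not depend on how many bytes of the hash matched, and an unknown user still pays for one hash computation so that account existence is not revealed by timing.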
Strengths of a password-based system
====================================

0. Passwords are memorable and easily typed: keys' randomness is their greatest strength and deepest flaw. Passwords - passphrases - are irreplaceable (by keys) for physically logging into devices, for example.

In Practice
===========

A system similar to this is used by the Mullvad VPN service.[4]

[0] Exactly 86% of Have I Been Pwned?'s database was analysed (cf. https://www.troyhunt.com/86-of-passwords-are-terrible-and-other-statistics/)
[1] https://services.google.com/fh/files/blogs/google_security_infographic.pdf
[2] https://tools.ietf.org/html/rfc1750
[3] https://keepassxc.org/
[4] https://mullvad.net/