If websites generated passwords for their users, it would fix so many problems.
- Keep users from reusing passwords.
- Keep users from using weak passwords.
- Remove the anxiety of creating passwords.
- Show people they don’t need to remember every password.
- Be less complicated than doing 2FA.
- Be easy to write down.
- Speed up and improve the sign-up process.
- Create fewer support tickets.
- Create herd immunity.
- Work the best for the lazy and people who don’t care.
- Help lower liability.
It Removes Anxiety
When you generate passwords for users you remove the anxiety that comes with password requirements. No more entering 5 different passwords until you create one the website likes.
The less you require people to think when creating an account the less anxiety they have and the quicker they start using your service.
But People Won’t Remember Them?!
The biggest critique I get is that users won’t remember the generated password.
That’s the problem; people are trying to remember passwords.
The average user has over 100 passwords, and it’s increasing every year.
That is over 100 different passwords following 100 different password requirements. It’s no wonder people hate passwords; trying to remember all of that is not possible.
No one expects you to remember phone numbers anymore as we have contact apps, so why are passwords any different? Why are we keeping people in the mindset that they need to remember all their passwords? The problem is not the password but the archaic way we train people to keep passwords.
It’s Not 2004 Anymore!
You can’t use the internet without a web browser, and every web browser offers to save passwords for you. Not only do they save them, but they also autofill them.
For the paranoid or less skilled, you can still write down the password. Writing the password down in a book is far better than reusing the same or similar passwords.
The problem of storing passwords has been solved for years. You can store passwords in your browser, password manager, text file, spreadsheet, or even in a physical notebook. Anything is better than reusing passwords.
2FA Is Not The Solution
90% of Google users don’t use any kind of 2FA. That is because the average user finds 2FA complicated.
Also, 2FA is not an excuse to reuse passwords. Yet that is how many users are treating it. If you’re using 2FA so you can keep using your bad password, you don’t have 2FA anymore and purposely defeated the whole point of having TWO factors.
The users will keep using their bad and reused passwords at more places, and further increase their attack surface. If Ring had generated the passwords for their users instead, they would have solved their problem, had fewer steps to sign up and log in, and lowered the attack surface for their customers too.
It’s also easier and more cost-effective for a company to generate the passwords for users than to implement 2FA of any kind.
You also have the privacy issue that comes with SMS 2FA – but that is why many companies do 2FA. They don’t want to better protect your account; they want another data point to give to advertisers. If they cared, they wouldn’t allow password resets via SMS.
Generating Passwords Is Simple
People think generating the passwords for users would look like “KekYRJiMk8tp?WMD4?B+” which is not the case.
A passphrase like “glimmer splendor patio salvation” would be fine. A passphrase is simple to write down, less likely to mess up, and simpler to understand than the crazy password rules so many sites have.
A website could go down to 3 words instead of 4 if they do proper brute-forcing protection and peppering of the passwords. Even if an attacker got ahold of the password hash, proper peppering would make it costly to crack, at no cost to the user.
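What "peppering" looks like in practice, as an added example that is not code from the post: a server-side secret (the pepper) is mixed into the password with HMAC before the usual salted, slow hash, and it is kept outside the user database. A stolen table of hashes is then not enough to start cracking, because the attacker is missing an input. The pepper value, the PBKDF2 iteration count and the storage string format are assumptions for the example; brute-forcing protection (rate limiting failed logins) is separate and not shown here.

```python
import hashlib
import hmac
import secrets

# Constructed pepper for the example. In production the pepper lives outside the
# user database (an environment variable, a secrets manager or an HSM), so a
# dump of the table alone does not give the attacker the input to the hash.
PEPPER = bytes.fromhex("0f" * 32)      # constructed value; never hard-code a real one
ITERATIONS = 600_000                   # PBKDF2-HMAC-SHA256 work factor (assumed)


def _pepper(password: str, pepper: bytes) -> bytes:
    # HMAC the password with the pepper rather than concatenating the two, so
    # the pepper cannot be stripped off or length-extended.
    return hmac.new(pepper, password.encode("utf-8"), "sha256").digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Per-user random salt + peppered password -> PBKDF2. The stored string
    carries the parameters so the work factor can be raised later per user."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time
    so the check does not leak how many bytes of the digest matched."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _pepper(password, pepper), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("glimmer splendor patio")       # constructed passphrase
    print(record)
    print(verify_password("glimmer splendor patio", record))   # True
    print(verify_password("glimmer splendor patios", record))  # False
```

Note that without the pepper the record cannot even be verified by the legitimate service, so the pepper needs the same backup and rotation care as any other key: rotating it means re-hashing each user at their next successful login.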
You could also take 2 random words and insert a random number at a random position in the two words.
Example: “salo8nreturn”, “trapezoidunderdo23ne”, “letter671reflux”.
Not only would an attacker need to guess the two words but also the number and where that number is located – the problem is exponentially worse for them but still easy for the user to write down. A cracking tool would need to crack one character at a time due to the randomness of where the number will be and what the number is. At 1 trillion guesses per second, a 14-character password like this would take 97 years to crack. At 15 characters, it would take 3,500 years to crack.
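A generator for both schemes above (random words, and two words with a number inserted), as an added example that is not code from the post. It draws from Python's `secrets` module, the CSPRNG a site should use for this, rather than `random`. It also reproduces the post's 97-year and 3,500-year figures, which assume a character-by-character search over letters and digits, and alongside them computes the entropy of the scheme itself: since the generator code on a website is effectively public, that second number is the one to size the wordlist and number range against. The wordlist here is a constructed stand-in; the entropy figures assume the EFF large wordlist (7776 words), a number from 0 to 999, and about 14 possible insertion positions.

```python
import math
import secrets

# Constructed mini wordlist standing in for a real diceware-style list such as
# the EFF large list. Only the size of the list matters for the entropy maths.
WORDS = [
    "glimmer", "splendor", "patio", "salvation", "disk", "anything", "thrash",
    "parsley", "salon", "return", "trapezoid", "underdone", "letter", "reflux",
    "bleep", "subatomic", "untainted", "swimming",
]
EFF_LIST_SIZE = 7776   # size of the EFF large wordlist, used for the entropy figures
NUMBER_RANGE = 1000    # inserted number is 0..999 (assumed; the post shows 1-3 digits)


def passphrase(words=WORDS, count=4):
    """`count` random words, picked with the OS CSPRNG behind `secrets`.
    `random.choice` would be the wrong tool: its state is small and seeded
    predictably, so an attacker could reproduce the sequence."""
    return " ".join(secrets.choice(words) for _ in range(count))


def two_words_plus_number(words=WORDS):
    """The post's variant: two words joined, with a random number inserted at
    a random position (inside either word or between them)."""
    joined = secrets.choice(words) + secrets.choice(words)
    number = str(secrets.randbelow(NUMBER_RANGE))
    pos = secrets.randbelow(len(joined) + 1)   # 0 .. len(joined) inclusive
    return joined[:pos] + number + joined[pos:]


def scheme_bits(list_size, count, number_range=0, avg_positions=0):
    """Entropy of the generator itself: the search space for an attacker who
    knows how the passwords are built (the scheme, not the characters)."""
    bits = count * math.log2(list_size)
    if number_range:
        bits += math.log2(number_range) + math.log2(avg_positions)
    return bits


def brute_force_years(length, alphabet=36, guesses_per_second=1e12):
    """Average time to find a password by trying every string of `length`
    characters over `alphabet` symbols (a-z plus 0-9 = 36) at the post's rate."""
    average_guesses = alphabet ** length / 2
    return average_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(passphrase())
    print(two_words_plus_number())
    print(f"4 words: {scheme_bits(EFF_LIST_SIZE, 4):.1f} bits")
    print(f"3 words: {scheme_bits(EFF_LIST_SIZE, 3):.1f} bits")
    print(f"2 words + number: {scheme_bits(EFF_LIST_SIZE, 2, NUMBER_RANGE, 14):.1f} bits")
    print(f"14-char brute force: {brute_force_years(14):.0f} years")
    print(f"15-char brute force: {brute_force_years(15):.0f} years")
```

The character-level figures come out at roughly 97 and 3,500 years, matching the post; the scheme-level figures are about 52 bits for four words, 39 bits for three words and 40 bits for two words plus a number. Those smaller numbers, not the character count, are what the peppering and login rate limiting discussed above have to cover.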
Speeds Up The Sign-Up Process
Generating the password would also speed up the sign-up process. You won’t need to try 5 different passwords until the site is happy with the one you’ll forget anyway.
When you sign up, the website generates a password for you. The website can either allow you to print out a page with the password or offer the user a PDF of it. You take that print out and put it in a binder full of your passwords.
Older generations understand this and would benefit hugely from this style of password saving. The younger generations will just save it in the browser or password manager or print it out too. Throw in a QR code, and it could make logging in on Mobile even easier.
Generating the passwords would also get people in the habit that every website should have its own unique password. People think they need a strong password when in reality, they need unique passwords for every account.
You can have a 100 character “strong” password, but it’s only as strong as the weakest sites you reuse it on.
This would also make them more likely to take password storage more seriously too.
Fewer Support Tickets
Tickets for the help desk will go down. Someone forgetting their password is simply that: they forgot because they kept it in their head.
If your users write down or save the password, they are less likely to forget it. You can’t forget something that is not in your head.
The help desk would also avoid the users who don’t seem to get password requirements. No more users telling you they used an uppercase but come to find out they used “uppercase numbers” instead. Yes, I’ve run into people saying they’ve used “uppercase numbers” before.
If all users are using unique passwords, you have herd immunity to many attacks.
No point in attacking a service to get the passwords if those passwords are not good anywhere else.
It would also help against credential stuffing attacks on the server as no user is reusing passwords. You also avoid the simple passwords that far too many people use too.
Perfect For The Lazy And The People Who Don’t Care
This method is also the best for the lazy and the people who don’t care. You can’t get any lazier than having someone do something for you, like generating the password.
And if you don’t care, you can do what you always do, nothing. If you choose not to let the browser save it for you, which many do automatically anyway, you can always later go to the password reset link and get back in.
A Bad Generator Is Still Better Than Reusing Passwords
There is the issue of a service using a bad password generator, but even then, that is not a huge issue.
Even if you use a password generator that gave every 1 in 1,000 people the same password, it’s still better than those people using the same password they used on other websites.
If the password generator was predictable you would also need to predict the order and time users signed up. The order and time people sign up are naturally random which makes a predictable generator random again.
Once again, it’s not 2004 and doing proper random generators is not hard. A website would have to go out of their way to screw it up. Not saying it’s not possible, but I wouldn’t let a small chance of that stop us from keeping most people safe.
The Issue With Liability
Disclaimer: I’m not a lawyer.
You also have the downside of liability. If someone’s account gets hacked, they could sue you because you forced them to use a password they did not create.
The reality is that people can sue you for anything, and people still do sue even when they get to make their own passwords. After Ring’s “hacks,” they have a class-action lawsuit against them, and they allowed users to pick their own passwords.
At least if you’re making the passwords for the users, you’re lowering your chances of them reusing passwords or using something simple. You’re damned if you do and damned if you don’t. The lesser of the two evils is to generate the passwords for the users to remove the chance they screw themselves over, as happened with Ring.
What If I’m Not Near My Password Book?
Another con people bring up is the “what if”: what if they don’t have their password book?
After having a password manager and giving every account a unique password, I’ve noticed how much this is not as big of a problem people think it is.
If it’s a password you use all the time, you eventually remember it or place a note in your wallet, or use a password manager app.
Sure, there might be that one time you’ll need for some reason to log into your bank while at a home loan closing, but I wouldn’t let something that you’ll maybe do once in your life keep you from being more secure.
What could be so important that it can’t wait till you get home or call someone?
The people who make this argument are looking for a 1% problem to keep them from solving 99% of their issues.
What If Users Reuse That Generated Password?
An argument I get against generating passwords for users is that the user will think this password is strong, so they’ll reuse it in other places.
It’s a fair argument but also shortsighted.
If you have a user who loves to use “Fluffy123” for everything and one day, a site generates the password “bleep subatomic untainted swimming” do you believe that the user will give up using “Fluffy123”?
Let’s say the user does give up using “Fluffy123” and starts using “bleep subatomic untainted swimming”; they would run into many websites that reject this password because it’s either too long or lacking a special character, number, or uppercase.
The great thing about this problem is that it naturally fixes itself over time. The more websites that generate passwords for users, the fewer options the user has to reuse passwords. The more sites that generate passwords for users, the more it trains people for the right mindset that passwords are meant to be stored, not remembered.
Is people reusing generated passwords an issue? Yes, but I wouldn’t cut off my nose to spite my face.
What Should Websites Do?
Should every website generate passwords for its users?
No, expecting them all to do it is not possible.
There are websites that should strongly consider it. Ones like security cameras come to mind as we’ve seen from the whole Ring “hack”.
The best approach will be what WordPress does.
WordPress generates the passwords for the users, but they also give you the option to enter your own password. While entering your own password is not obvious, it’s better to go this route to better protect the masses.
I would go the route of using passphrases like the picture below instead of random characters that WordPress uses.
Did you know: WordPress powers 1/3rd of the internet? There have already been a lot of people letting a website generate the password for them since 2015. Yet, no one complains about it. Everyone I meet who is against letting websites generate passwords for users is unable to explain the lack of users complaining that WordPress generates passwords for them. I have friends who know nothing about building websites using WordPress and not one of them complains about how WordPress generated the password for them. If anything, they brag about having this long password as if it’s a competition.
My theory for why no one complains is that the strength bar is still shown. If you generate the password and the strength bar says it’s strong, it’s reassuring to the user. People like being told what to do, and the strength meter reassures them that they’re doing everything right.
Take A Clue From TOTP 2FA
I made mention that websites could let users print out a sheet that contains their password and username. For many users, they trust and understand paper a lot more.
I also mention adding a QR code will make logging in on mobile easier. I get this idea from TOTP 2FA.
TOTP is a form of 2FA that uses a QR code to save the secret. TOTP combines that secret with the current time to give you a 6 digit code you use to login to websites.
The best part to me is the QR code. With a QR code, it’s easy to transmit information to a computer with a camera from the non-digital world. Here is the data that is stored in a TOTP QR Code.
This string tells us the website name, email address, and the secret. What is interesting is that the secret is simply a randomly generated password. That is what gives TOTP 2FA its strength, not the ever-changing code. If we allowed users to make their own secrets in TOTP we would have the same issue we have now with password reuse.
If we followed the same format we could use it for logging in or saving passwords on our phones. Just like scanning the QR code for TOTP 2FA you have the users scan the QR code for their new account and let the iPhone, Android or password manager store the password for them.
Or if the user prefers they can keep it in paper form. With the QR code, it’s easy to interchange them.
The string inside the QR code could look like this.
passauth://firstname.lastname@example.org&secret=disk anything thrash parsley
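The two QR payloads side by side, as an added example that is not code from the post. The first half parses an otpauth:// URI (the Key URI format Google Authenticator and most TOTP apps read: otpauth://totp/LABEL?secret=BASE32&issuer=NAME) and computes the 6-digit code from its secret per RFC 6238, which is the point made above: the randomly generated secret is the only thing the code depends on besides the clock. The second half builds and parses the proposed passauth string. Two assumptions: the passphrase is percent-encoded so its spaces survive a scanner or URL handler (the post's string shows it with plain spaces; the parser accepts both), and the test secret is the RFC 6238 reference key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, unquote, urlsplit


def parse_otpauth(uri: str) -> dict:
    """Label, issuer and base32 secret out of an otpauth://totp/... URI,
    the string a TOTP QR code carries."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": query["secret"][0],
    }


def totp(secret_b32: str, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second time-step counter, dynamically
    truncated to `digits` decimal digits. Nothing but the secret and the clock
    go in, which is why the secret must be random and never user-chosen."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def build_passauth(account: str, passphrase: str) -> str:
    """The post's proposed passauth string, with the passphrase percent-encoded
    (assumption) so the spaces survive a QR scanner or URL handler."""
    return f"passauth://{quote(account, safe='@.')}&secret={quote(passphrase)}"


def parse_passauth(uri: str) -> dict:
    """Inverse of build_passauth; also accepts the plain-space form from the post."""
    prefix = "passauth://"
    if not uri.startswith(prefix) or "&secret=" not in uri:
        raise ValueError("not a passauth string")
    account, secret = uri[len(prefix):].split("&secret=", 1)
    return {"account": unquote(account), "secret": unquote(secret)}


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890" in base32); constructed URI
    demo = "otpauth://totp/Example:alice@example.org?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    fields = parse_otpauth(demo)
    print(fields)
    print(totp(fields["secret"], at=59))          # 287082 per the RFC test vector
    s = build_passauth("firstname.lastname@example.org", "disk anything thrash parsley")
    print(s)
    print(parse_passauth(s))
```

A phone or password manager reading the passauth string would file the secret under the account name exactly as an authenticator app files a TOTP secret; the site itself never needs to store the string, only the password hash.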
The printout could look like this.
Clearly I’m dreaming here as this will more than likely not happen. But I still need to put it out there because you never know what ideas could branch from it.
Some people may not know this but your smartphone is already equipped to read QR codes natively. Go ahead and open your camera app on your phone and hold it over the QR Code below to be taken to Google’s homepage.
Here is a video showing you how to use QR codes.
What About WebAuthn Or Other Password Killers?
We’ve been trying to kill passwords for decades.
In 2004 Bill Gates predicted the end of passwords, and yet they’re still here.
We have promises of WebAuthn and many others, but they seem to never go anywhere. The biggest reason why these options don’t go anywhere is because they’re not as simple as passwords.
People get passwords. We have smart people working on great tech like WebAuthn, but these smart people forget about Nana who will never grasp the concept, but she does get passwords.
We would be better off evolving passwords into something better. Generating passwords for users doesn’t require much change in how websites are set up now, unlike those password killers. And people don’t have to learn any new tech or buy an expensive fob.
Sometimes the best solution is the easiest one.
Once you get people used to the evolution of generated passwords, it will help to bridge the gap to things like WebAuthn. Jumping right to WebAuthn will be too much of a leap, as people’s mindsets for such things are not there yet. It’s like trying to teach a caveman how to drive a car – let’s get him used to riding a horse first.
The Number Of Passwords Is Only Going To Get Worse
Passwords are a fact of life for the foreseeable future. They’re not going anywhere, and people will keep gathering more and more accounts that need passwords.
We, as a society, are better off generating passwords for users to get them in the correct habit to better secure everyone as a whole.
Am I Wrong?
If you think I’m wrong I would love to hear about it in the comments below. Maybe I’m missing something?
Need A Password Manager?
Here are our picks for password managers.
1. 1Password - Best all-around.
2. Bitwarden - Best free option.
3. Dashlane* - Best for new users as it holds your hands more.
4. Roboform* - Feature-packed, has been around the longest, plus a free option. The only one with a bookmark manager, which I've found useful lately.
*May receive a commission.