https://blog.danielh.cc/blog/passwords

We replaced passwords with something worse

Daniel Huang

Too many services have been using the following login method:

* Enter an email address or phone number
* The website will send a 6-digit code
* Use the 6-digit code to log in

Please stop. This is terrible for account security:

* An attacker can simply submit your email address to the legitimate service, which then sends a real 6-digit code to you. You can't know for sure whether the code you received is meant for the login you started or for one the attacker started, so you can't tell whether you are entering it in the right place. Password managers (a usual defense against phishing) can't help you either: there is no site-bound secret for them to fill, only a code you can type anywhere.
* In fact, this attack method has been successfully used in the wild: Microsoft's login for Minecraft accounts uses this login method, and many accounts have been stolen already.
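To make the contrast concrete, here is an added illustration, written for this post and not taken from any vendor or from the author: a toy password manager that releases a credential only to the exact origin it was saved for, next to a toy model of the email-code flow the post criticises. The names (`OriginBoundVault`, `EmailCodeLogin`, `demonstrate`), the ten-minute validity window and the example addresses are all assumptions made for the illustration. The point it shows is the one in the text: the vault can refuse a lookalike domain because the secret is keyed by origin, whereas `verify()` in the code flow receives nothing but an email address and six digits, so the server has no way of knowing where the user read or typed the code.

```python
"""Added illustration for the post above (not the author's code): an
origin-bound credential versus a bare emailed code. Both classes are toy
models; every name and value in here is an assumption for the example."""
import hmac
import secrets
import time
from urllib.parse import urlsplit

CODE_TTL_SECONDS = 10 * 60  # assumption: a typical validity window


def canonical_origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port], the unit browsers and password
    managers compare before offering to autofill anything."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme.lower()}://{host}{port}"


class OriginBoundVault:
    """Toy password manager: a credential is released only to the exact
    origin it was saved for, so a lookalike domain is offered nothing."""

    def __init__(self):
        self._entries = {}  # origin -> (username, password)

    def store(self, url, username, password):
        self._entries[canonical_origin(url)] = (username, password)

    def autofill(self, page_url):
        # No fuzzy matching: "login-example.com" != "login.example.com".
        return self._entries.get(canonical_origin(page_url))


class EmailCodeLogin:
    """Toy model of the flow the post criticises. The server ties the code
    to an email address only; verify() carries no origin or session
    information, so a code typed into the wrong page looks exactly like a
    code typed into the right one."""

    def __init__(self):
        self._pending = {}  # email -> (code, expires_at)
        self.outbox = []  # constructed stand-in for the outgoing mail queue

    def request_code(self, email):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[email] = (code, time.monotonic() + CODE_TTL_SECONDS)
        self.outbox.append((email, code))

    def verify(self, email, code):
        entry = self._pending.get(email)
        if entry is None:
            return False
        expected, expires_at = entry
        if time.monotonic() > expires_at:
            del self._pending[email]
            return False
        # Constant-time compare on bytes so non-ASCII input can't raise.
        if not hmac.compare_digest(expected.encode(), str(code).encode()):
            return False
        del self._pending[email]  # single use
        return True


def demonstrate():
    """Run both toy models side by side and return the observations."""
    vault = OriginBoundVault()
    vault.store("https://login.example.com/", "alice", "correct horse")
    results = {
        "vault_real_site": vault.autofill("https://login.example.com/signin"),
        "vault_lookalike": vault.autofill("https://login-example.com/signin"),
        "vault_http_downgrade": vault.autofill("http://login.example.com/signin"),
    }
    login = EmailCodeLogin()
    login.request_code("alice@example.com")
    _, code = login.outbox[-1]  # what the user would read in the inbox
    # The check below is the whole of what the server knows: email + digits.
    results["code_accepted_without_origin"] = login.verify("alice@example.com", code)
    results["code_reuse_rejected"] = login.verify("alice@example.com", code)
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running it shows the vault returning the credential for the real origin and `None` for both the lookalike host and the plain-HTTP variant, while the email code is accepted on the strength of the digits alone and only the replay is refused. Single use and expiry are worth having, but they do nothing about the problem in the post, because the first use of a code is indistinguishable from a legitimate one.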