I want to make this abundantly clear: while the presentation I have on the landing page is designed to sound like a joke, I am completely serious about using NilPass instead of a password manager like LastPass.

Auth0 published a blog post just a couple of days before I set this site up, all about how "passwordless login" is a better approach to authentication than the traditional password-based authentication most sites offer today. I loved that article, and it's certainly not wrong, but it only goes so far, as it was written from, and for, the perspective of a developer. That perspective gives little or no thought to what passwordless login means for the users themselves.

The thing is, while actual "passwordless login" in the form of an emailed link that in no way engages with passwords has been a slow-to-catch-on feature, the reality is that most sites already have a mechanism that allows us to log into the site with only an email and no password: the "I forgot my password" recovery system, whose presence has been nigh-on ubiquitous in the user account systems of every site I've interacted with, for at least the last decade.

The only problem with using password recovery mechanisms as a form of authentication lies in the way that most of them require the user to choose a new password when they visit the reset page. If there's any password on the account, it means there's a second way to gain access, on top of the passwordless email entrance. If there's no way to truly disable passwords altogether as a vector for access, the next-best solution is to fill the password with enough random data that the odds of stumbling upon it are vanishingly small (i.e. so that it would take thousands of years to guess it at random).

Unfortunately, humans are notoriously bad at picking strong passwords, even if they're trying to be completely random. Not only are there deep biases when humans just try to create a random sequence at all (here's another demonstration you can try for yourself), but it's compounded by the way that most password input forms require the user to come up with a reproducible password that they must prove by entering it, from memory, twice.

Enter NilPass. NilPass handles only the generation of an adequately strong password (its generator is literally just 80 crypto-random bits encoded alphanumerically), and, rather than putting effort toward persisting some means of re-using this dead-end authentication token, NilPass is carefully designed to ensure that the password will become unusable shortly after authentication: even if the user forgets to dispose of it, the password will be eliminated automatically after a set period of time. Essentially, in the NilPass model, passwords are seen as a legacy artifact, one that must be as thoroughly obscured as possible, so as to leave them effectively eliminated (similar to the approach taken by modern email clients to MIME boundary strings).

So yeah, that's the serious design rationale I put into NilPass. Feel free to contact me on whatever with your thoughts.

Stuart P. Bentley, April 1, 2017