For my next web site, I intend to try something
extraordinary special plain weird. I will go down the security-through-obscurity approach to user accounts and logins.
It’s an idea I have had for a while, and I’m sure that it’s been implemented elsewhere in various shapes and forms, but I figured that I will give it a go. And I’m only considering it because the web site I’m thinking of building will not hold any mission-critical, sensitive or otherwise volatile information.
The idea is simply this: Abandon logins and use a unique id/hash/token/whatever-you-want-to-call it. So basically, you go to the website and say “Hey, I want to create an account, here’s my e-mail address!”.
What the website will reply is simply:
We have created an account for you. Go here to start using our service:
Yes, the only thing you need to login is the URL. Make sure to bookmark it so that you don’t forget it. And in case you forget it, the service will have e-mailed it to you.
The advantages? No need to login, just visit the site and start using the service. No need to remember passwords. Just visit the URL and you’re off!
The disadvantages? Others can guess the URL and “hack” you. But they are unlikely to suceed for a good while. And if they do, it’s just non-mission-critical, non-sensitive, non-volatile data that they get a hold of anyway. In my case, I imagine something like an RSS feed reader or something similar.
What happens if you accidentally lose your unique URL? Well, the service has your e-mail address, so it can easily send it to you.
For a service where I would like to share data with other people, it would be totally feasibly to generate other unique URLs for those users that will lead to the same account data, but with different access levels.
I don’t know… Could it be stupid enough to actually work? I will try it some time to find out.