Forgot Password Considered Harmful

The "forgot password" buttons on every web service mean that anyone who gains access to your email account also gains access to every other account you have, just by requesting a password reset from each one.

It also means that your email provider can hack all your other accounts at any time, since they already have access to your email.

This is a horrendous violation of common sense. We're always advised to "use different passwords on everything", but how much does that matter if you have one account that invalidates all your other security mechanisms?

This wouldn't bother me so much if it were something we could choose not to do. But the problem is that *none of us have any choice*, because almost no websites offer a setting to either disable password reset or encrypt the emails. Not even GitHub, a website specifically for programmers that *already allows you to set public keys on your account!*

It is *basic* security practice to let users either disable password reset or provide a public key to encrypt the emails with. Having password reset without a feature like this is worse than storing passwords in plain text. Even bloggers who write great stuff about security go on to make web services that effectively accept your email password as an alternative to the one you set, and there's nothing you can do about it.
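A sketch of the per-account setting described above, as an added example that is not code from this page or from any real service: reset is either disabled, sent as a token encrypted to the user's uploaded public key, or sent in plain text. All names, the account records and the RSA key pair are constructed for illustration, and token expiry is left out.

```javascript
// Added example; every name here is hypothetical, not from any real service.
const nodeCrypto = require("node:crypto");

// Constructed key pair standing in for a public key the user uploaded.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});
const OAEP = { oaepHash: "sha256", padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING };

// Constructed accounts, one per reset setting.
const accounts = new Map([
  ["alice", { email: "alice@example.org", reset: "disabled" }],
  ["bob", { email: "bob@example.org", reset: "encrypted", publicKey }],
  ["carol", { email: "carol@example.org", reset: "plaintext" }],
]);
const pendingResets = new Map(); // username -> SHA-256 of the outstanding token
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest();

// Returns the mail to send, or null when the account is unknown or opted out.
function buildResetMail(username) {
  const account = accounts.get(username);
  if (!account || account.reset === "disabled") return null;
  const token = nodeCrypto.randomBytes(32).toString("base64url");
  pendingResets.set(username, sha256(token)); // the server keeps only the hash
  const body = account.reset === "encrypted"
    ? nodeCrypto.publicEncrypt({ key: account.publicKey, ...OAEP }, Buffer.from(token)).toString("base64")
    : token; // plain text: readable by whoever can read the mailbox
  return { to: account.email, mode: account.reset, body };
}

// What the user does on their own machine with their private key.
function openResetMail(mail, privateKeyPem) {
  if (mail.mode !== "encrypted") return mail.body;
  return nodeCrypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, Buffer.from(mail.body, "base64")).toString();
}

// Single-use redemption with a constant-time comparison of the two hashes.
function redeemResetToken(username, token) {
  const expected = pendingResets.get(username);
  if (!expected) return false;
  const ok = nodeCrypto.timingSafeEqual(expected, sha256(String(token)));
  if (ok) pendingResets.delete(username);
  return ok;
}
```

In the encrypted mode, reading the mailbox yields only ciphertext, so the reset can be completed only by whoever holds the private key; in the plaintext mode the mail body is the token itself.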

I've noticed it getting even worse in the years since I first wrote this. Many websites, if you log in under certain circumstances such as from a new IP address, refuse to let you in without going through an email or phone verification process. This is a disturbing trend: not only is access to your email account *sufficient* to access all your other accounts, it's also *necessary*. Passwords are becoming useless, phased out in favor of your email provider being your fucking custodial guardian.



Proxied content from gemini://yujiri.xyz/software/forgot-password.gmi
