Since we launched 404 Media one of the most common feature requests we’ve received from readers is the ability to log into the site with a username and password, as opposed to the magic links used by Ghost, the open source publishing platform we use for our site and newsletters.
If you don’t have a 404 Media account, here is how magic links work: Rather than enter a username and password to register for our site and log in, you give us your email. We then send you an email with a link that you click, which logs you into the site. That email also comes with a URL you can copy/paste into the address bar of your browser of choice for reasons we’ll get into in a minute. That’s it. As long as you remain logged in you never have to think about this again, and if you are logged out or want to log in on a different device you just repeat the same process.
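To make the flow above concrete, here is an added example of a minimal magic-link issuer and verifier. It is not Ghost’s code or 404 Media’s; the URL shape, the 15-minute lifetime and the in-memory store are assumptions. The point it illustrates, which also bears on the password-hashing discussion further down, is that the site stores only a hash of a random, single-use, short-lived token and never anything a reader chose or reuses elsewhere.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: a sign-in link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60
# Server-side store: sha256(token) -> (email, expiry). The raw token is
# never kept here; it exists only inside the email the reader receives.
_pending: Dict[str, Tuple[str, float]] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a one-time token for `email` and return the sign-in URL."""
    now = time.time() if now is None else now
    # 256 bits of randomness: unlike a password, nothing here can be guessed
    # or cracked from the stored hash within the token's lifetime.
    token = secrets.token_urlsafe(32)
    _pending[_hash_token(token)] = (email, now + TOKEN_TTL_SECONDS)
    # Hypothetical URL; the real Ghost link format is not shown on the page.
    return f"https://example.invalid/signin?token={token}"


def redeem_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email to sign in as, or None if the token is unknown,
    expired, or already used. The entry is removed on the first attempt
    regardless, so a forwarded or replayed link cannot be used twice."""
    now = time.time() if now is None else now
    entry = _pending.pop(_hash_token(token), None)  # single use
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


def token_from_url(url: str) -> str:
    """Pull the token out of a sign-in URL (mirrors what the browser sends)."""
    return url.rsplit("token=", 1)[1]


def stored_secrets() -> list:
    """What an attacker who dumped the store would see: hashes only."""
    return list(_pending.keys())
```

Expiry, single use and hash-only storage are the three properties that let a breach of the store yield nothing usable.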
We find this to be a much easier login process and wish it was more common across the web where appropriate. But there’s a much more important reason why we have embraced Ghost’s login method and are not in a rush to develop our own solution for a username and password login in the same way we invested time and money in developing full text private RSS feeds for paying subscribers, for example. The gist is that it’s safer for us and for you to not share any passwords with us.
It’s impossible to say what the exact number is, but a huge portion of cybersecurity breaches start with compromised credentials. There are a few ways hackers can compromise your passwords, many of which Joseph has covered on 404 Media recently, but one common method is exploiting the fact that the majority of people reuse their passwords across the internet (a study of 28.8 million users found that 52 percent of them reuse passwords). This is why it’s much safer for people to use password managers that generate unique, strong passwords for every account, and why Have I Been Pwned is such an important resource: by keeping track of sites and services that have been hacked, it acts as a constant reminder to use a different password on every service. Otherwise, a hacker could take your password from that random forum hack, and then use it to break into your workplace account, or whatever other account shares that password.
It is standard best practice for sites that ask for your password to hash it, meaning even if a site got hacked, hackers can’t just run off with your password. However, that is not always the case, with some companies storing passwords in plain text, and depending on what hashing algorithm the site has used, hackers may be able to crack it.
But you know what’s the safest way for us to keep your password safe? Not asking for one to begin with. By not creating a password with us you have no risk of it leaking, and we don’t have to deal with the responsibility of keeping it secure. The sign in link is going to your email, which presumably is protected with two-factor authentication, if you have it set up (which you should!).
“The main reason (as you know!) is security,” Ghost CEO John O’Nolan told us when asked about the company’s choice to use magic links. “Passwords get hacked all the time, but they can’t be hacked if they don’t exist. Then what I would usually add to that is how this allows a small team like 404 to spend less time managing security administration, and more time investing in bringing you stories you care about.”
That being said, we want to acknowledge that the magic link system isn’t perfect because no system is. We also understand that some people don’t like the magic link system or have extenuating circumstances where it does not work for them, and would prefer a password system. We’re writing this article in part to explain our thinking behind having the magic link system and to explain why a password system is not currently feasible for us.
We have, on a couple of rare occasions, heard users complain that the emailed links take a while to come in. This almost never happens and when it has we’ve seen it resolved within a few hours. More often than not, users will sign up to our site via a work email with aggressive security or content filtering rules that block our emails. If you ever think that might be the case for you please reach out to support@404media.co, but also keep in mind you are always free to change the email associated with your account to a personal email address. We want to make our articles as easy as possible for subscribers to access, which is why we set up private RSS feeds that don’t require a login to read our stories.
Probably the most common problem people run into with magic links is they think they have logged into the site on their normal browser, but they’re actually logged in through an in-app browser. For example, someone might receive the login link in their email. They open up the Gmail app, click the “Sign in to 404 Media” button, and their phone loads the webpage. But this is loading the website in Gmail’s web browser, not your native Safari one. People then navigate the site as they would normally in their default browser, and are surprised when they are not logged in. These two browsers are not sharing any cookies or login sessions.
It’s annoying when apps open stuff in their own browsers rather than the phone’s native one. This is a more fundamental design issue with how many apps or operating systems work. A solution on iPhone is, when receiving the login link, to press and hold the “Sign in to 404 Media” button to bring up the contextual menu, and hit “Open Link.” This will open the link, and sign you in, on your native browser. Or, copy and paste the sign-in link, which is also in the email. Regardless, we recommend you log in to 404 Media wherever you expect to read it.
We totally understand that this is a frustrating experience, and frankly a flaw with the mobile web in general. But we also recognize that for a lot more people, not having to remember or save a password is the easiest, most preferred, most secure option we can offer right now. The benefits of the magic link system outweigh the costs, both to us as a small business, and to our readers who are privacy-conscious.
Ultimately, it is much safer for us, and for you.