A Case Against Passwords


Every now and then someone in my family complains about not being able to log in somewhere. The reason? They forgot their password. Whenever this happens, I then have to help them reset it. This usually does restore access, but it does not solve the underlying problem: passwords are not and never were user friendly.

Why Are Passwords So Difficult?

Early on the web, passwords were a simple way to authenticate users. You pick a secret, something only you know, and use it to prove your identity. This works as long as nobody else can guess or steal that secret.

Over time, attackers got better at doing exactly this. Large password leaks became common, and computers got fast enough to try millions of guesses in a short time. As a result, websites reacted by creating more and more rules for passwords. Suddenly you needed at least 8 characters, a mix of uppercase and lowercase letters, numbers, special characters, and sometimes regular password changes on top of that.

Understandable from a security point of view, but not very friendly for actual people.

NIST later adjusted its guidelines, recommending longer and more memorable passwords instead of short, complicated ones. But many services still follow the old rule sets. Faced with these requirements, people often fall back to predictable patterns like “Summer2023!” or small variations of old passwords. This makes them easier to remember, but also easier to guess.

To compensate, the industry introduced 2FA and password managers. These help, but they also make the whole login process more complex than it used to be.

A Better Way Forward

There are several alternatives to traditional passwords. Some are more secure, some more convenient.

Hardware tokens, like YubiKeys, are very secure because they rely on physical confirmation. Without the device, logging in is not possible. They work well, but carrying a separate device for every service can feel like a burden.

Passkeys are a more user-friendly option. They work with the devices people already use. A passkey is stored on your phone or laptop, or synced through services like iCloud Keychain or Google Password Manager. Logging in becomes as simple as using Face ID, Touch ID, or your device PIN. Because passkeys rely on cryptographic key pairs whose private half stays on your device and is bound to the site it was created for, they cannot be reused across services and are resistant to phishing.

Some Middle Ground

Sadly, support for passkeys is still limited. Many services have not adopted them yet, and some existing authentication tools do not support them well. In my own projects, I often use email-based one-time codes as a simple alternative.

Email codes are not perfect, but they are easy to understand. Users request a code when they want to log in, and developers do not need to handle password resets. The email provider also takes care of account recovery – not ideal, but better than a separate recovery process for each and every app and service.
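The request-a-code-then-verify flow described above, as an added example that is not code from the author's projects or authentication service: the `EmailCodeStore` class, its keyed hashing of stored codes, the ten-minute lifetime and the five-attempt cap are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # a code is valid for ten minutes (assumed value)
MAX_ATTEMPTS = 5             # wrong guesses allowed before the code is discarded


class EmailCodeStore:
    """Issues and verifies one-time login codes sent by email (hypothetical helper)."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key      # secret used to key the stored hash of each code
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # email -> (keyed hash, expiry time, attempts left)

    def _hash(self, email: str, code: str) -> bytes:
        # Store a keyed hash instead of the code so a leaked table is not directly usable.
        msg = f"{email.lower()}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, email: str) -> str:
        # secrets, not random: the code must be unpredictable. Six digits, zero-padded.
        code = f"{secrets.randbelow(10**6):06d}"
        # A new request replaces any earlier code for the same address.
        self._pending[email.lower()] = (self._hash(email, code),
                                        self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code  # the caller emails this to the user; it is never persisted in clear

    def verify(self, email: str, code: str) -> bool:
        key = email.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[key]          # expired codes are dropped, not retried
            return False
        if hmac.compare_digest(digest, self._hash(email, code)):
            del self._pending[key]          # single use: a code can only log in once
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[key]          # too many wrong guesses: user must request anew
        else:
            self._pending[key] = (digest, expires_at, attempts_left)
        return False
```

Limiting how often a code may be requested per address, and actually delivering it by email, are left to the surrounding application.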

Once the authentication service I use fully supports passkeys, I can integrate them without changing the general login flow.

Note: I am aware that social logins (like “Log in with Google” or “Log in with Apple”) are another popular alternative to passwords. However, I personally don’t implement them in my projects, as they often lead to vendor lock-in and also require additional systems for users to manage their authentication methods.

Conclusion

Passwords have been part of the web for decades, but they were never a great fit for how people actually use technology. They are easy to forget, easy to guess, and often the weakest part of any login system.

Newer methods like passkeys or hardware-backed authentication solve many of these issues by removing the need to remember anything and by making phishing much harder. These systems are not perfect and not yet supported everywhere, but they clearly point in the right direction.

Until they become more widely available, I’ll keep using simple and understandable approaches like email-based codes in my projects. And yes, I’ll keep helping my family reset their passwords — but hopefully not forever.

© 2025 Franz Josef Drexler