Passwords can be leaked by sites in a number of ways; to avoid the risk
of doing that ourselves, we don't use them — we can't leak what
we never had in the first place!
Instead, the site will send you an email with a special link that, when
clicked, will log you in. This link:
- is only valid for 1 hour
- can only be used once
- can only be used in the same browser session
- will only be sent to the email address registered with your username
Is this secure?
Yes! Accounts are most commonly compromised because their owners either
re-used a password that was leaked elsewhere, or used one that is
easy for an attacker to guess. With the rapid proliferation of internet
accounts we all have, it's almost impossible not to do either (or both!)
of these things (unless you use a password manager — which you
should!). We avoid contributing to the problem by
creating a very-hard-to-guess password for you and emailing it to you
in an easy-to-use format; all you have to do is click the link!
Isn't this less secure than a password?
No! If you think about it another way, this is no different than if you
have forgotten your password on most sites: they send you an
email with a special link in it that, when clicked, allows you to change
your password. Effectively, your email is already the "gateway" into a
lot of your online accounts anyway.
But isn't email insecure?
Yes, it is! Which is why you should never use email to send private
information like passwords. To address this, we give the emailed
link an expiration time and "lock" it to the same browser
session so that only you can use it.
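
For readers who want to see how the four link properties listed at the top (and the expiry and session "lock" just described) can be enforced, here is an added sketch. It is not this site's actual code; the class name, the in-memory store and the session-id strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds: the link "is only valid for 1 hour"


class MagicLinkStore:
    """Hypothetical in-memory store of pending login links."""

    def __init__(self, registered_emails, clock=time.time):
        self._emails = registered_emails  # username -> registered address
        self._pending = {}  # sha256(token) -> (username, session, expiry)
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Only a hash is kept server-side, so a dump of the store
        # does not yield tokens that could be clicked.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, session_id):
        """Return (recipient, token), or None for an unknown username."""
        email = self._emails.get(username)
        if email is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expiry = self._clock() + TOKEN_TTL
        self._pending[self._digest(token)] = (username, session_id, expiry)
        # The recipient is always the registered address, never an
        # address supplied with the login request.
        return email, token

    def redeem(self, token, session_id):
        """Return the username to log in, or None if the link is rejected."""
        # pop() makes the link single-use. Design choice in this sketch:
        # a failed attempt also consumes the link.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        username, bound_session, expiry = record
        if self._clock() > expiry:
            return None
        # The link only works in the browser session that requested it.
        if not hmac.compare_digest(bound_session.encode(), session_id.encode()):
            return None
        return username
```
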