{{< partial "deadly_cuts_head" >}}

*We sent an email to youremail@your.com* 🤦🏻

*I loathe Medium*, not least for popularizing the "magic link" pattern in 2014. Their rationale—passwords provide a worse user experience than email, as most people click "forgot password" anyway, so why not skip the middleman?

*No, it's not a worse experience.*

I have a password manager, and I press `Cmd-Shift-L`, and Bitwarden happily fills it in. I can even use auto-fill if a website plays nice. But not with websites that *ONLY* have ***Massive-Pain-In-The-Ass Links™️***.

I don't want to open my phone or email client to copy a code. Especially if I can't paste the code because a destroyer of webs never took HTML Forms 101.

Thanks to Medium and hundreds of other foolish lemming companies that followed their advice, my inboxes are spammed with sign-in codes.

*Thanks, Medium.*

## OAuth & SAML 🤬

Claude estimated **~30 million developer hours spent on OAuth confusion** alone. Security Assertion Markup Language (SAML) is even more confusing and probably burned more developer hours.

Every day, I have to fumble through different OAuth experiences as a user. Add an email address and wait for a ***Slow AF Redirect™***... Next, enter the username and password, then wait again. How many millions more hours are burned on these technologies per day?

## Your Password Doesn't Meet The Requirements

Passwords are better than ***Massive-Pain-In-The-Ass Links™️***, but companies *LOVE* password requirements as a torture device.

* At least 1 more or fewer characters than you entered
* One more capital letter
* Lucky you, more than one F or U makes your password disappear from your mobile device
* …and my favorite, no @!#?@!

![](images/qbert.png)

## Held CAPTCHA

***Massive-Pain-In-The-Ass Links™️*** are an annoyance runner-up to CAPTCHA. I'm not a fan of violence, but whoever thought this was a good idea needs a beating.

_Prove you're a human by entering [the following text](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454):_

Ë͖́̉ ͠P̯͍̭O̚​N̐Y̡ H̸̡̪̯ͨ͊̽̅̾̎Ȩ̬̩̾͛ͪ̈́̀́͘ ̶̧̨̱̹̭̯ͧ̾ͬC̷̙̲̝͖ͭ̏ͥͮ͟Oͮ͏̮̪̝͍M̲̖͊̒ͪͩͬ̚̚͜Ȇ̴̟̟͙̞ͩ͌͝

And who doesn't love preparing for the impending robot uprising while proving you're not a robot?

![](images/machine_learning_captcha.png)

**Credit (xkcd):** [Machine Learning Captcha](https://xkcd.com/2228/)

## Solutions

The new darling of the software development community is the [Passkey (or FIDO2/WebAuthn)](https://fidoalliance.org/passkeys/). I highly recommend trying this out if you haven't already.

Biometrics is another passwordless option, though it's less convenient if you're using a keyboard without a fingerprint reader. If you're on someone else's machine, it's also inconvenient, so be ready with a [YubiKey](https://www.yubico.com/) or your phone's camera.

There's no perfect solution, but hopefully we'll see fewer and fewer of these monstrosities in the future.

{{< partial "deadly_cuts_footer" >}}