Why just passwords?
Why does Kinopio have only password based login?
Because all the other options are worse
Let's go through them:
Password-less auth with an emailed token
(like Notion and Slack) is much easier to implement, but the sign-in process can be very annoying for users.
E.g. you go to sign in, but now you have to open up your email app, get emailed a link to sign in, and then your email client opens a different or embedded browser, so now you have to copy and paste a thing into another thing.
Sign In with Google/Facebook/GitHub/hell
Signing in with third-party OAuth providers is the easiest thing to implement, and gives you 2FA for free.
But in exchange for that convenience, you're giving over user data to big tech corps and the advertising-industrial complex that's ruining the web, and damaging democracy.
Also, you can't just offer one of them, because someone will inevitably tell you that they don't have a [Facebook] account. So your sign-in screen ends up looking like a rainbow-colored mess of corporate logos, and the user has to remember which of these services they used with your particular service.
And lord help you if they sign in with a different one later and think that their data has disappeared.
Because browser password managers
A lot of the old advice about avoiding password requirements, because users will make their own (bad) ones, is still true, but it's mitigated a lot by password managers, especially the ones built into browsers that autosuggest passwords.
Password managers also make signing back onto your service effortless.
Yes, storing passwords sucks
Ideally it's a liability I wouldn't need to have. But off-the-shelf encryption packages and best practices like rate-limiting are widespread and well-enough documented that I can provide a high degree of safety around them.
I also prevent users from making passwords less than 4 characters long, and disallow passwords that match a part or whole of the email address (which I'm told is very common user behaviour, sadly).