Last Tuesday, I needed to access my streaming account. I'd forgotten my password—not exactly a rare occurrence in a world where I'm supposed to maintain 47 different login credentials with varying complexity requirements. I clicked "Forgot Password." And that's where my afternoon went sideways.

What followed was a sequence of events that would make airport security look streamlined by comparison. First came the email verification. Fine, I checked my email. Then it asked for my phone number to send a code. I provided it. Then—and this is where it got absurd—the system asked me to verify my identity by answering security questions I'd apparently set up three years ago and had completely forgotten.

The first question was: "What city were you born in?" I typed it. Wrong answer. Apparently, I'd entered "Chicago" back in 2021, but the system's verification was case-sensitive and had somehow corrupted my answer into "chicago" with a lowercase 'c.' I wasn't told this. I was simply denied.
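The lockout above comes down to how the stored answer is compared. The following is an added example, not code from the post or from any of the services it mentions: it puts the brittle exact-match check beside a comparison that normalises case and whitespace first, while still storing only a salted hash of the answer (the 100,000-iteration PBKDF2 setting is an assumption).

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Added example (not the post's code): a byte-for-byte comparison rejects
# "chicago" when "Chicago" was stored; a normalising comparison does not,
# and the answer is still persisted only as a salted hash.

def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer before it is hashed or compared.

    NFKC folds compatibility characters, casefold() is stricter than
    lower() (e.g. German ß -> ss), and whitespace is trimmed and collapsed.
    """
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())

def naive_matches(stored: str, supplied: str) -> bool:
    """The brittle check: exact, case-sensitive equality on plaintext."""
    return stored == supplied

def enroll_answer(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); only these are persisted, never the answer."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 100_000)
    return salt, digest

def verify_answer(salt: bytes, digest: bytes, supplied: str) -> bool:
    """Recompute the hash of the normalised answer; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(supplied).encode("utf-8"), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Constructed inputs mirroring the post's "Chicago" vs "chicago" lockout.
    print(naive_matches("chicago", "Chicago"))           # False
    salt, digest = enroll_answer("Chicago")
    print(verify_answer(salt, digest, "  chicago "))     # True
```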

This isn't just my experience. It's become the industry standard, and it's infuriating.

The Security Theater That Punishes the Innocent

Companies justify these elaborate password reset procedures under the guise of "security." They'll tell you it's to protect your account from hackers, to ensure that only the real you can access your data, to safeguard your sensitive information. Noble reasons, absolutely. The problem is that this security protocol works great for hackers and terrible for actual account owners.

Think about it logically: A hacker who's determined enough to attack your account probably has access to more of your personal information than you do. They know your mother's maiden name because they bought it from a data broker. They know what city you were born in because it's publicly available on social media. They've got your phone number from a previous breach. Meanwhile, you—the legitimate owner—can't remember whether you spelled it "Spokane" or "Spokain" when you set up that ridiculous security question in 2019.

The verification process often includes methods that are actually less secure than they appear. SMS codes, for instance. Hackers can intercept text messages or trick your phone carrier into rerouting them. Security researchers have repeatedly demonstrated this. Yet companies continue to rely on SMS as a "trusted" verification method, mostly because it's cheap to implement and gives them plausible deniability when things go wrong.

What we're really dealing with here is security theater. It looks secure. It feels secure. But it primarily punishes legitimate users who simply forgot their password, while determined bad actors can often find their way around it.

The Purposeful Friction Is a Feature, Not a Bug

Here's what really gets under my skin: I suspect a lot of companies actually want password resets to be painful. Not for security reasons, but for profit reasons.

When password reset becomes such a nightmare that users give up, those users stay locked out of their accounts. They can't use the service. Some eventually create new accounts with new passwords (generating more data for the company). Others forget about the service entirely and stop using it—which, if they were a paying customer, means the company just lost them without lifting a finger.

But here's the kicker: If someone is sufficiently frustrated during the password reset process, they might call customer service. And guess what? Many companies charge for premium customer support. Or they'll live chat you in circles for 45 minutes while you repeat the same information five times to five different chat representatives, each starting from zero because the company won't invest in basic communication infrastructure.

I've seen password reset processes that require you to verify your identity using information that was last updated when you were 22 years old and lived in a completely different state. Your phone number changed in 2015, but the system still expects the old one. Your security question asks about your childhood pet, but the company's database has somehow stored it incorrectly. You're locked out, frustrated, and increasingly likely to just abandon the account.

This isn't accidental. This is what happens when companies prioritize security theater and account retention over user experience.

The Inconsistency That Drives You Crazy

What makes this even worse is the complete lack of consistency across platforms. Some companies use biometric verification. Some use email. Some use SMS. Some use security questions. Some use a combination of all of the above, in a sequence designed to make you forget what you were even trying to do in the first place.

I reset my password on my Netflix account in about 90 seconds. No security questions. No phone verification. Just an email link and I was done. Simple, effective, reasonably secure. Then I tried to reset my password on my bank's website. Forty-five minutes later, after answering questions about houses I owned a decade ago and verifying my identity through three separate methods, I finally got access back.

Both companies claim they're protecting my data. One does it with respect for my time. The other treats me like I'm trying to access the nuclear codes. The difference isn't security. It's priorities.

What Actually Needs to Happen

Real security doesn't require bureaucratic nonsense. Passkeys—cryptographic credentials stored on your device—are becoming the standard that actually works. No passwords to forget, no security questions to misremember, no phone numbers to verify. Just biometric authentication or a PIN on your device. Companies like Google and Apple are pushing this direction, and it's about time.

In the meantime, if you're building or managing a password reset system, remember this: Your legitimate users shouldn't suffer because you're afraid of hackers. Build real security. Don't build obstacles that punish people for the crime of having a normal human memory.
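The email-link reset the post describes for Netflix is the low-friction shape this advice points at. As an added example (not the post's code and not any named company's implementation), here is the core of such a flow: a random token goes in the email, only its hash is stored, and it is time-limited and consumed on first use. The 15-minute window and the in-memory store are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added example, not from the original post: a minimal email-link reset.
# The token mailed to the user is never stored; only its SHA-256 hash is,
# alongside the user id and an expiry. Redeeming removes the entry, so a
# link works exactly once and stops working after the window closes.

TOKEN_TTL_SECONDS = 15 * 60  # assumed 15-minute validity window

@dataclass
class ResetStore:
    # sha256(token) -> (user_id, expires_at); entries are deleted when used
    pending: dict = field(default_factory=dict)

def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_reset_token(store: ResetStore, user_id: str, now: float) -> str:
    """Generate a URL-safe 256-bit token for the email; persist only its hash."""
    token = secrets.token_urlsafe(32)
    store.pending[_hash_token(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token

def redeem_reset_token(store: ResetStore, token: str, now: float) -> Optional[str]:
    """Return the user id if the token is valid and unused, else None.

    The entry is popped before any check, so an expired or already-used
    token cannot be retried; a 256-bit random token makes guessing the
    dictionary key impractical, so a plain lookup is sufficient here.
    """
    entry = store.pending.pop(_hash_token(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id
```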

And if you're using an online service that makes password resets unnecessarily complicated, you have options. You can complain. You can switch to a competitor. You can use a password manager so you never have to reset passwords in the first place (though good luck getting that to work across all your devices consistently).

One more thing: If you want to understand how companies manipulate you through friction-based design, check out The Grocery Store Self-Checkout Trap: Why Stores Are Blaming You for Their Technology's Failures. It's the same playbook, different industry.

Password resets don't have to be painful. Companies just haven't figured out that respecting user time is actually good business. Yet.