Friends don't let friends use web apps. Aside from privacy concerns, relying on someone else's server functioning and being forced to use whatever the newest "improved" version are all strikes against em. Who needs another login collected by someone else (so trustworthy) that you fill with credentials that will be stolen in a hack revealed a few years down the line? There's never any real consequences for service providers. It's best not to use new web services for anything important.
You can either log-in with Google account (which you most likely already have) or via 2fa mechanism where they send an expiring login link to your e-mail address.
There are no password and therefore nothing to hack.
Having no password doesn't mean it can't be hacked. Maybe Notion won't end up in a haveibeenpwned email, but that only addresses half of a single one out of three of my objections to web applications.
