
With every year, every month, the number of credentials we need for the services we use keeps growing: logging on to the computer, iOS, Android, Facebook, Twitter, Instagram, Spotify and Netflix, online banking, and yet another online shop, and another, and another.
If you make life easy for yourself and use the same password for all services, you take on a high security risk.
The password is then only as well protected as the least secure of the services you use. Time and again, large amounts of user data, even from large and established providers, fall into the hands of hackers, who then try the captured logins on other services as well. It is therefore strongly advised not to use one password for all services.
Some services allow you to log in via a Facebook account, for example, so that you only have to remember your Facebook login data and can use it to log in to Spotify, for example. This procedure is also known as "social login".
Those who run web applications themselves can benefit from the convenience of social login functionality more easily than most people think. Mainetcare develops web apps with corresponding login options based on Laravel Socialite. This makes it possible to log in with accounts from Facebook, Twitter, LinkedIn, Google, GitHub, GitLab and Bitbucket.
This is convenient, but in principle what was said above applies: one password for several services also opens several services to misuse if it falls into the wrong hands. In addition, when using the Facebook account as a login service, one must be aware that further information about one's activities and interests will flow to the data-hungry social media provider.
The clean and safe way is to choose a specially selected secure password for each access (what makes a password secure is a topic in itself, to be dealt with elsewhere). But how are you supposed to remember all of them?
A secure and user-friendly solution is offered by password manager programmes, which store passwords and other access data in encrypted form. There is a selection of such programmes for every device and operating system (1). Those who choose one of these programmes under an open source licence pay nothing and, on top of that, gain a potential plus in security: with open source security software, the community can check the security functions against the source code, which usually brings any security gaps to light quickly.
With a password manager, you store all access data centrally and only have to remember the login data of the manager itself. Depending on the software, the access data is kept in an encrypted database either locally on the device or in the cloud; the latter has the advantage that you can reach your access data from several devices.
Many of the programmes also help you enter the data in the corresponding input fields, so that you no longer have to type or copy and paste, but the login is virtually automatic with a tap or keystroke.
Particularly when it is primarily a matter of managing online access data, a password manager can also be used as a browser add-on. Here, too, there are various offerings for every common browser (2). Or you can go directly to a web-based solution like 1password.com (3), which in principle makes it possible to access the data from any device with internet access, simply via the browser.
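As an added example of what "stored in encrypted form" means in practice (this is not the article's code, nor that of any password manager named here): one master password, stretched with scrypt, protects every entry, and a wrong master password or an altered vault file is detected instead of yielding garbage. The HMAC-SHA256 counter-mode cipher is a stand-in for AES-GCM so the script runs on Python's standard library alone; all function names and sample entries are constructed for this illustration.

```python
import hashlib, hmac, json, os, secrets

# Constructed example, not the article's or any vendor's code: a minimal vault showing
# how one master password is stretched into the key that protects every stored credential.
# scrypt does the stretching; HMAC-SHA256 in counter mode stands in for AES-GCM here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
PASSWORD_ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#$%&*+-=?@_"

def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.scrypt(master_password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudo-random bytes from (key, nonce, counter); a nonce must never be reused with a key."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_vault(master_password: str, entries: dict) -> bytes:
    """Serialise the entries, encrypt under a fresh salt and nonce, then authenticate."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return salt + nonce + body + tag

def decrypt_vault(master_password: str, blob: bytes) -> dict:
    """Return the entries, or raise ValueError on a wrong master password or altered blob."""
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # verify the tag before touching the data
        raise ValueError("wrong master password or corrupted vault")
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))
    return json.loads(plaintext)
def unlocks(master_password: str, blob: bytes) -> bool:
    """True if this master password opens the vault and its contents are intact."""
    try:
        decrypt_vault(master_password, blob)
        return True
    except ValueError:
        return False

def generate_password(length: int = 20) -> str:
    """A fresh random password per service, so one breach does not open the others."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
```

Each call to encrypt_vault draws a new salt and nonce, so two saves of the same vault produce different files while both open with the same master password.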
What if the access data is gone?
The usual way is simply to click the link or button "Forgot your password?" that is usually provided. This typically triggers the sending of a new password, generated by the provider, to a previously stored e-mail address, often combined with a link that must be opened within a certain period of time to activate the new access. Since the password is transmitted through public networks, you can, in the interest of additional security, replace the received password with a new one of your own choice after logging in.
More and more providers (such as Google, Microsoft) are also moving towards making it obligatory to define personal questions when setting up accounts, the answers to which are supposed to be "unforgettable", such as "The name of my first pet".
So if someone forgets their password for such an account, the answers to these questions serve as an additional "authentication feature" that ideally cannot be forgotten and can thus restore access.
So what to do?
- Choose a secure password for each access.
- Use a password manager instead of "remember".
- If passwords are lost, replace the automatically generated new passwords with your own.
Footnotes
(1) An extensive collection of relevant programmes at →Heise Download ...
(2) Password manager add-ons e.g. for →Firefox ... or →Chrome ...
(3) Available at 1password.com