06.11.2020

Website maintenance
Access data under control

Access data under control

Every year, every month, the number of login details we need to use certain services grows: Logging on to the computer, iOS, Android, Facebook, Twitter, Instagram, Spotify and Netflix, online banking and another online shop - and another online shop and another.

If you make it easy for yourself and use the same password for all services, you run a high security risk.

The password is then only as securely protected as the most insecure of the services used. Again and again, large amounts of user data, even from large and established providers, fall into the hands of hackers who then test the misuse of the captured logins in other services as well. It is therefore strongly advised not to use a password for all services.

Some services allow you to log in via a Facebook account, for example, so that you only need to remember your Facebook login details to log in to Spotify, for example. This process is also known as "social login".
Those who run web applications themselves can benefit from the convenience of social login functionality more easily than most people think. Mainetcare develops web apps with corresponding login options based on Laravel Socialite. This makes it possible to log in with accounts from Facebook, Twitter, LinkedIn, Google, GitHub, GitLab and Bitbucket.

This is convenient, but in principle what was said above applies: a password for several services also opens up several services to misuse if it falls into the wrong hands. In addition, when using the Facebook account as a login service, one must also be aware that further information about one's activities and interests will flow to the data-hungry social media provider.

The clean and safe way is to choose a specially selected secure password (What is a secure password? A topic in itself, to be dealt with elsewhere) for each access. But how are you supposed to remember all that?

A secure and user-friendly solution is offered by password manager programs that store passwords and other access data securely in encrypted form. There is a selection of such programmes for every device and operating system. (1). Those who choose a solution from among these programmes under an open source licence do not have to pay anything and, on top of that, have a potential plus in terms of security. Open source security software allows the community to test the security functions on the source code, which usually brings any security gaps to light quickly.

With a password manager, you simply store all access centrally and only have to remember the login data of the manager itself. Depending on the software, the access data is stored in an encrypted database either locally on the device or in the cloud, which has the advantage that you can access your access data from several devices.

Many of the programmes also help you enter the data in the corresponding input fields, so that you no longer have to type or copy and paste, but the login is virtually automatic with a tap or keystroke.

Particularly when it is primarily a matter of managing online access data, a password manager can also be used as a browser add-on. Here, too, there are various offers for every common browser (2). Or you can go directly to a web-based solution like 1password.com. (3) which in principle makes it possible to access the data from any device with internet access simply via the browser.

What if the access data is gone?

The usual way is to simply click on the "Forgot your password?" link/button that is usually available. This usually triggers the sending of a new password generated by the provider to a previously stored e-mail address, often with a link that must be used to activate the new access within a certain period of time. As the password is transmitted via public networks, you can replace the password received with a new one of your own choosing after logging in for additional security.

More and more providers (such as Google and Microsoft) are also starting to make the definition of personal questions mandatory when setting up accounts, the answers to which should be "unforgettable", such as "The name of my first pet".

So if you forget your password for such an account, the answers to such questions provide you with an additional "authentication feature" that ideally cannot be forgotten and can be used to restore access.

So what to do?

  1. Choose a secure password for each access.
  2. Use a password manager instead of "remember".
  3. If passwords are lost, replace the automatically generated new passwords with your own.

All other contributions