Every year, every month, the number of login details we need for the services we use grows: logging on to the computer, iOS, Android, Facebook, Twitter, Instagram, Spotify and Netflix, online banking and another online shop, and another online shop, and another.
If you make it easy for yourself and use the same password for all services, you run a high security risk.
The password is then only as securely protected as the least secure of the services used. Again and again, large amounts of user data, even from large and established providers, fall into the hands of hackers, who then try the captured logins on other services as well. It is therefore strongly advised not to use one password for all services.
Some services allow you to log in via a Facebook account, for example, so that you only have to remember your Facebook login details and can use them to sign in to Spotify as well. This method is also known as "Social Login".
Those who run web applications themselves can benefit from the convenience of social login functionality more easily than most people think. Mainetcare develops web apps with corresponding login options based on Laravel Socialite. This makes it possible to log in with accounts from Facebook, Twitter, LinkedIn, Google, GitHub, GitLab and Bitbucket.
This is convenient, but in principle what was said above applies: a password for several services also opens up several services to misuse if it falls into the wrong hands. In addition, when using the Facebook account as a login service, one must also be aware that further information about one's activities and interests will flow to the data-hungry social media provider.
The clean and safe way is to choose a specially selected secure password (What is a secure password? A topic in itself, to be dealt with elsewhere) for each access. But how are you supposed to remember all that?
A secure and user-friendly solution is offered by password manager programs that store passwords and other access data securely in encrypted form. There is a selection of such programmes for every device and operating system. (1). Those who choose a solution from among these programmes under an open source licence do not have to pay anything and, on top of that, have a potential plus in terms of security. Open source security software allows the community to test the security functions on the source code, which usually brings any security gaps to light quickly.
With a password manager, you simply store all access data centrally and only have to remember the login data of the manager itself. Depending on the software, the access data is stored in an encrypted database either locally on the device or in the cloud, which has the advantage that you can reach your access data from several devices.
Many of the programmes also help you enter the data in the corresponding input fields, so that you no longer have to type or copy and paste, but the login is virtually automatic with a tap or keystroke.
Particularly when it is primarily a matter of managing online access data, a password manager can also be used as a browser add-on. Here, too, there are various offers for every common browser (2). Or you can go directly to a web-based solution like 1password.com (3), which in principle makes it possible to access the data from any device with internet access simply via the browser.
What if the access data is gone?
The usual way is simply to click the "Forgot password?" link or button that is available almost everywhere. In most cases this triggers the sending of a password newly generated by the provider to a previously registered e-mail address, often together with a link that must be opened within a certain period to activate the new access. Since the password is transmitted over public networks in the process, for additional security you can replace the received password with a new one of your own choosing after logging in.
More and more providers (such as Google and Microsoft) are also starting to make it mandatory, when setting up an account, to define personal questions whose answers are meant to be "unforgettable", such as "The name of my first pet".
Anyone who forgets the password for such an account therefore has, in the answers to such questions, an additional "authentication factor" that ideally cannot be forgotten, and can use it to restore access.
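The reset flow described above (a link that must be used within a deadline, after which the user sets a password of their own), as an added example that is not part of the original article: the in-memory store, the 30-minute validity window, the user name and the use of scrypt for the stored password are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumed validity window for a reset link (not taken from the article).
RESET_TTL_SECONDS = 30 * 60


class PasswordResetService:
    """Token-based reset: the e-mailed token is single-use, expires, and
    only its hash is stored, so a leaked table cannot be replayed."""

    def __init__(self, clock=time.time, ttl=RESET_TTL_SECONDS):
        self._clock = clock          # injectable so expiry can be tested
        self._ttl = ttl
        self._pending = {}           # sha256(token) -> (user, expires_at)
        self._passwords = {}         # user -> (salt, scrypt hash)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def request_reset(self, user):
        """Issue the token that goes into the e-mailed link; never stored in clear."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user, self._clock() + self._ttl)
        return token

    def complete_reset(self, token, new_password):
        """Consume the token; succeed only if it exists and is still valid."""
        entry = self._pending.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return False
        user, expires_at = entry
        if self._clock() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._hash_password(new_password, salt))
        return True

    def verify(self, user, password):
        """Constant-time comparison of a login attempt against the stored hash."""
        if user not in self._passwords:
            return False
        salt, stored = self._passwords[user]
        return hmac.compare_digest(stored, self._hash_password(password, salt))
```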
So what to do?
- Choose a secure password for each access.
- Use a password manager instead of memorising.
- If passwords are lost, replace the automatically generated new passwords with your own.