We all have many logins for websites and online services. Managing these logins is a problem, especially when we need to maintain unique passwords for each as well as multi-factor authentication. There are many programmes out there that are trying to make us do without passwords, but I do not believe that passwords will be going away any time soon.
What are the options?
The general advice is to maintain a unique login for each account you have online. However, there are many options to manage these logins:
- Using Someone else’s Authentication process (e.g. Your Google, Facebook, Outlook Account)
- Single Sign-on solutions (mostly for enterprises though)
- Device PINs/Passcodes
- FIDO Tokens (e.g. Yubikey)
- Password Managers.
Using Someone Else’s Authentication Process
Using another account to log you into many accounts (e.g. your Google account) means you only have to remember one username and password. The plus points are:
- You can make this a strong password
- Set up multi-factor authentication
- Set up account recovery options
- If you change your password, it is changed everywhere it is used.
The negative points are:
- If this account gets compromised, then so are all your other accounts linked to it
- The parent service (e.g. Google) will be able to track all your logins
- They are a prime target for Phishing/Social Engineering attacks.
You may not notice immediately that your account has been compromised. This would mean that a hacker has open access to your emails, and any linked account. They can also change the authentication process so that they can lock you out of your linked accounts. If that happens to be a shopping account, your online banking account or other financially sensitive account, or an account that contains a lot of personal information then this information can be copied without your knowledge. Don’t for one minute think this won’t be automated by the hacker.
Single Sign-on Solutions
A lot of enterprises use an internal single sign-on process that allows various internal services to use your standard PC/LAN login to access company resources. This means that you don’t have to remember multiple logins, or if you do (e.g. a LAN and a Mainframe login) then they are limited to a few.
In the consumer space using your Google/iCloud/Outlook account to authenticate is also a single sign-on solution, and as such they have all the same vulnerabilities and benefits.
On a company network, the login information is only relevant when you are signed-on to the company network, but once in you can traverse across the company services easily. Therefore you should guard your company login details as much as you do your own.
Most mid-high end smartphones have a fingerprint scanner that allows you login with a tap rather than a passcode/PIN/password. A lot of these solutions require you to initially authenticate using a username and password, but once you have done that and setup the fingerprint scanner you would use your fingerprint to access the device.
Some vendors (e.g. Apple) claim that your fingerprint data is only held on the device and not in their cloud. This is probably the best solution as in order to get into the device you need physical possession and your finger.
Some services will store the fingerprint data in the cloud, which means it can be re-used across multiple devices, but it is vulnerable to attack if the service suffers a data breach.
Fingerprint scanners have also been fooled by 3D-printed copies, which makes them vulnerable to attack. However, you still need access to the device and a good copy of the fingerprint that can be 3D printed. For the average consumer this isn’t a particularly high risk, unless your adversary is law enforcement, who will have your fingerprints on file as part of any investigation.
We also see other bio-metrics in use, for example Iris Scans and Facial Recognition.
Facial recognition can be fooled by using a printed picture of your face. Iris scans are harder to fake due to their complexity, but by no means impossible. They also have some reliability issues and are affected by different hairstyles, makeup and if you wear glasses.
The best facial recognition process I have seen so far uses three factors to determine the identity:
- A Visible Light Camera (e.g. a webcam)
- Infrared camera
- Depth Camera.
This was implemented on Windows as Windows Hello, and the data is only stored on the device. I am not aware of any other process that uses this combination of factors.
Voice is also a means that can be used to authenticate, and is used in the Google Assistant when multiple users are registered for a particular smart speaker.
I have already touched on this above. A PIN that you enter into your device is often local to that device and is not re-used across multiple devices. It can be used in place of a password.
A PIN is normally something like a 4 digit number. This has essentially 11,110 combinations and could be cracked using a brute force cracking system in 11 seconds (or less) in an online scenario (and 0.000000000111 seconds in an offline massive cracking system). However, you often only have a limited number of attempts (say 6) before the device locks down, requiring the manufacturer to unlock it. However, we often choose simple and easy to remember PINs (e.g. year of birth, 1111, 9999). Back in 2012 the most and least popular PINs were studied and published. While old, the underlying premise still applies and these PINs will be the first any hacker tries. Please make sure you don’t use any of these.
A Passcode is more secure as this can use alphanumeric characters similar to a password. A 6 character passcode (e.g. Ab1234) will have 57,731,386,986 combinations and take 1.84 years to exhaust all combinations in a brute force attack in an online scenario (and 0.000577 seconds in an offline massive cracking system). However, you will still have a limited number of tries.
The plus side of a PIN/Passcode is that you need the actual device to gain access. However, if you have re-used the PIN across multiple devices and services (e.g. your ATM PIN) then once determined all others are vulnerable.
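A worked version of the arithmetic behind the figures above, written for this post rather than taken from it: it reproduces the keyspace sizes and crack times from the guess rates they imply (about 1,000 guesses per second online and 10^14 offline, both assumptions), shows how a six-try lockout caps an online attacker's odds regardless of keyspace, and flags the PIN patterns the post warns against.

```python
from datetime import date

# Guess-rate assumptions chosen to reproduce the post's figures: ~1,000 guesses/s
# for an online, rate-limited login; 1e14 guesses/s for an offline cracking rig.
ONLINE_GUESSES_PER_SEC = 1_000
OFFLINE_GUESSES_PER_SEC = 10 ** 14
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
DIGITS = 10                  # 0-9
ALPHANUMERIC = 26 + 26 + 10  # a-z, A-Z, 0-9


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Count every code of length 1..max_len; summing over lengths (not just
    max_len) is what gives 11,110 for a 4-digit PIN and 57,731,386,986 for a
    6-character alphanumeric passcode."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_sec: int) -> float:
    """Worst-case time to try every code at a constant guess rate."""
    return space / guesses_per_sec


def lockout_success_probability(space: int, attempts_before_lockout: int) -> float:
    """Chance of guessing a uniformly random code before the device locks:
    for online attacks the lockout matters far more than the raw keyspace."""
    return min(attempts_before_lockout, space) / space


def is_weak_pin(pin: str, current_year: int = date.today().year) -> bool:
    """Flag the patterns the post warns against: a single repeated digit
    (1111, 9999) or a four-digit code that reads as a plausible birth year."""
    if not pin.isdigit() or len(set(pin)) == 1:
        return True
    return len(pin) == 4 and 1900 <= int(pin) <= current_year


if __name__ == "__main__":
    for name, alphabet, length in (("4-digit PIN", DIGITS, 4),
                                   ("6-char passcode", ALPHANUMERIC, 6)):
        space = keyspace(alphabet, length)
        online_years = seconds_to_exhaust(space, ONLINE_GUESSES_PER_SEC) / SECONDS_PER_YEAR
        offline_secs = seconds_to_exhaust(space, OFFLINE_GUESSES_PER_SEC)
        print(f"{name}: {space:,} codes; online {online_years:.2f} years, "
              f"offline {offline_secs:.9f} s; success within a 6-try lockout "
              f"{lockout_success_probability(space, 6):.4%}")
```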
A few years ago Yubico came out with a USB dongle that you plugged into your device and then provided a one-time passcode to authenticate you. This has since evolved and a set of open standards have been established around this type of device (namely Universal 2nd Factor (U2F) and FIDO2 protocols).
The FIDO standard (Fast IDentity Online) replaces single-factor password-only logins. FIDO2 takes it a step further by allowing users to log onto Internet accounts using on-device biometrics such as Windows Hello or Pixel Imprint for certain applications, or with a pocketable security key, such as a Yubico YubiKey or Google Titan Security Key.
Instead of retrieving a code via text or app, your security key does all the work. When you choose a physical key as your authentication method, your browser or device will ask you to plug in (USB) or hold your USB key nearby (NFC or Bluetooth), then prompt you to touch the sensor on the key to authenticate your login. An attacker would need both your password and your physical key to log into your account on a new device. However, once initially authenticated you don’t need your password for that device or service anymore.
Google has universally adopted such keys for all employees and claims that there hasn’t been a successful social engineering attack on its internal network since.
A lot of devices and operating systems are supporting these open standards and these keys are readily available. However, you have to be careful where you buy them as there have been a number of fakes which offer little, or no, security and can also be used to deliver malware as well as your credentials to remote hackers.
It should be noted that this approach is really just an additional 2nd factor authentication process and does not do away with passwords entirely. You still need to secure that account using 2-factor authentication and a complex/unique password, but that second factor can be this token.
Microsoft are also trying to remove passwords by using their own Microsoft Authenticator. All you need is your Outlook account, activate the MS Authenticator on that account and you will then be asked on your phone to approve the login via the app without the password for any Microsoft service you attempt to use. If you have lost your phone then you can revert to a password and one of the other account recovery processes.
So far I have dedicated this discussion to specialised devices and services that help to remove your need to remember a password, or focus on a single account, for authentication. The fact is that not all online services use these techniques yet. This may come in time, but implementing these services on their websites is not cheap and they prefer to opt for their own solution using an email address and a unique password. At the last count I had nearly 100 such accounts, and this was after a severe pruning process I went through last year where I removed another 80 (ish) accounts.
This is when I started to look into password managers.
Password managers come in various shapes and sizes:
- Provided as part of your web browser
- As a standalone service.
Most web browsers allow you to save login details within the browser, which then automatically fills them in for you. Look for something in the settings pages like “Logins and Passwords” (Firefox), “Passwords and Autofill” (legacy Microsoft Edge), “AutoFill” (Chrome) or “Offer to Save Password” (Chromium-based Microsoft Edge).
If you are dedicated to a single browser on all your devices then this solution is worth looking at. However, this will be limited to accessing websites. You also have to ask yourself whether or not you want Google, Microsoft, Mozilla (etc.) to track all your logins? By the way, they probably are anyway through telemetry.
Another solution is to use a standalone password manager such as LastPass or 1Password. These provide cross-platform capability in the form of browser add-ins as well as standalone apps for your phone/tablet on Android/iOS. They may also allow you to log in to apps.
This is yet another example of a single sign-on service.
If you use one of these services (whether browser based or standalone), you need to secure the account with a strong password and 2-factor authentication. I would also suggest you create an alias on your main email account (Gmail and Outlook allow this, and to a limited extent so does Apple), disable login to the parent service using that address and only use it to access the password manager. Don’t disclose the email address to anyone and it certainly should not be used to login to other websites.
This allows you to lock down the password manager account. If it gets compromised then it is easy to reset the password on your main account and at the password manager’s service.
These services also provide monitoring of data breaches involving one of your logged accounts and notify you if there has been a breach. In some cases they can also automate the changing of passwords.
The positives of using this kind of service are:
- You can make a single strong master password and secure it using 2-Factor Authentication
- Your passwords are encrypted on the service’s systems (or should be – check this before you use such a service)
- Multi-platform and not dependent on using a particular browser
- Often provides account monitoring for data breaches
- Can automate the changing of passwords
- Often provide a complex/random password generation service
- Can auto-login to websites, meaning you won’t need to type/remember the password
- Free, consumer, business and enterprise subscription models are often available.
The negatives of using this kind of service are:
- If this account gets compromised, then so are all your other accounts linked to it
- The parent service will be able to track all your logins
- They are a prime target for Phishing/Social Engineering attacks.
In fact these are exactly the same issues as using your Google/Outlook/iCloud account for the same purpose. The plus side is that if you use a standalone service, this service is likely one of the provider’s primary business offerings. If it were breached, their business would evaporate overnight.
We all need some means to secure our online life. The above suggestions are not all inclusive but do cover the main offerings at the present time.
Hardware tokens like the Yubikey and biometrics are probably the future, but these are not fully supported yet. A lot of other security researchers are investigating alternative methods, and one I have not discussed yet is the one designed by Steve Gibson called SQRL (Secure Quick Reliable Login). This is still early days and I have not seen much take up of this yet on the services I use. If you want to try it out then go to the pages linked to above.
I am not going to recommend a particular service or technology to secure your online credentials. I am also not going to publish exactly what I use in this instance either, as this could open me up to all sorts of grief. Needless to say, I use a combination of different services for specific purposes and these are compartmentalized.
What I have attempted to do in this blog is give you options. In selecting a service you should think about the following:
- Are they genuine? There are a lot of fakes and spoofed services out there that look genuine but are not
- Are you buying the genuine product, especially in the case of a token like the YubiKey?
- What is the company’s pedigree – is this one of their main products?
- Research whether they have had a recent data breach
- If cross-platform capabilities are important, make sure these are supported for all platforms you use
- Do they have account recovery procedures in case of a breach (which should be enabled)?
- Can you backup your password vault by exporting to something like Excel?
Any password management service should be secured using at least 2-factor authentication. My recommendation would be to not use the 2FA service offered by the company as if one gets breached, then they can both be breached.
Password management services offered through a browser are typically free and I guess are a tempting solution for that very reason. However, do you trust the company especially when this is not their primary business? I personally have an inbuilt distrust of Google as they have been very blatant about their data acquisition policies and privacy violations in the past.
LastPass do provide a free option for consumers as well as paid subscriptions. 1Password offer a trial period and then expect you to subscribe. Both offer business and enterprise solutions. These two services are probably the gold standard and I would urge you to look at these first.
In all of these cases you are putting all your eggs in one basket. However, I found a useful quote attributed to Andrew Carnegie in 1885 (although Mark Twain also used it in one of his books):
“Put All Your Eggs in One Basket, and Then Watch That Basket“
In this context the Password Manager or Single Sign-on solution (e.g. your Google account) is the basket and your login details for the many online services you use are the eggs.
If you do export your password list (and I recommend this just in case the password manager stops working or goes offline), then please make sure you encrypt it in some way (an Excel password is inadequate). A simple method is to use something like WinZip, apply 256-bit encryption to the file and then save it on a secure cloud storage service and locally on an external disk/flash drive.
I hope this blog has been useful and please tell me of your experiences either in the comments or by sending a message via our contact form.
Headline image provided by Pexels