The average German internet user has 15 different accounts. Some of them he created because he wanted to, others he was forced to create more or less. And every single one of them is normally protected by a password. Of course, the user is lazy and therefore he is using every time the same password. At least since the major security breaches at Yahoo, LinkedIn and Tumblr you see what are the consequences. The leaked email-password combinations were used to try them at others services on a large scale and with an astonished high hit ratio accounts could be compromised.
Obviously, the question is how can this be prevented best. Additionally, there are two basic conditions that do not make this easier. For one thing, more and more services insist that the password of the users has to follow specific rules (special characters, numbers, minimum length, …). For another thing, the user should never use the same password at multiple services. Both conditions are very reasonable advices. But can you really expect from the user to remember 20 different and very complex passwords?
You can of course write down all passwords on a sheet of paper. This might be good enough to get by as long as you are not pinning this paper direct on the computer. But you will have difficulties if you are out and about. Especially if you are not using your own computer like in an internet café.
2FA as supplement to passwords
A quite good addition to the common password authentication is the two-factor-authentication. With this one another, as independent as possible factor will be introduced, for example an SMS that is send to your mobile with a one-off code. This method is not completely secure especially if you use the same mobile for entering the code that also received it. But it is sufficient for the above described scenario. The catch is that this is not implemented particularly by smaller providers. While Microsoft, Google or Facebook integrated respective mechanisms for their user base for example Ebay has no such thing. At the same time, you do not have to take the SMS that causes costs on your end. The time-based one-time password algorithm is not causing recurring costs and for the most common programming languages there are corresponding libraries.
The users cannot be made responsible alone but again the providers have to act. Beside of security actions like 2Fa they have to take care that there is a limitation in the login procedure. Furthermore, it is a matter of course that stored passwords in the system are hashed (From personal experience I know systems were the passwords are stored in plaintext or only hardly encrypted.). And maybe the providers have to be forced to introduce 2FA (or similar measurements). To force the user to use more and more complex passwords cannot be the right way on the long run. Security has to be convenient and sometimes you have to make compromises to make it easy to use. Otherwise the user will look into workarounds with which they remove their security.
1 Comment