Thursday, January 28, 2016

Online Account Management

Almost everyone has a bunch of different online accounts these days. Email, social media, banks, shopping, etc, etc. Keeping track of all of the logins is difficult, and it's easy to fall into poor habits. In the 20-ish years since I got started with online accounts (in college), I've gone through just about all of the bad ideas. As technology changed and I learned about better options, I've improved how I deal with all my various login information.
The single worst thing you can do is use a very weak password, like the ones on this annual worst password list. Of course, that's how I started out. I think my very first password ever was "wordpass1", and it was only saved from being "password" because the system wouldn't let me use that.

Only slightly better than weak login information is using the same information everywhere. I had two standard passwords for years: one for "important" accounts like email, work, and banking; and one for everything else, like games and online forums. I'd also choose the same "security questions" on every account whenever possible. This allowed me to 1) remember my passwords and security questions and 2) not need a list of all my accounts, since if the "standard" didn't work on a particular site, I'd know it was a new site and I should create an account. The problem with this approach is that a breach of any one site exposes the shared password (and the shared security answers), and attackers routinely try credentials leaked from one breach against every other popular service, so everything else using that same login information falls with it.

Currently, I use the online password manager LastPass (there are other similar products). This tool requires you to remember a single master password, which unlocks access to your "vault." The vault is encrypted with a key derived from that master password, so what the service stores is the encrypted copy, not your logins in the clear. You put an entry into the vault for each account (web site URL, username, password, even security questions and answers). That takes some work to set up at first, but you can do it over time, as you access the various sites that you use. This allows you to use a different (often completely random) password on each account, change them regularly, and still have no trouble remembering them: all you need to remember is the master vault password. I go a step further with security questions. I select nonsense answers and rely on my vault entry to retrieve them when needed, so anyone trying to bypass my password by answering security questions will have a really tough time, since the answers aren't facts about me that can be looked up. LastPass provides browser plug-ins and an Android app, which make it simple to log into sites without having to manually open the vault and copy the information into the login forms.

That's not to say that using an online password manager is a perfect solution. The master password is the most obvious vulnerability. Mine is fairly long (15+ chars) and consists of multiple unrelated words and numbers. I change it regularly. I also use two-step authentication via Google Authenticator on my phone, so even if someone guesses the password, they'd also have to have my phone (or access to my email in order to turn off the two-step process).

Another vulnerability is the online aspect of the password manager. LastPass itself could be compromised, which puts all my information at risk. I've read about the measures they take to prevent this (a good summary in this blog post) and I'm willing to accept that risk for the convenience that their service provides. For those who would rather not rely on an online service, there are other options, such as KeePass or 1Password, that allow you to keep your data locally. It's a bit less convenient, since you have to share the data between your various devices yourself and make sure it stays backed up (lose the file and you lose every login). But it is more secure against a breach of the provider, since there is no provider holding a copy of your vault; it does nothing extra against malware on your own machine.

In a perfect world, we'd be able to avoid all this mess entirely and rely on something like biometrics to access all of our online services. But that kind of thing is still imperfect and very expensive, no matter how often you may see it on TV or in the movies, and unlike a password, a fingerprint can't be changed if it leaks, so it works better as a way to unlock a device or a vault than as the secret itself. For now, a password manager is the most secure solution that is also practical.