As the internet evolved, so did the need for user accounts to access online information and services. Consequently, we have hundreds of accounts, each requiring separate login credentials. This proliferation of digital accounts has led to significant issues and risks:
- Unnecessary requirement for login credentials – not every site needs login credentials, yet we are often still required to create an account. I thought about writing this article many times, and then recently, I needed to sign up to 3 separate sites to benefit from the service offered by a single business. In this case, one user account should have been sufficient. Many sites and services shouldn’t need an account at all.
- Remembering numerous passwords – this is inconvenient and introduces security risks. To remember login credentials, people often resort to using simple passwords, repeating the same password for different accounts, or creating lots of slightly different passwords based on a theme. If a hacker compromises one of your passwords, they could easily compromise many.
- Password vaults – there are many different password management solutions, but these are not always foolproof and often require trust and dependence on third-party services. Password vaults do make the use of long, complex passwords viable.
- Risk exposure – the more accounts you have, the more personal information is stored online, which increases the risk of sensitive data exposure in a breach. Also, more accounts mean more emails and communications from online services, and more time and effort are required to distinguish between legitimate messages and phishing attempts from scammers impersonating services to steal login credentials.
- Privacy – each account will collect and store personal information. The more accounts you have, the more places your data is stored, increasing the risk that site owners will misuse or sell your data or track online behaviour, preferences, and interactions, leading to privacy concerns.
- Attack surface – each account is a potential entry point for cybercriminals. The more accounts you have, the larger the attack surface.
- Time-consuming – managing so many accounts can become time-consuming and distract from more productive activities.
- Blocking cut and paste – storing passwords in a vault makes using long, complex passwords convenient. It is not helpful if site owners block cut and paste and require users to type passwords manually. A more recent change is to measure the time it takes to type a password and reject login attempts that are too quick. This blocks pasted passwords and passwords automatically filled from browser-based password vaults. It is well-intentioned but risks replacing complex passwords with simple passwords.
Practicing good cyber hygiene is essential:
- Use a password vault so you don’t need to remember every password – this makes using strong passwords for each account easy. Be careful whose solution you choose. Make sure you select a reputable vendor.
- Establish an inventory of sites where you have online accounts – using a password vault makes this much more manageable.
- Delete accounts that you no longer need. You will still have an account even if you signed up for an online service using Google, Apple, Microsoft, Facebook, or LinkedIn credentials. In addition to deleting the account, it is also necessary to revoke access to the credentials – i.e., remove the service from the list of third-party sites in Google or other login services.
- Don’t repeat passwords – use a different password for each user account.
- Use Multi-Factor Authentication (MFA) to add security to your online account. The long-term effectiveness of MFA is the subject of much debate, given rapid technological changes and adaptability in cybercrime. The use of MFA is still better than not using it.
- Don’t store credit card details on the sites unless absolutely necessary.
- Avoid using immutable facts for authentication purposes. For example, your mother’s maiden name or the name of your first school will remain the same. Immutable facts are a poor basis for security, but websites and service providers still use them.
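
An added example, not part of the original article: a small Python audit of a vault export that flags the two habits described above, exact password reuse and slightly different passwords built on one theme. The CSV column names (`site`, `username`, `password`), the sample rows, and the `theme_key` and `audit` helpers are constructed assumptions; real vault exports use their own layouts.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample standing in for a vault CSV export (column names are assumed).
SAMPLE_EXPORT = """\
site,username,password
shop.example,alice,Sunshine2021!
forum.example,alice,Sunshine2021!
bank.example,alice,sunsh1ne2023
mail.example,alice,Sunsh!ne#24
news.example,alice,xK9$vQ2m!tLp7@Rz
"""

# Common character substitutions, undone so "sunsh1ne" and "Sunsh!ne" compare equal.
LEET = str.maketrans("013457@$!", "oieastasi")

def theme_key(password):
    """Reduce a password to the word it is built on."""
    # Drop the digits and symbols people append or prepend (years, "!", "#24").
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    core = core.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)

def audit(export_text):
    """Return (reused, themed): lists of site groups. Passwords are never returned."""
    by_password = defaultdict(set)
    by_theme = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text)):
        pw = row["password"]
        by_password[pw].add(row["site"])
        key = theme_key(pw)
        if len(key) >= 4:  # very short keys are too generic to count as a theme
            by_theme[key][pw].add(row["site"])
    # Same password on more than one site.
    reused = sorted(sorted(s) for s in by_password.values() if len(s) > 1)
    # Two or more different passwords that reduce to the same word.
    themed = sorted(
        sorted(site for sites in variants.values() for site in sites)
        for variants in by_theme.values() if len(variants) > 1
    )
    return reused, themed

if __name__ == "__main__":
    reused, themed = audit(SAMPLE_EXPORT)
    print("Same password reused on:", reused)
    print("Variations on one theme across:", themed)
```

Run it only against a local copy of the export and delete that file afterwards, since a CSV export holds every password in plaintext.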

Information security, risk management, internal audit, and governance professional with over 25 years of post-graduate experience gained across a diverse range of private and public sector projects in banking, insurance, telecommunications, health services, charities and more, both in the UK and internationally.