Password Security

GEEK FREE
By Joe Callison
7 August, 2019

A friend recently asked what I thought about signing into a site using your Google or Facebook account credentials rather than creating an account for that site. I have not chosen to do that myself because of concerns about the data that could be shared between the sites and what they might do with it. It got me thinking that maybe it would be good to do some research on this and other password security questions that frequently come up. Let’s look at four common questions:  

Should you use Facebook or Google to log into other sites?
Websites often have an option to login using a Facebook, Google, or other social networking account. While this is tempting for the convenience of not having to create yet another account with username and password to remember, think about why they would want you to do this. What is in it for them? Each account that you link together provides more personal data that is available for their use in building a user profile for targeted advertising or maybe even to sell to others. It also increases the risk of having your account hacked, since the security of multiple websites is involved. If any one site is hacked, all of the linked sites are then accessible using the hacked credentials. My recommendation is to not use this method of logging in. You can read further on the subject in this linked blog article:
https://www.techlicious.com/blog/should-you-use-facebook-or-google-to-log-in-to-other-sites/

Should you allow your browser to save your passwords?
I have done this myself for some passwords, but not for any important websites such as banking, retirement or investment accounts and medical accounts. I have only done it if the browser or Windows protects the passwords from being shown without entering my credentials, or so I thought. The following linked article explains how easy it is to just inspect the code in your browser page for the password field in the website login and change the type from “password”, which is when it just shows dots, to “text”, which will show the readable password. Malware planted on your computer could also use this method or other password stealing code to obtain your passwords.
https://www.techrepublic.com/article/why-you-should-never-allow-your-web-browser-to-save-your-passwords/

How secure are password managers?
We know that password managers are not a perfect solution, as even they have been hacked, but as explained in the following linked article, for now they provide convenience at a relatively low risk for some people. My main concern for using this method is how often I have encountered people forgetting or losing a current password and not being able to recover it. Losing the master password for a password manager could greatly magnify the problem unless extra precautions are taken.
https://www.washingtonpost.com/technology/2019/02/19/password-managers-have-security-flaw-you-should-still-use-one/?noredirect=on

How secure is two-factor authentication?
Two-factor authentication is becoming more common. I encounter it frequently when accessing certain financial, medical, and government websites that I have accounts with. It is becoming an option on more and more websites to receive a code sent by text to your phone, and that is the method I typically use when additional authentication is required. There are many other flavors of two-factor authentication, and some are more secure or more reliable than others. The “something you know” method is usually the weakest because it often uses personal information that is easily obtainable from public records or social media if it is truthful. Making something up is far more secure, but then you have to be able to remember your lie! The code sent by text to your phone or a physical USB key with encrypted code, such as the YubiKey for websites that support it, are probably the best methods available at this time. You can read further on the subject at the following link:
https://blog.malwarebytes.com/101/2018/09/two-factor-authentication-2fa-secure-seems/

In summary, I like what one of the articles said about no method being perfect, but you don’t want to be the low-hanging fruit!