Logging on is becoming too hard to do securely

Unique passwords, unique user names, lie about your personal information, secure your recovery email, two factor authentication, OAuth caching.
ARRGGGHHH, all I want to do is log on.

I can remember the very first time I had an account on a computer and needed a password to control access to it. 1979. This should be old news, but its not.  Lets start with exploring the headline issues…

Strong and Unique passwords

Hopefully by now everyone as understood the importance of strong and unique passwords.
Technology called two factor authentication has been available for a long time to make this easier, but has not been widely adopted; progress is being made with providers like Facebook and Google offering the options of using a one-time password, with the password generated on a secure device, phone app or sent via SMS. But even this does not solve the full issue.

unique user names

This is becoming equally important. If you use the same user name (often your email address) on multiple accounts, it is easy for an attacker to build up an online picture of your accounts, how they are related and use this to gain access to more than one system of yours. Having multiple users names is not easy as the blog article “Challenges with Unique Passwords” explores.

secure your recovery email

Because we are all likely to forget our (unique) usernames and passwords, services helpfully give us a back door to recover access to our account. These either email you something, or ask some personal question such as “Your mother maiden name”.  These email recovery mechanisms, mean access to your email is a primary goal for attackers. As mentioned in my blog “How a strong BYOD password can make identity theft easier“, once an attacker has access to your email, they can use the recovery mechanism to access most of your accounts.
PLEASE, if you do nothing else having read this article, make sure you follow the best practice advice protecting this account.

(Sadly these recovery mechanisms are not always secure themselves, as explored in Revelations of a Password Reset).

lie about your personal information,

When recovering access to a lost password, systems ask questions like please supply “your memorable address”.   Sadly, unless our answers to these are unique too, having a unique username / password does not help. The blog “Your Online Identity: Is it Acceptable to Provide False Information Online?” explores this issue in more detail.

OAuth caching

This is the most concerning part of the story to me…

Like many people, following the twitter attack, I went onto my PC and changed my twitter password.  I expected this to be a bit of a nuisance, as I have several apps on my iPhone and iPad linked to the account, and expected to have to re-enter the password numerous times.
WRONG. I only had to re-enter it on two occasions.
The reason is well documented  due a protocol call OAuth.  The issue is summarised as these apps essentially keep you logged – when you change your password you are not forced to log off.

So, it seems next time I am forced to change my twitter password, I need to revoke all of the apps too – probably good to do every now and again, but a real pain.

The triad

This all points back to the people / technology / process triad.
To be able to log on securely needs good:

• People: We need to help ourselves with providing strong and unique information to log on with – it is not easy.
• Technology: We need systems that better protect our credentials.
• Process: Recovery mechanisms that do not compromise the good practice usernames and password we chose.

Have you experienced any other related issues with logging on securely?  Please leave comments of your experience below.

Finally, now that you have got uniques passwords everywhere – here is your friendly little remind that is time to change them all (don’t get me started on that…).