Every once in awhile its good to return to the basics. So much of the technology that we live with seems complicated, but underneath it has a simple foundation that is easy to understand. For example, our moble devices are connected to the Internet by radios. Almost like the walkie-talkies you might have played with if you grew up in my generation. At their foundation, our smartphones are two-way radios.
Understanding the basics of your online security is the topic for today. There are a lot of differences among login pages, and this can be confusing. But at the root of them all is a simple activity called Authentication. And as you might have guessed from your login experiences and the number of data breaches that have occurred, not all authentication systems are trustworthy. Hopefully, this post (and others to follow) will clear up some of the confusion.
Authentication (or 'login' as I call it here) has a sister known as 'authorization.' They're different, but often confused because they are shortened to "auth" when used as slang. The important thing to know is that authentication and authorization serve different purposes for your security. Authorization is about giving or getting the right to access something of value, whereas Authentication is about proving you are authorized to have access. A simple way of thinking about this is authorization should preced authentication.
At its foundation, authentication involves the presentation of certain verifiable information that demonstrates your right to access something that is protected or reserved for you. The information you present are often described as "credentials." For example, your birth certificate, driver's license, and passport are all identity credentials. They identify you in a way that has been verified by another party. And they are issued by an independent authority (this is where the sister authorization appears in the story - but we're not going to talk about her today.)
When it comes to digital authentication, the credentials do not have to be issued by an independent authority, they can be created by you! But credentials should have two important qualities: uniqueness and secrecy. In today's digital economy, the two qualities are sometimes combined in one entry, but this is not a good security practice and I suggest you avoid digital services where they are combined for convenience and look for services that keep them separate (more on that below.)
When you arrive at a login page the guardian of the of information you want to access requests your credentials before they grant access. Online, this occurs through at least two fields (assuming you have already signed up for an account or access privileges - there's that sister authorization showing up again!) One of the fields confirms your identity (the uniqueness quality) and the other field (usually a password field) requests the secret credential. Authentication is a big word for the simple act of comparing your credentials with those stored by the guardian. If there is a match, then all is good and you're in!
SIDE NOTE: For logins, identity is usually determined by your email address or username because either one must be unique. When you create an online account and provide a username, you may have found that it was already in use and you had to create a different one. That's because usernames must be unique.
4 Tips for Simpler Login Security
Login is pretty simple, or at least it was 30 years ago. But with the global reach of the Internet and a digital economy of online transactions, there are a lot of security risks with the simple act of login. And some security professionals have made it very complicated and frustrating (more on that in the future.) The way in which login credentials are created, entered, transmitted, stored, and authenticated can include vulnerabilities that destroy the intended security. So here are a four simple tips for basic login security:
Make sure that the login page is the right one. Does the URL in the browser match the domain you expected to see? If not you could be exposed to a phishing attack or malware.
Make sure that the login page uses a secure protocol for the data you enter. You'll want to see "https://domain.com" instead of "https://domain.com" (the 's' after 'http' is important!) Most modern browsers now warn users if a site is not on a secure protocol. And you may observe that modern browsers also use red and green in the address bar to indicate security of the site that you are using. If you see red, avoid using that site for login.
For better security, I suggest you setup your accounts with a username (if you created one for the account) instead of an email addresses for the first field on a login page. While both confirm your identity to the site (the guardian and authenticator) and neither of them need to be kept secret (because they're only providing the quality of uniqueness), your email address has greater public exposure than a username would, so a username provides a little extra security (assuming it has not already been exposed in a data breach somewhere.)
Last tip (this is where most of the problems and pain appear for users and businesses) Create a strong password that is not guessable. Many security problems begin with weak, stolen, or misused passwords. Don't give in to the temptation to use "password" or "123456"; you can create a strong password that is simple to remember. Here's a convenient method: Visit your favorite digital news site and choose a headline from their page. Then choose a word position from the headline (for example, choose the 1st headline and 1st word of 5 characters or more). Now alter that word by adding, removing, or replacing one or more letters. Because you need to remember this, I suggest you keep it fairly simple and not make too many alterations. Be creative, but keep it simple so you can remember it. Now use that for your password. (Spoiler Alert: in a future blog post, I'll tell you how this technique can be even easier and stronger for your security)
There's more to cover on the topic of Login practices and tips, but I'll leave that for future blog posts. Look for Login 102 in the coming weeks, when I'll talk about:
How credentials should be received and authenticated by the authenticator*
What the user and authenticator must guarantee for security
Bad habits and Fails to avoid
How to avoid them
Password Hopping™ - Tip 4 on Steroids!
If Tip 4 above helped you remove some password pain and simplify your login experience, then you'll want to consider a more powerful version of Tip 4 called password hopping™. Password hopping™ is Tip #4 on steroids. What makes it so powerful is its automatic creation and replacement of short-lived passwords that are simple and easy to remember. To try password hopping™ for free (and at no risk to your accounts or passwords!) click on the "Demo Password" button in the page header (navbar) to sign up. Please leave a comment to let us know about your demo experience when you're through.
hopr is on a mission for simpler and more secure login for users and businesses. If you have thoughts on how to help or comments on this blog, please leave a comment below.