6. Account and password management

Account management

Creating a secure password is important, but no matter how secure your password is you can still be vulnerable if your account management is lacking.

An example of bad account management would be using the same secure password and email address across multiple accounts. If one account gets hacked and your username and password are stolen, hackers can use that information to then access your other online accounts.

On websites like Spotify, you can conveniently ‘Login with Facebook’ so that you don’t need to create a separate account for every site you use. However, this convenience comes at a cost: every time you use your Facebook login to access another service, you are giving that service access to personal data stored by Facebook. It also means an attacker only needs access to your Facebook account to start getting into every other service you linked to that login. By using the ‘Login with Facebook’ option you are essentially using Facebook as a password manager that remembers your username and password for a number of sites and services.

Ever noticed, after doing some online shopping, that adverts on other websites show items similar to the ones you just searched for? This is your personal data being sold and exchanged in order to target you.

Read No boundaries for Facebook data: third-party trackers abuse Facebook login on Freedom to Tinker.


Password management

Password managers provide a similar level of convenience to “Login with Facebook” but are much safer. A password manager keeps an encrypted database of all your usernames and passwords that only you can unlock with a master password. This means you only need to remember one password to have access to all of your accounts.

Most password managers include the ability to generate secure passwords that you can use for new or existing account logins. Because you only need to remember one master password, you can generate and store a complex, unique password for every account. This way, you are not relying on your memory, or on easy-to-remember passwords, for many different account login details.

[Figure: BitWarden password generator function, showing an example generated password. The generator lets you select the length and whether to include letters, special characters and numbers.]
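As an added example (not from this book and not BitWarden's own code), here is a small generator in Python with the same options as the one pictured: length, letters, numbers and special characters. It draws from the operating system's cryptographic random source (the `secrets` module) rather than a general-purpose random function, guarantees at least one symbol from each selected class, and reports an entropy estimate for the chosen settings. The set of special characters used is an assumption.

```python
import math
import secrets
import string

# Character classes matching the generator options shown in the figure.
# The special-character set is an assumed example, not BitWarden's own list.
CLASSES = {
    "letters": string.ascii_letters,
    "numbers": string.digits,
    "characters": "!@#$%^&*()-_=+[]{};:,.?",
}


def _selected(letters, numbers, characters):
    flags = (("letters", letters), ("numbers", numbers), ("characters", characters))
    return [name for name, on in flags if on]


def generate_password(length=20, letters=True, numbers=True, characters=True):
    """Return a random password built from the selected classes.

    Uses secrets (the OS CSPRNG) so the output is unpredictable, and includes
    at least one symbol from each selected class so that a site's
    complexity rule ("must contain a digit", etc.) is always satisfied."""
    selected = _selected(letters, numbers, characters)
    if not selected:
        raise ValueError("select at least one character class")
    if length < len(selected):
        raise ValueError("length is too short for the selected classes")
    alphabet = "".join(CLASSES[name] for name in selected)
    # One guaranteed symbol per selected class, the rest from the full alphabet.
    chars = [secrets.choice(CLASSES[name]) for name in selected]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed symbols
    # do not always sit at the start of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length=20, letters=True, numbers=True, characters=True):
    """Upper bound on the entropy (in bits) of a password of this length drawn
    uniformly from the selected alphabet: length * log2(alphabet size)."""
    size = sum(len(CLASSES[name]) for name in _selected(letters, numbers, characters))
    return length * math.log2(size)
```

A 20-character password over letters, digits and these 23 symbols has an upper bound of roughly 128 bits of entropy, far beyond anything a person would choose and remember.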

To make website logins easy, most password managers have browser extensions that either fill the required login fields automatically or let you copy and paste the details. Not all websites and apps allow automatic filling or pasting into login fields.

What to consider when choosing a password manager

There are a large number of password managers available. You need to research which service you want to use. Many of these products have reports or blog posts on their site explaining how the product works and what they do to protect your details; for instance, 1Password has a white paper (PDF, 831 KB) going into a lot of depth on their service and mission.

Some points to consider when making a decision:

  1. Are my passwords stored only on my computer, or are they backed up in the cloud?
    • Given the growing popularity of password managers, they are a prime target for a data breach because of the sheer amount of account information they may store. You have to decide between maximum security and usability and convenience. If a password manager stores passwords in the cloud, it usually has a phone app and browser extension that sync across devices. This means your information is sent across the internet so that your other devices can access it, which is less secure than never sending it across the internet at all.
  2. If they are backed up in the cloud, is the information encrypted before or after it is backed up?
    • If the information is encrypted only after it has been backed up in the cloud, then it was potentially sent over the internet as plain text, which makes it a lot easier for attackers to gain access to. The safer design encrypts the data on your own device before anything is sent.
  3. Are there any recorded breaches of the password manager in the past, and how did the service react?
    • LastPass suffered a security breach in 2022. LastPass publicly addressed the breach, explaining how it occurred and what was stolen. This type of communication is important because it allows users to change their passwords, usernames and so on to avoid trouble in the future.

The following list is a mix of open-source and commercial services. Make sure to do your own research and decide which will work best for you:

Licence


Digital Security Copyright © 2023 by The University of Queensland is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.
