Aug 6, 2009

Managing online credentials

Managing one's web credentials is an important topic, and one that bears directly on privacy, particularly on social media sites. Do web users have too many different credentials and find it troublesome to manage them?

There are primarily three ways to 'remember' your credentials:
  1. Use storage and retrieval methods that are at your end:
    • Biometric authentication, e.g., your fingerprint recognized by your computer. Biometric authentication only controls access to your local, individual computer. What happens when there's a software error, for example in your biometric software, or when you move between versions of an operating system, change computers, or are a victim of malware? Or when your computer is damaged? As of now (2009), more ambitious authentication methods such as face recognition are not yet commercialized.
    • Cookies or browser-based storage, which means your username and password are stored on your computer.
    • A password-protected document on a hard drive, or a piece of text saved on another device such as a mobile hand-held.
    • (God forbid) a hard copy, such as a Post-it note stuck to the bottom of your PC.
    • In your head or in your wife's head.
  2. Storage methods that are 'remembered' by the websites you must log into, such as your bank account, social networking sites like Facebook, and/or other subscriptions. Some sites are more careful than others. Nearly all of them use a cookie to keep you logged in once you have signed in; what differs is how they store and check your password on their end (a well-run site keeps only a hashed form of it, never the password itself). Most subscription log-in pages should have a way for you to ask them to email you a new password, but you must get your username right or answer their security questions so that they can send the new password to the correct email address. The better ones will send you a new temporary password (or a one-time reset link) that you must change immediately.

    Many web sites that provide primarily content (such as newspapers or blogs) now post 'share' links to popular social networks like Facebook, but they are relying on those networks to check your credentials.

  3. Store your credentials in a central place on the web, either at a provider like Google or Verisign, or elsewhere.

    One such initiative is OpenID, where a web site agrees to accept a log-in performed by a separate identity provider instead of running its own. Sites that say you can log in using, for example, your Facebook or Twitter credentials work on the same idea, though through those networks' own log-in APIs rather than OpenID. Google has integrated its applications with a single sign-in. Once you log into Google, you can use many (if not all) Google applications such as the calendar, documents, Wave, Feedburner, etc.
The normal progression of a new product's path to market is:
  • introduce point solutions,
  • then offer a 'swarm' of incompatible solutions that don't work together,
  • followed by ones that interoperate, meaning they're not 'native' but do work together,
  • and, finally, after technologies, standards, licensing deals, APIs or open source code have been worked out, and the market is mature enough to support profitable pricing models, we will have 'end to end' or 'universal' solutions.
I hope we've attained the 'swarm' stage for tools to manage credentials. Some strategies that people on the social network have confessed to using:
  • Use the same credentials everywhere. This is ok only if those credentials are 'strong,' meaning a username and password that are hard to guess, and it carries a real risk: if any one of those sites leaks its user list, the same username and password now open every other account you own. There are programs that test how strong a password is, so you don't have to guess at it.
  • Use variants on the same credentials. This is better than 'the same,' but the complexity might make it just as hard to manage as altogether different credentials. You can create 'protocols' for yourself, like those in the paragraph below after 'strong passwords.'
  • Using your browser's 'remember me' is not very secure: the saved passwords are available to anyone who can sit at your computer or to any malware that runs under your account.
  • Many sites now use your email address as a unique username. That is easy to find out or guess. Many people use their ISP's email address, so when they change ISPs it can become a problem (although ISPs have gotten smart and keep those users active instead of deleting those addresses). So, many web sites now rely solely on your password for authentication.
Here are tips on how to create STRONG usernames and passwords:
  • 8 characters or longer; use one or more capital letter(s), one or more number(s), and one or more special character(s) (some authentication software has limitations, such as not allowing a dot or underscore).
  • A good way to make strong passwords is to use the first letters of the words of a song lyric, such as "Oh Say Can You See! 1776", to create the password "Oscys!1776".
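As an added illustration (not code from the original post), here is the lyric-to-password rule above, the post's minimum-strength checklist, and the "some sites won't accept a dot" workaround written out in Python. The phrase and the name "mariatseng" come from the text; the function names are my own.

```python
import string

# Added example, not from the original post: the post's "first letters of a
# lyric" rule and its strength checklist, as runnable code.

SPECIALS = set(string.punctuation)


def derive_password(phrase):
    """Reduce a memorable phrase to a password the way the post describes.

    Each word contributes its first letter, punctuation attached to a word is
    kept, and numbers are kept whole. The first letter is capitalised and the
    remaining letters lowered, matching the post's "Oscys!1776" example.
    """
    parts = []
    for token in phrase.split():
        core = token.rstrip(string.punctuation)   # word or number
        trailing = token[len(core):]              # e.g. "!" on "See!"
        if core.isdigit():
            parts.append(core)                    # "1776" stays "1776"
        elif core:
            parts.append(core[0])                 # "Say" -> "S"
        parts.append(trailing)
    result = "".join(parts)
    return result[:1].upper() + result[1:].lower()


def strength_problems(password):
    """Return the post's strength rules that the password fails (empty list = strong)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def fit_to_site(password, forbidden, replacement="!"):
    """Swap special characters a site rejects (e.g. "." or "_") for one it accepts,
    so the password still contains a special character."""
    return "".join(replacement if c in forbidden else c for c in password)


if __name__ == "__main__":
    pw = derive_password("Oh Say Can You See! 1776")
    print(pw, strength_problems(pw))                 # Oscys!1776 []
    print(strength_problems("mariatseng"))           # the low-tier example fails 3 rules
    print(fit_to_site("Oscys.1776", "._"))           # Oscys!1776
```

The derivation is only as strong as the phrase: a well-known lyric plus a famous year is easy for a cracking program to try, so pick a line that is memorable to you but not to everyone else.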
It's a good idea to build two levels of credentials: high and low. For 'high,' such as access to your online bank account, change the password frequently. You can change only a part of it, for instance from "Oscys!1776" to "Oscys!1778" for the month of August. Bear in mind that changing only the last digits buys little if an old version of the password has already leaked, since the rest is unchanged.

For low-level credentials, such as your subscription to a newspaper, it doesn't really matter that much if someone accesses your account. I make my username and password the same, such as "mariatseng" as the username and the same string, "mariatseng", as the password. Keep that practice strictly to the low tier: if one such site leaks its user list, the reader gets both halves at once, so nothing that holds your money or personal data should share those credentials.

It is critical that you remember the rules (protocols) you made up to create usernames and passwords, such as 'same username and password for magazine subscriptions' but, for important applications, 'email ID as username and patriotic song for password.' It's ok to write your rules down, because whoever is spying still must work out the specifics.

There's lots more to say about this topic, and there are lots of experts, and entire fields of computer science devoted to security and encryption.