Whether it’s for work or personal use, the average person spends half of his or her day online. As such, people are managing and maintaining more and more online accounts, but the way we log in and protect our information hasn’t changed much over the years.
Usernames and passwords are still the most prevalent way to gain entry into a personal account, but is it the best way?
If you’re reading this article, you may be familiar with some of the challenges that traditional usernames and passwords cause. The truth is that passwords aren’t very secure, especially since many users continue to use weak and compromised credentials.
Further, organizations don’t enforce effective password creation guidelines, instead favoring ease of use over security. The ideal login process should be both secure and user-friendly.
While we’re not at the point where we can eliminate the password entirely, there are ways you can move your login process in the right direction, making it more convenient and secure for your users.
We’ll cover seven modern ways to optimize your password and username login process:
- Let users see their password (if they want to).
- Make modern two-factor authentication available.
- Notify users of suspicious behavior.
- Limit the number of password and username login attempts.
- Ditch modern password strength checkers.
- Update your modern password and username login standards.
- Eliminate the need for a new password and username.
1. Let Users See Their Password (If They Want To)
When it’s time to log into our account, we’ve all experienced entering our password only to see a few dots appear on the screen. Replacing the characters with dots is a process that most websites use to keep your credentials secure from wandering eyes, but it also leaves more room for error.
Since users aren’t able to see if they’ve made any mistakes, they’re more likely to create a simple password to avoid getting it wrong.
Think about it like this: with a long, complex password, you’ll have to hope that you get all the characters right or you’ll have to retype your credentials all over again, which could make the login process very time-consuming.
Instead of encouraging users to create “easy” credentials, why not give them the option to show their passwords?
This would allow users to double-check that their passwords are error-free not only when they log in but also as they create a new account. Additionally, users should be able to disable the feature in situations where they don’t want to show their password.
Users gravitate toward simple passwords, partly because they’re easy to remember but also because they don’t want to risk typing the wrong thing.
With the option to show their password, users can input their credentials more accurately, saving them time. Plus, it will eliminate some of the obstacles that keep users from creating stronger credentials.
Takeaway: Give your users the option to see their passwords so there is less room for error when entering complex credentials.
2. Make Modern Two-Factor Authentication Available
We can’t stress it enough: passwords are becoming obsolete and organizations need to work on ways to secure information that doesn’t rely on user-generated credentials.
Modern security methods like two-factor authentication are the solution. These login methods provide a second layer of security by verifying the user’s identity twice.
Many websites have already made this an option for users. For example, when a user signs into their Gmail account (with two-factor authentication enabled), the individual will be asked to enter a five-digit code that was sent to his or her mobile device.
Essentially, two-factor authentication requires users to log in twice:
- During the account creation process, users will be asked to link their accounts with a cell phone number.
- When users want to enter their accounts, they will log in with their username and password.
- Afterwards, the system will send a text message with a unique code. The user will have to enter the code to access their account information.
This extra layer of security makes it difficult for unauthorized users to enter your account. Even if a hacker is able to crack your password, the person will also need access to your cell phone to complete the process.
While the process does take an additional step, more users are realizing that online security should be at the forefront of the login process.
Takeaway: Two-factor authentication adds another layer of security to the modern password and username process. Even if a user’s password is compromised, hackers will have a difficult time entering the account.
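The server-side half of the code-by-text-message flow described above, as an added example that is not code from the original article or from any product it mentions. It issues a short-lived one-time code after the password check succeeds and verifies it once, with an expiry, a cap on wrong guesses, and a constant-time comparison; the SMS gateway is simulated by a list, and every name, constant and the 6-digit code length here are assumptions rather than anything the article specifies.

```python
# Added example (not code from the original article): a server-side
# second-factor code issuer/verifier for the SMS-style flow described above.
# Sending the SMS is simulated; every name and constant here is an assumption.
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # constructed: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # constructed: wrong guesses allowed before the code is voided


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int = MAX_CODE_ATTEMPTS


class SecondFactor:
    """Issues one-time codes after a correct password and verifies each code once."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable so expiry can be tested
        self._pending: dict[str, PendingCode] = {}
        # (phone, text) pairs; a stand-in for a real SMS gateway
        self.sent_messages: list[tuple[str, str]] = []

    def issue(self, username: str, phone: str) -> None:
        # secrets (not random) so the code is unpredictable; 6 digits, zero-padded
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = PendingCode(code, self._clock() + CODE_TTL_SECONDS)
        self.sent_messages.append((phone, f"Your login code is {code}"))

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False                         # nothing outstanding for this user
        if self._clock() > entry.expires_at:
            del self._pending[username]          # expired codes are discarded, never reused
            return False
        # compare_digest keeps the comparison time independent of where a mismatch is
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[username]          # single use: success consumes the code
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self._pending[username]          # too many wrong guesses voids the code
        return False
```

The user must re-enter the password to obtain a fresh code once a code has expired or been voided, which is what keeps a stolen password alone from being enough.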
3. Notify Users of Suspicious Login Behavior
Helping users should be your number one priority, and letting them know when you suspect that their accounts might be compromised is a great way to establish trust.
By notifying users early, you can prevent more accounts from becoming compromised and keep their sensitive information safe from unauthorized users.
As such, users should be informed of a potentially compromised account if:
- There have been multiple login attempts to their account in a short period of time.
- Your organization experienced a data breach.
- Significant changes have been made to the user’s account settings.
- A password change request has been made.
- An account password has been changed.
The best way to notify users is through their linked email address or via text message if they have a mobile phone linked to their account. That way, users can get the notification quickly and take the necessary precautions to secure their accounts.
In addition to notifying users, you should also provide them with steps to make their accounts more secure. You can suggest that the user:
- Change their credentials using up-to-date guidelines on what makes a secure password.
- Use two-factor authentication if your website offers this service.
- Update the passwords for other accounts connected to this one.
If you suspect that a user’s account is at serious risk of exposing their sensitive information, you can also place a hold on the account until you’ve received additional authentication from the user.
By being overly cautious with your users’ information and monitoring the changes that are being made, any unauthorized access can be nipped in the bud before the hacker causes serious damage.
Plus, you’ll be able to establish trust with your users by showing them that you’re putting security first. Not only will this help make your product or service stand out, but it will also decrease the odds that your company becomes the victim of a data breach.
Takeaway: Users should know about any suspicious activity so they can act quickly to strengthen their accounts’ security. Use text messages and email to keep people up-to-date.
4. Limit the Number of Password and Username Login Attempts
One of the strategies that hackers use to crack a password is called a brute-force attack. Basically, this means that the hacker will use software to run through every password combination until it gets a match.
Since these computer programs can run through billions of guesses every second, the process can take anywhere from a couple of minutes to several years depending on the strength of the password in question.
If your website doesn’t have any restrictions on the number of times a user can attempt to log in, this makes the hacker’s job much easier.
Therefore, your organization should set limits on the number of login attempts, password reset requests, and two-factor authentication requests (if applicable).
In order to implement this strategy, you’ll need to come up with a few standards on when to restrict access to an account or to take additional steps to prevent malicious behavior on your site.
Here are a few things you should keep in mind:
- Give users a maximum of 5 password guesses per minute. Let’s face it: we’ve all forgotten our password and sometimes we need a couple of tries to get it right. However, this limitation will flag hackers using computer programs to make billions of guesses per second. After the first 5 attempts, block the account for 10 minutes.
- Restrict the number of guesses for an IP address to 20 per minute. The limit for IP addresses should be higher because shared offices can use the same IP address and have multiple users trying to log in on your website. If you notice a high volume of login attempts from the same IP address frequently, you might need to make the executive decision to block that IP.
- Accept a maximum of 2 password reset requests per account and 5 per IP address. Giving users more opportunities to reset their password can lead to less secure accounts. For instance, a hacker may make several requests to determine which email is linked to the account.
Of course, these are just suggestions. Your organization may need to adjust these guidelines to fit your specific needs.
As an added step, if an account is blocked for any of the reasons above, it’s important to send the user an email notifying them of the situation. That way, if the attempts weren’t made by your users, they can take the next steps to protect their accounts.
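A login throttle that applies the limits suggested in this section, as an added example that is not code from the original article. The thresholds (5 guesses per account per minute followed by a 10-minute block, 20 per IP per minute, 2 password reset requests per account and 5 per IP) are the article’s; the class, method names, the one-minute window used for reset requests, the injectable clock and the notification list that stands in for the email to the user are all assumptions.

```python
# Added example (not code from the original article): a login/reset throttle
# implementing the limits suggested above. The clock is injectable so the
# behaviour can be tested without waiting; `notifications` stands in for the
# email the text says should be sent when an account is blocked.
from __future__ import annotations

import time
from collections import defaultdict, deque

# Thresholds from the article; the window for reset requests is an assumption.
ACCOUNT_LOGIN_LIMIT = 5        # guesses per account per minute
ACCOUNT_BLOCK_SECONDS = 600    # then block the account for 10 minutes
IP_LOGIN_LIMIT = 20            # guesses per IP address per minute
RESET_LIMIT_ACCOUNT = 2        # password reset requests per account per window
RESET_LIMIT_IP = 5             # password reset requests per IP address per window
WINDOW_SECONDS = 60


class LoginThrottle:
    def __init__(self, clock=time.time):
        self._clock = clock
        # key -> timestamps of recent events for that key (sliding window)
        self._events: dict[tuple[str, str], deque[float]] = defaultdict(deque)
        self._blocked_until: dict[str, float] = {}
        self.notifications: list[str] = []   # stand-in for emailing the user

    def _count(self, key: tuple[str, str], window: int = WINDOW_SECONDS) -> int:
        """Record one event for key and return how many fell inside the window."""
        now = self._clock()
        q = self._events[key]
        while q and q[0] <= now - window:    # drop events older than the window
            q.popleft()
        q.append(now)
        return len(q)

    def allow_login(self, account: str, ip: str) -> bool:
        """True if a password check may proceed; False if throttled or blocked."""
        now = self._clock()
        if self._blocked_until.get(account, 0.0) > now:
            return False                      # account is inside its 10-minute block
        if self._count(("ip", ip)) > IP_LOGIN_LIMIT:
            return False                      # too many guesses from this address
        if self._count(("acct", account)) > ACCOUNT_LOGIN_LIMIT:
            self._blocked_until[account] = now + ACCOUNT_BLOCK_SECONDS
            self.notifications.append(
                f"{account}: login blocked for 10 minutes after too many attempts")
            return False
        return True

    def allow_reset(self, account: str, ip: str) -> bool:
        """True if a password reset email may be sent for this request."""
        ip_ok = self._count(("reset-ip", ip)) <= RESET_LIMIT_IP
        acct_ok = self._count(("reset-acct", account)) <= RESET_LIMIT_ACCOUNT
        return ip_ok and acct_ok
```

Call `allow_login` before checking the password, not after, so that rejected attempts are counted whether or not the guess was right; the per-account block is recorded once and the notification fires only when the block begins, which matches the advice to email the user when an account is locked.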
Takeaway: By limiting the number of login attempts per account, you can make the job much harder for hackers trying to gain access.
5. Ditch Modern Password Strength Checkers
A popular way for users to test the strength of their passwords is through online checkers like How Secure Is My Password, Password Meter, and My1Login. Often, you’ll see similar tools on websites when you create a new account.
Users can type their passwords into the tool and have it rated on a scale of very weak to very strong. Sometimes checkers measure strength using the time it would take to crack the password.
Unfortunately, these tools can be inconsistent in their results or use outdated password security standards, providing users with a false sense of security.
As you can see in the image above, some passwords that are considered strong or okay are actually very weak. This occurs because there is no set standard on what makes a secure password.
Additionally, many of the password checkers include standards like:
- Include at least one uppercase letter.
- Use numbers and symbols.
- Create a password of up to 8 characters.
These requirements can lead to very formulaic passwords like “Jessica1234!” that are quite easy for hackers to guess.
Instead of using specific requirements like this, companies should focus on providing users with universal strategies to make their passwords stronger.
Takeaway: Password strength checkers aren’t the best way to judge security because they’re inconsistent and encourage users to create credentials that follow a guessable pattern. Organizations should focus on educating users about strong passwords rather than enforcing complexity guidelines.
6. Update Your Modern Password and Username Login Standards
As we mentioned in the last section, password checkers aren’t the best way to judge the strength of your account credentials. So what can you do to encourage users to create better passwords?
First, your organization needs to stay updated on current password security recommendations. As new password cracking technology is created, these recommendations will change.
Instead of giving users a set of requirements that must be included in their password, provide a few recommendations based on the most updated information.
For instance, The National Institute of Standards and Technology (NIST) often publishes new password security guidelines. Here is what their latest report suggests:
- Websites shouldn’t require users to change their credentials frequently.
- Users should create random passwords, as they’re more secure.
- Longer passwords should be encouraged.
- Organizations should no longer enforce composition rules like adding an uppercase letter, number, etc.
In addition to these guidelines, organizations should also run any new passwords through a system that checks for the most commonly used passwords and credentials that have already been breached.
For instance, if a user tries to create an account using the password “123456,” the system will tell the user to choose a different password.
A shocking 98% of accounts can be accessed using 10,000 of the most common passwords. By preventing users from creating accounts with these passwords, you’re encouraging them to make stronger credentials.
If you decide to implement this type of screening method, you’ll have to determine how many passwords you’re going to include on your list.
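The screening step described above, as an added example that is not code from the original article: a candidate password is normalized and looked up in a denylist of common and breached passwords, and the only other checks are a length floor and ceiling and a check that the password does not contain the username. There are deliberately no composition rules. The denylist here is a small constructed stand-in for the list an organization would load from a file; the minimum length of 8, the maximum of 64 and the username check are assumptions drawn from NIST’s guidance rather than values stated in the article, and all function names are made up.

```python
# Added example (not code from the original article): screening a candidate
# password against a denylist of common/breached passwords plus the NIST-style
# checks the section recommends. The denylist is a constructed stand-in; the
# length bounds and the username check are assumptions, not values from the text.
from __future__ import annotations

import hashlib
import unicodedata

MIN_LENGTH = 8          # assumption: minimum for user-chosen passwords
MAX_LENGTH = 64         # assumption: high enough to allow long passphrases

# Constructed sample; a real deployment loads thousands of entries from a file.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "jessica1234!", "letmein"}


def _normalize(pw: str) -> str:
    # NFKC so visually identical inputs compare equal; casefold so case
    # variations of a listed password ("Password") are still caught.
    return unicodedata.normalize("NFKC", pw).casefold()


# Keep the denylist as hashes so the plaintexts need not live in memory or config.
_DENYLIST_HASHES = {
    hashlib.sha256(_normalize(p).encode()).hexdigest() for p in COMMON_PASSWORDS
}


def screen_password(candidate: str, username: str = "") -> list[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    problems: list[str] = []
    norm = _normalize(candidate)
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha256(norm.encode()).hexdigest() in _DENYLIST_HASHES:
        problems.append("appears on the common/breached password list")
    if username and _normalize(username) in norm:
        problems.append("contains the username")
    # Deliberately no composition rules: no uppercase, digit or symbol requirements.
    return problems
```

Returning the reasons rather than a bare yes/no lets the sign-up form tell the user why a password was refused, which is the feedback the section says the system should give.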
Takeaway: Organizations should screen passwords against the most used credentials to prevent users from creating weak accounts.
7. Eliminate the Need for a Password and Username
If your organization wants to take the password and username login to the next level, you should consider password alternatives. While there are several different options, the process works very similarly to two-factor authentication. The only difference is that no password is required!
Let’s take a look at two different types of passwordless authentication.
Email authentication is one of the most universal and cost-effective passwordless login systems to implement as anyone with an email account can use it.
The process works very similarly to websites that let users log in with their Facebook account, so the process is familiar to most users as well.
Here’s how it works:
- When a user wants to enter her account, she will press the “Login” button.
- The action triggers a mailto link, which opens the user’s primary email and generates a pre-written message asking the user to send the email to access her account.
- Once the user hits “send,” the system will verify her identity and grant access to her account.
At @Pay, we use a unique code attached to every email that will verify the user’s identity. If a login attempt is made from a different device or IP address, the system will send the user a text message, which the user must reply to in order to log in.
Essentially, this method prevents hackers from gaining access to your account because they’ll need the credentials to your email account. Even if they get past the first security measure, the system will flag any unusual behavior and request a second authentication method via text message.
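A model of the email login flow described above, as an added example that is not code from the original article and not @Pay’s implementation: each login email carries a unique single-use code with an expiry, and a login from a device/IP pair the account has not used before is held until the user replies to a text message. The mail and SMS gateways are simulated by an outbox list, the ten-minute token lifetime and the device identifier are constructed, and every class and method name is an assumption.

```python
# Added example (not code from the original article or @Pay's system): a
# passwordless email login where each message carries a unique code, and a
# login from an unfamiliar device/IP pair is held until an SMS reply confirms it.
# Mail, SMS and the browser are simulated; all names and constants are assumptions.
from __future__ import annotations

import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 600   # constructed: a login email is honoured for ten minutes


class EmailLogin:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens: dict[str, tuple[str, float]] = {}          # token -> (email, expires_at)
        self._known: dict[str, set[tuple[str, str]]] = {}         # email -> {(device_id, ip)}
        self._pending_sms: dict[str, tuple[str, str, str]] = {}   # email -> (code, device_id, ip)
        self.outbox: list[str] = []   # stand-in for the email and SMS gateways

    def start(self, email: str) -> str:
        """Steps 1-2: user pressed Login; a unique code goes into the email they send back."""
        token = secrets.token_urlsafe(32)           # unpredictable, unique per attempt
        self._tokens[token] = (email, self._clock() + TOKEN_TTL_SECONDS)
        self.outbox.append(f"mailto:login@example.invalid?subject=login&body={token}")
        return token

    def redeem(self, token: str, device_id: str, ip: str) -> str:
        """Step 3: the email arrived. Returns 'ok', 'sms-required' or 'rejected'."""
        entry = self._tokens.pop(token, None)       # single use: the token is gone either way
        if entry is None:
            return "rejected"
        email, expires_at = entry
        if self._clock() > expires_at:
            return "rejected"
        if (device_id, ip) in self._known.get(email, set()):
            return "ok"
        # Unfamiliar device or address: hold the login until the user replies by SMS.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending_sms[email] = (code, device_id, ip)
        self.outbox.append(f"sms to {email}'s phone: reply {code} to approve this login")
        return "sms-required"

    def confirm_sms(self, email: str, reply: str) -> bool:
        """The user's text reply; on success the device/IP pair becomes known."""
        pending = self._pending_sms.get(email)
        if pending is None:
            return False
        code, device_id, ip = pending
        if not hmac.compare_digest(code, reply):
            return False
        del self._pending_sms[email]
        self._known.setdefault(email, set()).add((device_id, ip))
        return True
```

Because the token is removed from the table as soon as it is redeemed, a login email that is replayed later is rejected even inside the ten-minute window, and a device only becomes trusted after the text-message reply, never on the strength of the email alone.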
If you have a cell phone that lets you unlock your screen with a fingerprint, then you’re already familiar with biometrics. From fingerprint, face, and iris scanning to DNA screening, biometrics allows users to gain access to their accounts using their own biology.
Since everyone is unique, biometrics is one of the most secure passwordless login options. Plus, the process is really simple to understand.
With fingerprint authentication, users just have to place their finger on the scanner to access their account or make an online payment.
Despite its many perks and conveniences, this option does have its disadvantages.
First, biometrics is costly to implement and can only be used by people who have a compatible device. To get up and running, organizations have to purchase expensive technology and encourage users to purchase the necessary tools for it to function.
Additionally, recent research shows that replicating fingerprints is possible. By creating a “master print” with traits common to most fingerprints, cybercriminals have been able to gain access to other people’s accounts. Even face scanning technology can be tricked with a high-quality photo.
Lastly, if someone else does gain access to the account, users can’t change their biometric credentials the way they would a traditional password.
Takeaway: With several ways to create a modern passwordless login, your organization can eliminate the need for a password and create stronger accounts.
Hopefully, these tips have inspired you to update your password and username login so that the process is more secure and convenient for your users.
If you want more information on password security, check out these additional resources:
- Benefits of Passwordless Authentication: There are plenty of reasons why organizations should start using passwordless authentication. Learn more about the many advantages with this article.
- Password Security Ultimate Guide: Looking for ways to strengthen your password? This guide has everything you need to know about passwords and passwordless login systems.
- Questions About Passwordless Login Systems: Still have questions about email authentication or biometrics? This article answers some of the most frequently asked questions about passwordless authentication.