Last week, Google provided some sage guidance to its users on password protection. These are tips that we hear all the time (well, most of them anyways) but it's surprising how few of us follow these steps across all the websites that matter most to us.
The consumer mindset is also changing. As users get more sophisticated, they're starting to demand two-step verification to better protect their accounts and identities. This is especially evident after a breach occurs. At TeleSign, we have seen opt-in rates for two-step verification increase year over year as consumers get more comfortable and become better educated about the process and benefits.
This is solid guidance for consumers, but companies can do more on their side, too. They can start by implementing systems that force people to choose passwords that are easy to remember, but hard to break.
Your password should be 12 to 14 characters, but not all sites allow longer passwords (or allow you to use spaces and special characters).
Global web properties like Google are also ideally positioned to publish guidelines for developers that strengthen password security. Unfortunately, this does involve some engineering work: changing their source code, running quality assurance tests, and deploying the code. But, it also sends a strong message that these properties care about protecting the identities and online assets of their users.
Enabling Two-Step Verification
As more and more sites, like LinkedIn and Evernote (which launched two-step verification last week), embrace two-step verification, there is growing acceptance that relying only on usernames and passwords just doesn't cut it.
That's why it's imperative for leading web properties to not only offer two-step verification, but to actively and publicly evangelize it. Because two-step verification is usually an optional service for most consumer web properties, its adoption by users has not been immediate or widespread. In light of recent hacks, there has to be a steady drumbeat of education and public service announcements like Google's blog post.
All too often, the only time we hear about two-step verification is during the aftermath of a massive data breach or high-profile attack. And usually it's coupled with the standard corporate apology (I'm paraphrasing, but this should sound familiar):
“Some of our accounts were breached. We're not yet clear on the source of the breach or the total number of accounts that were compromised, but we're asking our users to change their passwords. We have immediate plans to strengthen our user security, including rolling out two-step verification.”
This has to change. And thankfully, it is… slowly.