Last week, Google provided some sage guidance to its users on password protection. These are tips that we hear all the time (well, most of them anyway), but it’s surprising how few of us follow these steps across all the websites that matter most to us.
- Use a different password for each important service. If the bad guys steal your username and password from one site, they can then try to use your same credentials across several other sites where you might have an account. So, set up unique passwords for each web service to mitigate the damage if they get access to one of your accounts.
- Make your password hard to guess. In a database of 32 million real passwords that were made public in 2009, analysis showed that only 54% included numbers, and only 3.7% had special characters like & or $. Making your passwords longer or more complicated makes them harder to guess for both bad guys and people who know you.
- Keep your password somewhere safe. Google recommends leveraging the password managers baked into many web browsers or exploring third-party options.
- Set a recovery option. Having an up-to-date recovery phone number or email address is the best thing you can do to make sure you can get back into your account fast if there is ever a problem.
The consumer mindset is also changing. As users get more sophisticated, they’re starting to demand two-step verification to better protect their accounts and identities. This is especially evident after a breach occurs. At TeleSign, we have seen opt-in rates for two-step verification increase year over year as consumers get more comfortable and become better educated about the process and benefits.
This is solid guidance for consumers, but companies can do more on their side, too. They can start by implementing systems that force people to choose passwords that are easy to remember, but hard to break. A password should be 12 to 14 characters, yet not all sites allow passwords that long (or allow you to use spaces and special characters).
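The length-first, special-characters-allowed policy argued for above, as an added Python example (not TeleSign's or Google's code): a restrictive legacy rule of the kind that rejects long passphrases beside a recommended one. The 16-character legacy ceiling, the 128-character upper bound, the two-character-class rule and the deny-list entries are assumptions for illustration, not figures from the post.

```python
import string

# Constructed stand-in for a real breached-password corpus (assumption).
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiop12", "letmein12345"}


def legacy_policy(password: str) -> list:
    """The restrictive rule the post criticises: a low length ceiling and a
    character set that rejects spaces and symbols. Returns a list of violations."""
    problems = []
    if not 8 <= len(password) <= 16:
        problems.append("length must be 8 to 16 characters")
    if not all(c in string.ascii_letters + string.digits for c in password):
        problems.append("only letters and digits are allowed")
    return problems


def recommended_policy(password: str) -> list:
    """Length-first rule: at least 12 characters, a generous ceiling, and any
    printable character (spaces and symbols included) is accepted."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if len(password) > 128:  # assumed ceiling; long passphrases must still pass
        problems.append("longer than 128 characters")
    if any(not c.isprintable() for c in password):
        problems.append("contains control characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # symbols and spaces count here
    ]
    if sum(classes) < 2:  # assumed minimum: rejects "xxxxxxxxxxxxxxxxxxxx"
        problems.append("uses a single character class")
    if password.strip().lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def compare(password: str) -> dict:
    """Whether each policy accepts the password (True = no violations)."""
    return {"legacy": not legacy_policy(password),
            "recommended": not recommended_policy(password)}


if __name__ == "__main__":
    for pw in ["Tr0ub4dor3", "correct horse battery staple!", "123456789012", "x" * 20]:
        print(repr(pw), compare(pw), recommended_policy(pw))
```

The passphrase with spaces is the case to watch: the legacy rule rejects it twice over, while the recommended rule accepts it and instead rejects the short alphanumeric string the legacy rule waves through.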
Global web properties like Google are also ideally positioned to publish guidelines for developers that strengthen password security. Unfortunately, this does involve some engineering work: changing their source code, running quality assurance tests, and deploying the code. But, it also sends a strong message that these properties care about protecting the identities and online assets of their users.
Enabling Two-Step Verification
As more and more sites, like LinkedIn and Evernote (which launched two-step verification last week), embrace two-step verification, there is growing acceptance that relying only on usernames and passwords just doesn’t cut it.
That’s why it’s imperative for leading web properties not only to offer two-step verification, but to actively and publicly evangelize it. Because two-step verification is usually an optional service on most consumer web properties, its adoption by users has not been immediate or widespread. In light of recent hacks, there has to be a steady drumbeat of education and public service announcements like Google’s blog post.
All too often, the only time we hear about two-step verification is during the aftermath of a massive data breach or high-profile attack. And usually it’s coupled with the standard corporate apology (I’m paraphrasing, but this should sound familiar):
“Some of our accounts were breached. We’re not yet clear on the source of the breach or the total number of accounts that were compromised, but we’re asking our users to change their passwords. We have immediate plans to strengthen our user security, including rolling out two-step verification.”
This has to change. And thankfully, it is… slowly.