Re-using the same password on different websites is bad for security: if an attacker gets hold of one website's user database and recovers your password from it, they can replay the same email/password pair against your other accounts.
But generating a different password for each website and remembering them all is impossible for a human being 😅. That's why Password Managers like LastPass, Dashlane, 1Password, etc. were created. Their principle is simple: there's a master password that unlocks and manages all the other passwords (should we call the other ones slave passwords then 😜?). Since losing this master password would open the door to all our secrets, each password manager offers its own multi-factor authentication (MFA) to protect it, ranging from time-based one-time passwords (TOTP) to a printed secret key that you carry with you at all times.
These tools are gaining popularity now that users are more and more concerned with privacy, but these users are still a minority. One of the reasons is the difficult and unusual setup process, especially on phones. The good news is that Google and Apple have now integrated their own password managers into Chrome and iPhone/Mac, making the Password Manager concept more accessible to the general public.
So all good, right? Not exactly, because a Password Manager is only half of the solution to the security issue. Let me explain.
There are usually two parts to a login: the username/email and the password. A Password Manager generates and stores a unique password for each site, but your email stays the same everywhere and is not protected at all. Leaking an email address is less catastrophic than leaking a password, but it can still lead to the following consequences:
- unsolicited emails, aka spam
- social engineering: knowing which websites you have accounts on provides enough information for a targeted attack. A shared email address is also what lets an attacker link your accounts across different breached databases.
So what is the real solution? For me, the solution to both privacy and security is to have different personas online: one for professional work (e.g. LinkedIn), one for friends & family (Facebook), one for selfies (Instagram 😄), one for each passion (travel, football, etc.). These personas are totally independent, and knowing one would not reveal the others. The first step toward this ideal world is to have a different email and password for each website.
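To make the difference between the three setups concrete, here is an added example (not code from the original post or from SimpleLogin). It simulates three fictional sites with salted-hash user databases, a breach of one of them, and then what an attacker can do with the dump: crack the weak password offline, replay it against the other sites (credential stuffing), and intersect two dumps by email to link one person's accounts. The site names, the victim's email, the wordlist and the alias domain are all constructed for the example.

```python
"""Credential stuffing and account linking across breaches (constructed example)."""
import hashlib
import secrets

# Fictional sites used only for this example.
SITES = ("shop.example", "forum.example", "bank.example")


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2, the minimum a site should do. The iteration count is
    # deliberately low here so the example runs fast; use far more in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1_000)


def register(site_db: dict, email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    site_db[email] = (salt, hash_password(password, salt))


def login(site_db: dict, email: str, password: str) -> bool:
    record = site_db.get(email)
    if record is None:
        return False
    salt, stored = record
    return secrets.compare_digest(stored, hash_password(password, salt))


def crack_dump(dump: dict, wordlist: list[str]) -> dict[str, str]:
    """Attacker side: guess each record's password offline from a wordlist."""
    cracked = {}
    for email, (salt, stored) in dump.items():
        for guess in wordlist:
            if hash_password(guess, salt) == stored:
                cracked[email] = guess
                break
    return cracked


def credential_stuffing(cracked: dict[str, str], other_sites: dict[str, dict]) -> list[str]:
    """Replay every cracked email/password pair against every other site."""
    hits = []
    for site, db in other_sites.items():
        for email, password in cracked.items():
            if login(db, email, password):
                hits.append(site)
    return hits


def linkable_accounts(dump_a: dict, dump_b: dict) -> set[str]:
    """Account linking: the same email in two dumps ties both accounts to one person."""
    return set(dump_a) & set(dump_b)


def scenario(email_for_site, password_for_site) -> dict:
    """Register the victim on all sites, breach one, and measure the attacker's gain."""
    dbs = {site: {} for site in SITES}
    for site in SITES:
        register(dbs[site], email_for_site(site), password_for_site(site))
    breached = "shop.example"
    # Constructed attacker wordlist; it happens to contain the victim's reused password.
    cracked = crack_dump(dbs[breached], ["123456", "Summer2019!", "password"])
    others = {s: db for s, db in dbs.items() if s != breached}
    return {
        "cracked": len(cracked),
        "stuffed": credential_stuffing(cracked, others),
        "linked": linkable_accounts(dbs["shop.example"], dbs["forum.example"]),
    }


def reuse_everywhere() -> dict:
    # Same email and same weak password on every site: the situation from the first paragraph.
    return scenario(lambda s: "alice@example.com", lambda s: "Summer2019!")


def password_manager_only() -> dict:
    # Unique random password per site, but one shared email (the Password Manager setup).
    return scenario(lambda s: "alice@example.com", lambda s: secrets.token_urlsafe(16))


def alias_per_site() -> dict:
    # Unique random password AND a random email alias per site (the persona setup).
    return scenario(lambda s: f"{secrets.token_hex(6)}@alias.example",
                    lambda s: secrets.token_urlsafe(16))


if __name__ == "__main__":
    for name, run in (("reuse everywhere", reuse_everywhere),
                      ("password manager only", password_manager_only),
                      ("alias per site", alias_per_site)):
        print(name, run())
```

With reuse everywhere, the attacker cracks the one hash and logs in on both other sites. With a Password Manager alone, stuffing fails but the shared email still links the breached account to the forum account. Only the alias-per-site setup leaves the attacker with nothing to chain.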
Apple has understood that and released the Sign in with Apple button earlier this year. SimpleLogin works on the same challenge, starting with emails: users can create random email aliases that protect their true personal email. But email is only the first step; next would be other personal information like age, gender, phone number, address, etc. (Disclaimer: I happen to be SimpleLogin co-founder.)
There's also no setup for these SSO buttons: no additional app to install on the phone, and the master password is usually already handled by the browser or the OS directly.
But the challenge is now adoption. As long as developers stick with the classic username/password form instead of adopting these alternatives, users still need to create their own passwords or rely on their Password Managers. So make sure to ease your users' lives by implementing one of those Social Login buttons 🙏.
Please let username/password rest in peace ⚰️.
Below are some tutorials for adding those social login buttons in different frameworks/languages: