2.5 Alternatives to using password managers
Using a password manager makes your life much simpler because, rather than having to remember a multitude of passwords, you only need to remember a single password and the computer does the rest.
But what if you forget that password? All of a sudden all of your passwords are unavailable. And what if your password manager’s data file falls into the wrong hands? You’d better hope your password is strong, otherwise all of your passwords are accessible to an attacker. But, what are the alternatives?
For an increasing number of websites it is possible to use your existing online accounts, such as those provided by Google or Facebook, to register and log in. This approach to managing users’ account details depends on an authentication mechanism called OAuth (i.e. Open Authentication).
This method of checking a user’s identity requires the website to ask the user’s computer for proof that the user’s identity has been authenticated by the OAuth provider (e.g., Google). To obtain that proof, the user’s computer first contacts the OAuth provider, where the user enters their username and password. The OAuth provider then issues a digitally signed token that confirms the user’s identity.
You will learn more about digital signatures in Week 5 of the course, but for now it is sufficient to understand that in this case the digitally signed token cannot be created or modified by anyone other than the OAuth provider. Once it receives the token, all the website needs to do is check that the signature on this token is valid to confirm the identity of the user.
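The exchange described above, as an added example that is not part of the course material: a stand-in provider signs a small token with a private key it alone holds, and the website checks the signature with the provider's public key before trusting the identity inside it. The `Claims` fields, the `example-shop` audience, the user name `alice` and the `Tamper` helper are all constructed for illustration, and Ed25519 is used here simply as one concrete digital-signature scheme. It also shows the two checks a site should make after the signature passes: that the token was issued for this site and that it has not expired.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the hypothetical payload the provider signs: who the user is,
// which site the token is for, and when it stops being valid.
type Claims struct {
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	Expires  int64  `json:"exp"`
}

// Provider stands in for the OAuth provider (e.g. Google). Only it holds the
// private key, so only it can produce a signature that verifies.
type Provider struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewProvider() (*Provider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Provider{priv: priv, pub: pub}, nil
}

// PublicKey is what the website obtains out of band from the provider and
// uses to verify tokens; it reveals nothing that would let a site sign one.
func (p *Provider) PublicKey() ed25519.PublicKey { return p.pub }

// Issue signs the claims and returns "<base64 payload>.<base64 signature>".
func (p *Provider) Issue(c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(p.priv, payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify is the website's side: check the signature with the provider's
// public key, then check the token is for this site and has not expired.
func Verify(pub ed25519.PublicKey, token, audience string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("bad payload encoding")
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("bad signature encoding")
	}
	// A payload not signed by the provider's private key, or changed after
	// signing, fails here before any of its contents are trusted.
	if !ed25519.Verify(pub, payload, sig) {
		return c, errors.New("invalid signature")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, errors.New("bad payload")
	}
	if c.Audience != audience {
		return c, errors.New("token issued for a different site")
	}
	if now.Unix() >= c.Expires {
		return c, errors.New("token expired")
	}
	return c, nil
}

// Tamper changes the subject inside an issued token without re-signing it,
// modelling a modified token; the website must reject it.
func Tamper(token string) string {
	parts := strings.Split(token, ".")
	enc := base64.RawURLEncoding
	payload, _ := enc.DecodeString(parts[0])
	forged := strings.Replace(string(payload), "alice", "admin", 1)
	return enc.EncodeToString([]byte(forged)) + "." + parts[1]
}

func main() {
	p, err := NewProvider()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := p.Issue(Claims{Subject: "alice", Audience: "example-shop", Expires: now.Add(5 * time.Minute).Unix()})
	c, err := Verify(p.PublicKey(), tok, "example-shop", now)
	fmt.Println("genuine token:", c.Subject, err)
	_, err = Verify(p.PublicKey(), Tamper(tok), "example-shop", now)
	fmt.Println("tampered token:", err)
}
```

Note that the website never sees the user's password for the provider account; it only ever handles the signed token, which is the point of the scheme. The audience and expiry checks matter because a valid signature alone only proves the provider issued the token, not that it was issued for this site or is still current.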
So using OAuth can simplify your password management because all you need to remember is the username and password for your account with the OAuth provider. However, just as with password managers, if you forget this password you will no longer have access to any of the accounts. Additionally, if an attacker gets access to this password, they will be able to access all the online systems you are able to access using your OAuth account details.
So while password managers and online authentication services like OAuth can simplify the management of your online accounts, they are not complete solutions.
Often an account will ask you for other information such as your date of birth, memorable information, or answers to security questions. For official websites such as government, banking or airline sites the date of birth needs to be accurate. But for most other sites you can make up your memorable security information so that it cannot be worked out from your social media pages, and the answers could be unique for each website, e.g. mother’s name, first school and favourite pet would be different every time. To keep track of all this information you could use a spreadsheet. To keep this spreadsheet secure it should be stored inside an encrypted folder; for this you could use VeraCrypt. Then you only need to remember a single very strong password for the secure folder.
Next, you will look at another way of improving the security of the authentication mechanisms you use.