Imo one key point is missing: Don't give users the option to authenticate via Google or Facebook. While it may be convenient at signup, it creates an unneeded dependency and confusion if you forget how you log into a certain site.
A lot of our users would complain that writing on our product support forum was hard.
Since we added those options, the friction is gone.
People who need help that can be boiled down to "Did you plug it in? Is the battery full? What about turning it off and on again" have a hard time understanding how to register an account. Thinking of a strong password and then figuring out how to click on the confirmation link in their emails is apparently the hardest thing to do.
Sounds like a scenario where that friction would actually be desirable. If they got far enough to file a complaint they can obviously handle it; they're just lazy complainers, which is exactly the type of user I'd rather didn't make it to the support page anyway. Like you said, their problem usually boils down to plug, charge or reset and they were just too lazy to search the knowledge base for basic troubleshooting, something that should be possible without logging in. Them getting in to re-ask an already answered question is just a waste of someone else's time and useless noise on the support forum.
A few years ago there was a glut of articles telling us that we cannot do authentication correctly, and to just offer single-sign-on via Facebook/Google instead.
Now everyone is back to doing their own home-grown, and Facebook/Google authentication is seen as bloat.
> A few years ago there was a glut of articles telling us that we cannot do authentication correctly, and to just offer single-sign-on via Facebook/Google instead.
A few years ago, there was much less understanding of the privacy implications of centralized authentication, and much more trust of big tech companies like Facebook and Google.
So everyone is happy with depending on a password manager? Because having 100 different passwords and having to rotate those isn't going to happen any other way.
Speaking personally: I trust a random password per site more than I trust every site I use to handle my Google credentials correctly. Login with Google seems like it is begging for a phishing attack.
There is no reason anyone needs 100 different passwords and/or those passwords to rotate. This is terrible advice, you don't need it and you shouldn't do it.
As of now, haveibeenpwned hasn't found any breaches connected to my current email address, which I switched to around three years ago. Which is to highlight: Most breached password data is really, really old. A surprising number of breaches come via an email address I was only signing up for accounts on more than six or seven years ago.
Furthermore, most of your accounts don't matter. Things like your email, your bank, your web hosting, need to be secured well. An account you used once to sign up for a newsletter does not. Don't save your credit card info in every single web store you log into, and your security on those accounts doesn't matter either.
Focus your security and your password uniqueness and complexity on accounts that matter, and stop caring about ones that don't. People have reached security overload after being told all of their accounts must be secured, and then offloaded the problem to a bad solution.
That's dangerous advice. Having access to some (or a combination of) "less-secure" accounts could allow an attacker to get enough personal information to escalate privileges through reset fields, social engineering in customer support, or just plain weird interactions between accounts.
Besides, most people have enough "important" logins (social media, email, Amazon, bank(s), computer, cloud accounts), and some have lots, that there's no good reason not to use a password manager. Even with 6 passwords to remember (plus a 7th for all the non-sensitive accounts), it's hard to make them unique enough, and if you end up with a system it's pretty easy to infer the rest of the passwords.
Imagine this scenario: you are an average person. You have 90 accounts each requiring a password [1]. 5 of them you deem sensitive enough to have their own password and 85 of them share a password. One of those 85 is compromised. Now you'll spend all day stressing out whether one of those 85 accounts, in hindsight, is actually something you care about at least to some extent. Desperately trying to remember whether there were any other accounts that you should've secured better. (Anecdotally, this has happened to me before a password manager: I had different logins for important stuff and the same for non-important stuff; it's also happened to most of my friends at some point.)
Or you can use a password manager. Once you do have a password manager, you can go ahead and have unique random logins for everything, there's no extra effort needed. 2FA is another important security measure.
In regards to rotation, I agree, and NIST doesn't even recommend forced rotation anymore [2].
It's a good point; things like forcing rotation are the worst. It doesn't prevent re-using other passwords, and is hugely frustrating.
This is also true for complex password patterns. It's so dumb. Don't make me use special characters, period. Otherwise it's going to be a dollar sign at the end, which is a common pattern, so now the theoretical complexity gains are vastly reduced.
It's also frustrating when I've entered more than the required amount of characters (sometimes a lot more) and your stupid form validation still insists I need more character classes. Why exactly? Stop making password rules suck, if they do, I'll assume your infosec department is completely useless.
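To make the complaint in these comments concrete, here is an added example (not code from anyone in the thread) that puts the two kinds of server-side password check side by side: a "three of four character classes" rule of the kind being criticised, and a length-plus-denylist check in the spirit of the NIST guidance mentioned above (minimum length, no composition rules, no expiry, reject known-bad values and context words). The function names, the tiny denylist and the "strip the bolted-on tail" normalisation are assumptions of this example; the denylist stands in for a real breached-password corpus.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// CompositionPolicy is the rule set the comments complain about: a short minimum
// length plus "at least three of four character classes".
func CompositionPolicy(pw string) error {
	if utf8.RuneCountInString(pw) < 8 {
		return errors.New("too short")
	}
	var lower, upper, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	classes := 0
	for _, present := range []bool{lower, upper, digit, special} {
		if present {
			classes++
		}
	}
	if classes < 3 {
		return errors.New("need at least three character classes")
	}
	return nil
}

// denylist is a constructed stand-in for a breached/common-password corpus.
var denylist = map[string]bool{
	"password": true, "password1": true, "qwerty123": true,
	"letmein": true, "p@ssw0rd": true, "iloveyou": true,
}

// normalize lowercases and drops the trailing digits/symbols users bolt on to
// satisfy class rules, so "Password1$" is looked up as "password".
func normalize(pw string) string {
	trimmed := strings.TrimRightFunc(pw, func(r rune) bool { return !unicode.IsLetter(r) })
	return strings.ToLower(trimmed)
}

// LengthAndDenylistPolicy: length bounds, no class rules, no expiry, and a check
// against known-bad values and context words (username, service name).
func LengthAndDenylistPolicy(pw, username, service string) error {
	n := utf8.RuneCountInString(pw)
	if n < 8 {
		return errors.New("too short: use at least 8 characters (a long passphrase is fine)")
	}
	if n > 128 {
		return errors.New("too long") // generous cap that bounds hashing cost
	}
	if denylist[normalize(pw)] {
		return errors.New("this password, or a trivial variant of it, appears in breach data")
	}
	lower := strings.ToLower(pw)
	for _, ctx := range []string{username, service} {
		if len(ctx) >= 3 && strings.Contains(lower, strings.ToLower(ctx)) {
			return errors.New("password must not contain your username or the service name")
		}
	}
	return nil
}

func main() {
	for _, pw := range []string{"Password1$", "correct horse battery staple", "alice2024!"} {
		fmt.Printf("%-32q composition=%v  length+denylist=%v\n",
			pw, CompositionPolicy(pw), LengthAndDenylistPolicy(pw, "alice", "example"))
	}
}
```

Running it shows the inversion the comments describe: "Password1$" satisfies the composition rule but is a trivial variant of a denylisted value, while a four-word passphrase fails the composition rule and passes the length-plus-denylist check.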
The issue is that password managers are a huge weak point and a significant compromise in your security. Generally password managers have some sort of master password, which unlocks access to all of your other accounts. Why bother setting different passwords for every account if one password unlocks them all anyhow?
Password manager security flaws are also a dime a dozen, and none of them have been without significant flaws at some point or another. None of them are operated by companies with an ironclad reputation for security. And if you don't want to have a lot of issues going from computer to computer to phone, you more than likely will do what many password managers suggest, which is storing your password data in the cloud, which is even more laughable, because now we've secured all of your accounts with a single password, and then put the data that password unlocks out on the Internet where anyone can try to crack it.
Which is to say, if you really want to manage your passwords, don't use a password manager. Use a scrap of paper in your wallet, or a notebook, or a sticky note. Because all of those are vastly less attackable than a password manager, because they require physical access or physical proximity and probably the will and risk of accosting your person to get. Password managers, on the other hand, are somehow both the stupidest security idea we've ever come up with, and the thing that every "security expert" currently recommends ad nauseam. I don't understand it at all.
Now, sure, all those accounts you don't care about, if you want to randomize their passwords and store them in a password manager and say it's "better" than using a handful of common low security passwords, more power to you. I'm going to say you're wasting your time and effort (and probably money), but you're not hurting anything.
The problem is when you entrust that same password manager to your high security accounts like your email, your banking, etc. Accounts that deserve far more security than a single point of failure with some cloud app written by some company that doesn't do much else.
Because that one password is pretty long and secure, and you enter it only on your own machine, into one known binary, nowhere else.
It strikes me as sensible advice.
Connecting your password manager to the browser for auto-fill already compromises the security, granted, but what other flaws have there been otherwise?
I actually totally agree with you. It's insanity. I never made the "jump" to LastPass/BitWarden/etc. because it always left a bad taste in my mouth to have one password that would crack my entire online presence.
I don't think that's true, it's just never been implemented in a way that wasn't bad.
You could, for instance, let people have a public key to identify themselves. Your browser or other client could automatically submit your chosen key for you (or expose a button for you to submit it), then there's a challenge and response, and you're logged in. Your account details are stored with the public key as the id.
My security self hates this idea, because a single point of failure is not a good design. How would the key be revoked if lost? Replaced? This seems to necessitate a CA-type infrastructure (like TLS certs). Not something I'm comfortable trusting any corporation or government with.
If the account is that important to your life, then there is probably other identifying information associated with it: credit card numbers, addresses, etc. Do what you do today when identities are stolen: contact the company, prove you are who you say you are, and they'll let you assign a new key to your profile.
Otherwise, who cares? Gen a new key and get on with life.
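The public-key login sketched a few comments up, and the "assign a new key to your profile" recovery step just described, as an added example that is not code from anyone in the thread: the account id is derived from the user's public key, a login is a signature over a fresh server nonce that is single-use and expires, and the stored key can be swapped while the id stays stable. The server layout, the `loginTag` domain-separation string and the function names are assumptions of this example; the identity proof that must precede a key replacement is out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// loginTag (an assumed value) binds each signature to this purpose so a login answer cannot double as a signature over anything else.
const loginTag = "login-challenge:"

// AccountID derives the account identifier from the public key ("the public key as the id").
func AccountID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:16])
}

// NewKeyPair generates the client's Ed25519 key pair.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

type challenge struct {
	nonce   []byte
	expires time.Time
}

// Server keeps one public key per account and at most one open challenge per account.
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string]challenge
	now        func() time.Time // injectable clock so expiry is testable
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, challenges: map[string]challenge{}, now: time.Now}
}

// Register creates the account. The id is fixed here and survives later key replacement.
func (s *Server) Register(pub ed25519.PublicKey) (string, error) {
	if len(pub) != ed25519.PublicKeySize {
		return "", errors.New("malformed public key")
	}
	id := AccountID(pub)
	s.keys[id] = append(ed25519.PublicKey(nil), pub...)
	return id, nil
}

// Challenge issues a fresh random nonce; it is single-use and expires after one minute.
func (s *Server) Challenge(id string) ([]byte, error) {
	if _, ok := s.keys[id]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[id] = challenge{nonce: nonce, expires: s.now().Add(time.Minute)}
	return append([]byte(nil), nonce...), nil
}

// Verify consumes the open challenge whether or not it passes (no replay) and checks the signature against the key on file.
func (s *Server) Verify(id string, sig []byte) bool {
	c, ok := s.challenges[id]
	delete(s.challenges, id)
	if !ok || s.now().After(c.expires) {
		return false
	}
	return ed25519.Verify(s.keys[id], append([]byte(loginTag), c.nonce...), sig)
}

// ReplaceKey is the "assign a new key to your profile" step; proving identity beforehand is outside this example.
func (s *Server) ReplaceKey(id string, newPub ed25519.PublicKey) error {
	if _, ok := s.keys[id]; !ok {
		return errors.New("unknown account")
	}
	if len(newPub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	s.keys[id] = append(ed25519.PublicKey(nil), newPub...)
	return nil
}

// Answer is the client side (the browser or other client in the comment): sign the tagged nonce.
func Answer(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(loginTag), nonce...))
}

func main() {
	s := NewServer()
	pub, priv, _ := NewKeyPair()
	id, _ := s.Register(pub)
	nonce, _ := s.Challenge(id)
	fmt.Println("login ok:", s.Verify(id, Answer(priv, nonce)), "replay ok:", s.Verify(id, Answer(priv, nonce)))
}
```

The two properties worth noticing are that the nonce is deleted before the signature is checked, so a captured answer is worthless after one use, and that the key, not the id, is what `ReplaceKey` swaps, so the rest of the profile stays attached to the same account after recovery.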
In that case, I don't mind, since that dev tool probably has access to my GitHub account anyway. Like Netlify, which automatically re-deploys the site when the watched repo+branch is updated.
One way I've seen sites mess this up is when they allow me to sign up using a Google account on my Android phone, but don't offer Google login on their web page. Makes for very confusing UX!
If a service offers multiple ways to authenticate a single account, I don't see much problem with it. Google killed their standards-based logins? No problem, use one of the other providers you've linked the account with.