We spend more of our time online than ever before. To get most anything done, we have to create new accounts on all kinds of websites constantly. The necessities of website authentication can’t be avoided, but the specific ways in which we log in haven’t changed very much over the years.
Usernames and passwords are still the most common way we gain entry to our online accounts, but is it the best way?
(The answer is no, but we won’t get into that yet. We’ll walk through some innovative login solutions at the end of this article.)
The truth is that traditional username/password logins aren’t very secure, especially since many users continue to use weak and compromised credentials. Further, websites don’t enforce truly effective password creation guidelines, instead favoring ease-of-use over security.
There are ways you can start to move your site’s login process in the right direction, making it more convenient and secure for your users.
We’ll cover 6 modern best practices for ensuring your login process is as effective as possible:
- Let users see their password (if they want to).
- Notify users of suspicious behavior.
- Limit the number of password and username login attempts.
- Ditch modern password strength checkers.
- Update your modern password and username login standards.
- Eliminate the need for a new password and username.
1. Let Users See Their Password (If They Want To)
When it’s time to log into an account, we’ve all seen our password appear as a few dots on the screen. Replacing the characters with dots is a process that most websites use to keep your credentials secure from wandering eyes, but it also opens up a new range of vulnerabilities.
Since users aren’t able to see if they’ve made any mistakes, they’re more likely to create a simple password to avoid getting it wrong.
Think about it like this: with a long, complex password, you’ll have to hope that you get all the characters right or you’ll have to retype your credentials all over again, which could make the login process very time-consuming. Instead of encouraging users to create “easy” credentials, simply give them the option to show their passwords as they type.
This allows users to double-check that their passwords are error-free not only when they log in but also as they create a new account. Additionally, users should be able to disable the feature in situations where they don’t want their password to be seen.
Users gravitate toward simple passwords, partly because they’re easy to remember but also because they don’t want to risk typing the wrong thing. Offering the simple option to see the password removes a major UX and security obstacle!
Takeaway: Give your users the option to see their passwords so there is less room for error when entering complex credentials.
2. Notify Users of Suspicious Login Behavior
Monitoring your site’s security should be a continuous top priority. Letting users know when you suspect that their accounts might be compromised is the only responsible way to steward their sensitive data.
By notifying users early, you’ll prevent more accounts from becoming compromised and keep their sensitive information safe from unauthorized users. Users should be informed of a potentially compromised account if:
- There have been multiple login attempts to their account in a short period of time.
- Your organization experienced a data breach.
- Significant changes have been made to the user’s account settings.
- A password change request has been made.
- An account password has been changed.
The best way to notify users is through their linked email address or via text message. But in addition to notifying users, you should also provide them with steps to make their accounts more secure, like these:
- Change their credentials using up-to-date guidelines on what makes a secure password.
- Use social media sign-in options if your website offers this service.
- Update the passwords for other accounts connected to this one.
If you suspect that a user’s account is in serious risk of losing their sensitive information, place a hold on the account until you’ve received additional authentication from the user. By being overly cautious with your users’ information and monitoring the changes that are being made, any unauthorized access can be nipped in the bud before the hacker causes serious damage.
Plus, you’ll establish trust with your users by showing them that you’re putting security first. Not only will this help make your product or service stand out, but it also reduces the odds that your company becomes the victim of a data breach.
Takeaway: Users should know about any suspicious activity so they can act quickly to strengthen their accounts’ security. Use text messages and email to keep people up-to-date.
3. Limit the Number of Password and Username Login Attempts
One of the strategies that hackers use to crack a password is called a brute-force attack. Basically, this means that the hacker will use software to run through every password combination until it gets a match. Since these computer programs can run through billions of guesses every second, the process can take anywhere from a couple minutes to several years depending on the strength of the password in question.
If your website doesn’t have any restrictions on the number of times a user can attempt to log in, this can make the hacker’s job much easier.
Your site must set limits on the number of login attempts and password reset requests per user. To implement this strategy, come up with a few protocols of when to restrict access to an account or take additional steps to prevent malicious behavior on your site.
Here a few things you should keep in mind:
- Give users a maximum of 5 password guesses per minute. Let’s face it: we’ve all forgotten our password and sometimes we need a couple of tries to get it right. However, this limitation will flag hackers using brute-force attack computer programs. After the first 5 attempts, simply block the account for 10 minutes or so.
- Restrict the number of guesses by IP address to 20 per minute. The limit for IP addresses should be higher because shared offices might use the same IP address and have multiple users trying to log in on your website. If you notice a high volume of login attempts from the same IP address frequently, you might need to make the executive decision to block that IP.
- Accept a maximum of 2 password reset requests per account and 5 per IP address. Giving users more opportunities to reset their password can lead to less secure accounts. For instance, a hacker may make several requests to determine which email is linked to the account.
Of course, these are just suggestions. Your organization should adjust these guidelines to fit your specific needs. As an added step, if an account is blocked for any of the reasons above, it’s important to send the user an email notifying them of the situation. That way, if the attempts weren’t made by your users, they can take the next steps to protect their accounts.
Takeaway: By limiting the number of login attempts per an account, you can make the job much harder for hackers trying to gain access.
4. Ditch Modern Password Strength Checkers
A popular way for users to test the strength of their passwords is through online checkers like How Secure Is My Password, Password Meter, and My1Login. Often, you’ll see similar tools on websites when you create a new account. Users can type their passwords into the tool and have it rated on a scale of very weak to very strong. Sometimes checkers measure strength using the time it would take to crack the password.
Unfortunately, these tools can be inconsistent in their results or use outdated password security standards, giving users a false sense of security.
As you can see in the image above, some passwords that are considered strong or okay are actually very weak. This occurs because there is no set standard on what makes a secure password. Plus, many password checkers include standards like:
- Include at least one uppercase letter.
- Use numbers and symbols.
- Create a password of up to 8 characters.
These requirements typically lead to very formulaic passwords like “Jessica1234!” that are quite easy for hackers to guess. Instead of using specific requirements, companies should focus on providing users with universal strategies to make their passwords stronger.
Takeaway: Password strength checkers aren’t the best way to judge security because they’re inconsistent and encourage users to create credentials that follow a guessable pattern. Organizations should focus on educating users about strong passwords rather than enforcing guidelines.
5. Update Your Modern Password and Username Login Standards
How can you encourage users to create better passwords?
First, your organization needs to stay updated on current password security recommendations. As new password-cracking technology is created, these recommendations change from day to day.
Instead of giving users a set of requirements that must be included in their password, provide recommendations based on the most updated information.
For instance, The National Institute of Standards and Technology (NIST) often publishes new password security guidelines. Here is what their latest report suggests:
- Websites shouldn’t require donors to change their credentials frequently.
- Users should create random passwords as they’re more secure.
- Longer passwords should be encouraged.
- Organizations should no longer enforce composition rules like adding an uppercase letter, number, etc.
In addition to these guidelines, organizations should also run any new passwords through a system that checks for the most commonly used passwords and credentials that have already been breached. For instance, if a user tries to create an account using the password “123456,” the system will tell the user to choose a different password.
A shocking 98% of accounts can be accessed using 10,000 of the most common passwords. By preventing users from creating accounts with these passwords, you’re encouraging them to make stronger credentials. If you decide to implement this type of screening method, you’ll have to determine how many passwords you’re going to include on your list.
Takeaway: Organizations should screen passwords against the most used credentials to prevent users from creating weak accounts.
6. Eliminate the Need for a Password and Username
If your organization wants to take the password and username login to the next level, you should consider password alternatives. While there are several different options, the process works very similarly to two-factor authentication (where a key code is sent to your phone or email). The only difference is that no password is required at any step in the process!
Let’s take a look at two different types of passwordless authentication.
[boc_icon size=”normal” icon_position=”left” icon_color=”#0076b6″ has_icon_bg=”” icon_bg=”#ffffff” icon_bg_border=”#ffffff” border_radius=”100%” icon=”icon icon-mail-open-file” margin_top=”” margin_bottom=””]
Email authentication is one of the most universal and cost-effective passwordless login systems to implement — anyone with an email account can use it.
The process works very similar to websites that let users log in with their Facebook account, so the process is already familiar to most users as well.
Here’s how it works:
- When a user wants to enter her account, she presses the login button.
- This triggers a mailto link, which opens the user’s primary email and generates a pre-written message for the user to send.
- The email contains an encrypted key that only the authentication server and the website can decrypt.
- Once the user hits send, the system verifies her identity and grants access to her account.
At Swoop, we use a unique code attached to every email that to verify the user’s identity. If a login attempt is made from a different device or IP address, the system will send the user a text message, which the user must reply to in order to log in.
Essentially, this method prevents hackers from gaining access to your account because they’ll need the credentials to your email account. Even if they get past the first security measure, the system will flag any usual behavior and request a second authentication method via text message.
[boc_icon size=”normal” icon_position=”left” icon_color=”#0076b6″ has_icon_bg=”” icon_bg=”#ffffff” icon_bg_border=”#ffffff” border_radius=”100%” icon=”icon icon-user” margin_top=”” margin_bottom=””]
If you have a cell phone that lets you unlock your screen with a fingerprint, then you’re already familiar with biometrics. From fingerprint, face, and iris scanning to DNA screening, biometrics allows users to gain access to their accounts using their own biology. While very secure for the most part, biometrics still has a few notable security vulnerabilities. An overview of how these systems work can help provide more context.
For the fingerprint authentication, users just have to place their print on the scanner to access their account or make an online payment.
Despite its many perks and conveniences, this option does have its disadvantages.
First, biometrics is costly to implement and can only be used by people that have a compatible device. In order to get operating, organizations have to purchase expensive technology and encourage users to purchase the necessary tools for it to function.
Additionally, recent research shows that replicating fingerprints is possible. Smartphone fingerprint scanners actually record multiple images of portions of your fingerprint. If your finger matches any of these images, you’re granted access. By creating a “master print” with traits common to most fingerprints, cybercriminals have been able to gain access to other people’s accounts. Even face scanning technology can be tricked with a high-quality photo.
Lastly, if another person does access your account, users can’t change their credentials like they would a traditional password.
Takeaway: With several ways to create a modern passwordless login, your organization can eliminate the need for a password and create stronger accounts.
Hopefully, these tips have inspired you to update your password and username login so that the process is more secure and convenient for your users.
If you want more information on password security, check out these additional resources:
- Benefits of Passwordless Authentication: There are plenty of reasons why organizations should start using passwordless authentication. Learn more about the many advantages with this article.
- Questions About Passwordless Login Systems: Still have questions about email authentication or biometrics? This article answers some of the most frequently asked questions about passwordless authentication.