Nguyen Kim Son for SimpleLogin

There are better alternatives to Password Manager

Re-using the same password on different websites is bad for security: if an attacker gets hold of one website's database, they also have access to your accounts on the others.

But generating a different password for each website and remembering them all is impossible for a human being 😅. That's why Password Managers like LastPass, Dashlane, 1Password, etc. were created. Their principle is simple: there's a master password that allows you to manage all the other passwords (should we call the other ones slave passwords then 😜?). As losing this master password would open the door to all our secrets, each password manager offers its own multi-factor authentication (MFA) to protect it, ranging from one-time passwords (TOTP) to printing a secret key that you carry with you at all times.

These tools are gaining popularity now that users are more and more concerned about privacy, but these users are still a minority. One reason is the difficult and unusual setup process, especially on phones. The good news is that Google and Apple have now integrated their own password managers into Chrome and iPhone/Mac, making the Password Manager concept more accessible to the general public.

So all good, right? Not exactly, because a Password Manager is only half the solution to the security issue. Let me explain.

There are usually two parts to a login: the username/email and the password. A Password Manager only protects the password, not the email. Losing an email address is less catastrophic than losing a password, but if leaked it can lead to the following consequences:

  • unsolicited emails, aka spam
  • social hack: knowing which websites you use provides enough information for a sophisticated social-engineering attack.

So what is the real solution? For me the solution to both privacy and security is to have different personas online: one for professional work (e.g. LinkedIn), one for friends & family (Facebook), one for selfies (Instagram 😄), one for passions (travel, football, etc.). These personas are totally independent, and knowing one would not reveal the others. The first step towards this ideal world is to have a different email and password for each website.

Apple has understood that and released the Sign in with Apple button earlier this year. SimpleLogin also works on this challenge, starting with emails: users can create random email aliases that protect their true personal email. But email is only the first step; next would be other personal information like age, gender, phone number, address, etc. (Disclaimer: I happen to be a SimpleLogin co-founder.)
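To make the per-site alias idea concrete, here is a small Python model, added as an illustration (it is not SimpleLogin's code and assumes a hypothetical forwarding domain `alias.example` and constructed inbound mail). It shows the two properties that a random alias per website gives you and a shared address does not: aliases cannot be linked to each other or to the real inbox, and when an alias starts receiving mail from an unrelated domain, the alias itself names the site that leaked it, so that one alias can be cut off without touching anything else. It also shows why a plus-addressed tag (`me+shop@...`) is weaker: the recipient can normalise it away in one line.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical forwarding domain used for this example (assumption, not a real service domain).
ALIAS_DOMAIN = "alias.example"


def strip_plus_tag(address: str) -> str:
    """Normalise a plus-addressed mailbox, e.g. 'me+shop@gmail.example' -> 'me@gmail.example'.

    Anyone holding the address can do this trivially, so a plus tag only tells you who
    leaked the address; it does not stop the leaked address from reaching your real inbox.
    """
    local, _, domain = address.partition("@")
    return f"{local.split('+', 1)[0]}@{domain}".lower()


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rpartition("@")[2].lower()


@dataclass
class AliasRegistry:
    """Per-site random aliases that all forward to one real inbox (constructed model)."""

    real_email: str
    aliases: Dict[str, str] = field(default_factory=dict)  # alias -> site it was handed to

    def create_alias(self, site: str) -> str:
        # 48 random bits: the alias shares nothing with the real address or with other aliases.
        alias = f"{secrets.token_hex(6)}@{ALIAS_DOMAIN}"
        self.aliases[alias] = site.lower()
        return alias

    def forward(self, message: Dict[str, str]) -> Optional[str]:
        """Return the real inbox for a known alias; unknown or disabled aliases are dropped."""
        return self.real_email if message["to"] in self.aliases else None

    def attribute_leaks(self, messages: List[Dict[str, str]]) -> List[Dict[str, str]]:
        """Flag mail arriving at an alias from a domain other than the site that received it.

        Because each site got its own alias, the alias names the site that let the address
        leak. With one shared address there would be nothing to point at.
        """
        leaks = []
        for msg in messages:
            site = self.aliases.get(msg["to"])
            if site is None:
                continue  # not one of our aliases, nothing to attribute
            if sender_domain(msg["from"]) != site:
                leaks.append({"alias": msg["to"], "site": site, "sender": msg["from"]})
        return leaks

    def disable(self, alias: str) -> None:
        """Kill one alias; the real inbox and every other site's alias keep working."""
        self.aliases.pop(alias, None)


def demo() -> List[Dict[str, str]]:
    """Hand out two aliases, feed constructed inbound mail, cut off the alias that leaked."""
    reg = AliasRegistry("me@inbox.example")
    shop = reg.create_alias("shop.example")
    forum = reg.create_alias("forum.example")
    # Constructed inbound mail: the forum alias starts receiving mail from an unrelated domain.
    inbound = [
        {"to": shop, "from": "orders@shop.example"},
        {"to": forum, "from": "digest@forum.example"},
        {"to": forum, "from": "deals@bulk-sender.example"},
        {"to": "unknown@" + ALIAS_DOMAIN, "from": "x@anything.example"},
    ]
    leaks = reg.attribute_leaks(inbound)
    for leak in leaks:
        reg.disable(leak["alias"])  # only the leaked alias goes away
    return leaks


if __name__ == "__main__":
    for leak in demo():
        print(f"alias given to {leak['site']} now receives mail from {leak['sender']}")
```

The leak check is a heuristic: real sites often send mail through third-party providers, so a mismatch is a prompt to review the alias, not proof of a sale. The design point is that the decision and the cut-off are scoped to one site, which is exactly what a single shared email address cannot give you.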

There's also no setup for these SSO buttons: no additional app to install on the phone, and the master password is usually already handled by the browser or the OS directly.

But the challenge now is adoption. If developers don't adopt these alternatives and insist on staying with the classic username/password, users still need to create their own passwords or use their Password Managers. So make sure to ease your users' lives by implementing one of those Social Login buttons 🙏.

Please let username/password rest in peace ⚰️.

Below are some tutorials for adding those social login buttons in different frameworks/languages:

Top comments (5)

Luke Bayliss

I have found that a lot of users avoid social login buttons because they "don't see what X has to do with this product or system." X being Facebook, Twitter, Google and so on.

As far as adoption is concerned, do you have any tips on how we can better convey social login as a good alternative?

Nguyen Kim Son

I think what's missing until now is that the Identity Provider is usually a social network, which is much more than a mere Identity Provider. Users will surely have doubts if a tax-optimization company proposes the Login with Facebook button.

If we have a single-focused Identity Provider which devotes itself to the job of authentication, people would more likely accept it everywhere. This Identity Provider should also be trusted never to cross-link data.

SimpleLogin wants to be this Identity Provider, but I'm still working on the "how to increase trust" part; if you have any idea, please let me know!

Prashanth Krishnamurthy

I moved away from using popular services to log into third-party sites.

  1. The said applications typically want to know more than they deserve (e.g. ABC wants access to Contacts, but the problem was that ABC was just a feed reader)
  2. Any security vulnerability while sharing a service like Google can be catastrophic, since Google is all-powerful - thanks to my phone
  3. If my password for a popular service (e.g. Google) gets compromised, I would never want access to all my other apps to get compromised

So, it was back to password managers for me. I can use different passwords for different applications. And, everything stays encrypted + 2FA secured.

I understand that I risk security if my master password or become a target for SIM jacking - but risks come bundled with compromises and ease-of-use :)

Nguyen Kim Son

Totally agree! I'm also currently using Bitwarden to manage my passwords because of the lack of a trustworthy Identity Provider.

What do you think if we have an Identity Provider that:

  • requires websites to explain why they need special permissions (like having access to contacts) and allows users to opt out easily
  • open-sources the code so anyone can freely audit it, and therefore security issues are fixed earlier

SimpleLogin wants to be this Identity Provider that people can trust, both in terms of security and privacy. If you have any idea what's missing to make you change your mind (i.e. not creating accounts for every service), please let me know!

carcinocron

Social Login is a no-go for me. What happens when Facebook shuts down my social login for literally no reason and I have to wait 3 days (or longer, or it's permanent) and my users can't log in?

Wait, did I log in to this website with my GitHub, FB, or Twitter account, or vanilla email?

Do I really have to make a Twitter account just to log in to this website?

Social login: now I can't do the my.normal.email+name.of.website@gm... thing to catch who sold my email to spammers.

Way more problems than just using LastPass/Bitwarden.