Sunday, July 12, 2015

A simple way to make your site more secure

Let users have different passwords for web logins and mobile logins.

Why?  Because in my desktop browser I can use a password manager to store strong passwords.  In your proprietary mobile app, I will (almost certainly) have to type the password in manually, on a tiny keyboard, which makes a strong password almost unusable in that context.  Also, a strong password is actually not necessary in a mobile app, because you can use the device identifier as an additional security factor.

And for the love of God, don't deliberately undermine the use of password managers by disabling autofill in your login forms.  (I'm looking at you, Citibank!)
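One way to implement the two-credential scheme described above, as an added example that is not the author's code: each account keeps a web password and, per enrolled device, a short mobile PIN whose stored hash is bound to that device's identifier, so the PIN on its own does not log anyone in. The in-memory store, the PBKDF2 parameters and the sample user, device id and secrets are assumptions for the example.

```python
import hashlib
import hmac
import os

# Added example: separate credentials per channel, mobile one bound to the device.
ITERATIONS = 200_000  # assumed PBKDF2 cost; tune for your own hardware


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


class AccountStore:
    """In-memory stand-in for a user database (constructed for the example)."""

    def __init__(self) -> None:
        self._web = {}     # user -> (salt, hash) for browser logins
        self._mobile = {}  # (user, device_id) -> (salt, hash) for app logins

    def set_web_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._web[user] = (salt, _derive(password, salt))

    def enroll_device(self, user: str, device_id: str, pin: str) -> None:
        # Mix the device identifier into the hashed secret, so a leaked or
        # guessed PIN cannot be replayed from a different device.
        salt = os.urandom(16)
        self._mobile[(user, device_id)] = (salt, _derive(device_id + ":" + pin, salt))

    def verify_web(self, user: str, password: str) -> bool:
        rec = self._web.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _derive(password, salt))

    def verify_mobile(self, user: str, device_id: str, pin: str) -> bool:
        rec = self._mobile.get((user, device_id))
        if rec is None:
            return False  # unknown device: the PIN alone is not enough
        salt, stored = rec
        return hmac.compare_digest(stored, _derive(device_id + ":" + pin, salt))


if __name__ == "__main__":
    store = AccountStore()
    store.set_web_password("alice", "correct horse battery staple")  # constructed
    store.enroll_device("alice", "device-A1", "4931")                # constructed
    print(store.verify_web("alice", "correct horse battery staple"))  # True
    print(store.verify_mobile("alice", "device-A1", "4931"))          # True
    print(store.verify_mobile("alice", "device-B2", "4931"))          # False
```

The web password and the mobile PIN never verify against each other's channel, so a short PIN typed on a phone keyboard does not weaken the browser login.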


Don Geddis said...

LastPass is a password manager that is free for desktops, but also has a mobile version (for a premium price). That may solve your problem.

Of course, they recently had a security break-in. So nothing's perfect.

Luke said...

It sounds like you might like XKCD's Password Strength comic strip.

stechert said...

1Password does exactly what you want on iOS but I'm guessing you don't use an iPhone.