You can now sign into websites with a key pair derived from your crypto wallet instead of a password, which removes the reuse and phishing risks that come with one.
What better way to celebrate World Password Day (May 7) than with a new solution from the cryptoworld to get around insecure passwords and phishing attacks?
The lnurl-auth protocol lets users sign into accounts by scanning a QR code that carries a one-time random challenge from the site. The wallet derives a key pair that is unique to that domain from its master key, signs the challenge with it, and returns the signature together with the public key. The site verifies the signature against that public key, which becomes the only identifier it holds for the account. Because the key is bound to the domain, the same wallet presents a different key to every site, and a look-alike phishing domain receives a key that is worthless anywhere else.
Podcaster Marty Bent said the system meant websites no longer had to look up your information on a centralized database that is susceptible to being hacked:
“No more remembering unique passwords for separate sites. No more creating unique email addresses for different services. No more having to worry about the site you are interacting with having your data stolen from them. Pure, self-sovereign control of your accounts across the Internet. No usernames, passwords, or identifying information other than the public key that is derived upon sign up.”
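To make the exchange concrete, here is an added example (not code from the original article or from any lnurl-auth implementation) of both sides of the flow: the site issues a random one-time challenge, the wallet derives a key pair bound to the domain and signs the challenge, and the site verifies the signature and treats the public key as the account identifier. The key derivation is a stand-in assumption: it uses HMAC-SHA256 of the domain under the wallet's master secret as a P-256 private scalar, whereas real lnurl-auth derives a BIP32 child key on secp256k1 from a hash of the domain. The wallet's master secret and the domain names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
)

// Service is the website side. It issues a fresh random challenge (k1) for
// every login attempt and remembers it so each one can be answered only once.
type Service struct {
	Domain  string
	pending map[string]bool // hex(k1) -> still awaiting an answer
}

func NewService(domain string) *Service {
	return &Service{Domain: domain, pending: map[string]bool{}}
}

// NewChallenge returns the 32-byte k1 the site would encode in its QR code.
func (s *Service) NewChallenge() ([]byte, error) {
	k1 := make([]byte, 32)
	if _, err := rand.Read(k1); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(k1)] = true
	return k1, nil
}

// Verify checks a wallet's answer: k1 must be one this site issued and not yet
// consumed (so a captured answer cannot be replayed), and sig must verify under pub.
func (s *Service) Verify(k1 []byte, pub *ecdsa.PublicKey, sig []byte) error {
	id := hex.EncodeToString(k1)
	if !s.pending[id] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, id)
	if !ecdsa.VerifyASN1(pub, k1, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Wallet is the user side; master is the wallet's long-term secret.
type Wallet struct{ master []byte }

// linkingKey derives the key pair used for one domain. Stand-in derivation
// (an assumption, not the real protocol's): HMAC-SHA256(master, domain) reduced
// mod n is the P-256 private scalar. Real lnurl-auth derives a BIP32 child key
// on secp256k1 instead; the property shown is the same: new domain, new key.
func (w *Wallet) linkingKey(domain string) *ecdsa.PrivateKey {
	mac := hmac.New(sha256.New, w.master)
	mac.Write([]byte(domain))
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(mac.Sum(nil))
	d.Mod(d, curve.Params().N)
	if d.Sign() == 0 { // vanishingly unlikely; keep the scalar valid anyway
		d.SetInt64(1)
	}
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

// Login answers a challenge for domain with the public linking key and a
// signature over k1. The domain comes from the URL in the QR code, so a
// look-alike phishing site is answered under its own, different key.
func (w *Wallet) Login(domain string, k1 []byte) (*ecdsa.PublicKey, []byte, error) {
	priv := w.linkingKey(domain)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, k1)
	if err != nil {
		return nil, nil, err
	}
	return &priv.PublicKey, sig, nil
}

// PubHex is the compressed public key as hex: the only identifier a site keeps.
func PubHex(pub *ecdsa.PublicKey) string {
	return hex.EncodeToString(elliptic.MarshalCompressed(pub.Curve, pub.X, pub.Y))
}

func main() {
	wallet := &Wallet{master: []byte("constructed master secret for the example")}
	site := NewService("example.com")
	k1, _ := site.NewChallenge()
	pub, sig, _ := wallet.Login(site.Domain, k1)
	fmt.Println("login ok:", site.Verify(k1, pub, sig) == nil, "id:", PubHex(pub)[:16])
	fmt.Println("replay ok:", site.Verify(k1, pub, sig) == nil)
	phish, _, _ := wallet.Login("examp1e.com", k1)
	fmt.Println("same key for look-alike domain:", PubHex(phish) == PubHex(pub))
}
```

The two checks a site must not skip are both in Verify: the challenge has to be one the site issued and still outstanding, so a captured answer cannot be replayed, and the signature has to verify against the presented key. The look-alike domain in main gets an unrelated key, which is what makes the scheme resistant to a spoofed login page.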
Tips for the present, not the future
That’s something to look forward to, but until it becomes widespread you’ll need other ways to keep your passwords secure.
According to Proofpoint's 2020 State of the Phish Report, 44% of respondents in the United States used a password manager (an application that stores passwords and fills them into login forms when needed) for their online accounts, well above the 23% global average.
Crispin Kerr at Proofpoint said password managers are the most secure option:
“...we’ve found that many [users] typically reuse passwords or don’t change them on a regular basis because password management is inconvenient. Additionally, many find it difficult to remember increasingly complex passwords for the multitude of online services they are using today, which includes things like company’s intranet login, bank accounts, streaming services accounts, government services accounts, etc. For these reasons, we highly recommend a password manager.”
While password managers are the most popular method of password protection in the U.S., respondents in Australia, France, Germany, and the U.K. were more likely to rely on manually entering a different password each time they logged into an account.
An average of 16% of respondents worldwide admitted to using the same one or two passwords for all of their accounts, which the report notes is not “advisable from a security perspective.”
Improve password strength
Proofpoint also offered tips for people to improve their password strength, including avoiding any personal information like birth dates, names of pets, and names of friends or family. Passwords should be “at least 12 characters, with two or three different types of characters in unpredictable places” and users should “avoid placing capital letters at the beginning or digits or symbols at the end.”
If you have a bad memory for passwords, passphrases can be a lifesaver. Create a sentence and use the first letter or two of each word as your password, mixing in capital letters and numbers as needed. For example:
we can’t eat 15 New York pizzas, but those 5 people can
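The rules above can be checked mechanically, apart from the "unpredictable places" part. Here is an added example (not from the article or from Proofpoint) that checks a candidate password against the checkable rules and builds a password from a sentence the way the passphrase tip describes. How the tip handles the numbers in the sentence is an assumption: the example keeps a number whole and takes the first letter of every other word, so the sentence above becomes wce15NYpbt5pc.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// CheckPassword applies the rules Proofpoint states, as far as they can be
// checked mechanically: at least 12 characters, at least two character
// classes, no capital letter at the start, no digit or symbol at the end.
// "Unpredictable places" is a judgement call, so it is not tested here.
// It returns the list of rules the password breaks (empty means it passes).
func CheckPassword(pw string) []string {
	var broken []string
	r := []rune(pw)
	if len(r) < 12 {
		broken = append(broken, "shorter than 12 characters")
	}
	var lower, upper, digit, symbol bool
	for _, c := range r {
		switch {
		case unicode.IsLower(c):
			lower = true
		case unicode.IsUpper(c):
			upper = true
		case unicode.IsDigit(c):
			digit = true
		default:
			symbol = true
		}
	}
	classes := 0
	for _, present := range []bool{lower, upper, digit, symbol} {
		if present {
			classes++
		}
	}
	if classes < 2 {
		broken = append(broken, "only one type of character")
	}
	if len(r) > 0 && unicode.IsUpper(r[0]) {
		broken = append(broken, "capital letter at the beginning")
	}
	if len(r) > 0 && !unicode.IsLetter(r[len(r)-1]) {
		broken = append(broken, "digit or symbol at the end")
	}
	return broken
}

// FromSentence turns a sentence into a password the way the tip describes:
// the first letter of each word, keeping its case. Assumption (the article
// does not say): a word that is a number is kept whole, and punctuation
// attached to a word is ignored.
func FromSentence(sentence string) string {
	var b strings.Builder
	for _, word := range strings.Fields(sentence) {
		word = strings.TrimFunc(word, func(c rune) bool {
			return !unicode.IsLetter(c) && !unicode.IsDigit(c)
		})
		if word == "" {
			continue
		}
		if strings.IndexFunc(word, func(c rune) bool { return !unicode.IsDigit(c) }) < 0 {
			b.WriteString(word) // all digits: keep the number whole
			continue
		}
		b.WriteRune([]rune(word)[0])
	}
	return b.String()
}

func main() {
	// Constructed inputs: the article's sentence and a typical weak password.
	pw := FromSentence("we can’t eat 15 New York pizzas, but those 5 people can")
	fmt.Printf("%q breaks: %v\n", pw, CheckPassword(pw))
	fmt.Printf("%q breaks: %v\n", "Password1!", CheckPassword("Password1!"))
}
```

"Password1!" breaks three of the rules at once (too short, capital first, symbol last) even though it mixes all four character types, which is the point of the "unpredictable places" advice: variety on its own is not enough if it sits where everyone puts it.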
Protect your wifi with a password too
As more people work from home over their own wifi networks, or over newly set-up ones they are not yet familiar with, the likelihood of phishing attacks through spoofed login portals increases.
The Proofpoint report found that 95% of global workers already had a home wifi network, but only 49% protected the network itself with a password, and only 31% had changed the default password on the router itself. Those are two separate settings: the first keeps strangers off the network, the second keeps anyone already on it from reconfiguring the router.
Phishing attacks, whether they fool victims into logging into a fake online portal or clicking on a URL in an email, can cause remote workers to “deliver even the most complex and unique passwords directly to the attacker.” A password manager that fills credentials only on the exact domain they were saved for offers some protection here, because it will not offer the password on a look-alike domain; a per-domain key of the lnurl-auth kind goes a step further, since there is no reusable secret to hand over at all.