Security vs convenience

We are constantly enhancing our core product MasterVision to make it as user-friendly as we can. But when it comes to online authentication, making things as simple as possible for users isn’t always straightforward, since easy access needs to be balanced with strong security to ensure that our clients’ customer data remains safe.

Forgotten passwords

Forgotten passwords are a good example. If a user can’t remember their password, it would be easiest for them if we could send it by email – however, any online service which can send you your password is storing it insecurely in plain text. Instead, passwords should be stored only as a one-way hash that cannot be reversed, so that unauthorized access to the password list would not in itself compromise accounts. Alternative approaches, such as emailing a special link that allows a password reset, should also be implemented with care, since email is not secure and messages may be intercepted in transit.

Password strength

On a similar topic, users should be encouraged to create a reasonably long password including a mixture of different character types (e.g. uppercase / lowercase / numbers), even though this can make it more difficult to remember. This helps to guard against ‘dictionary attacks’, in which common words and phrases are tried out automatically in an attempt to gain unauthorized access to an account. Users should also be reminded not to share passwords between different online services, however convenient this may seem, since doing so reduces the security of each account to that of the least secure service.

Account lockouts

A further useful security measure is for a service to lock an account after a certain number of unsuccessful logins. Although this can cause some temporary annoyance for users if they repeatedly mistype their password and get locked out accidentally, it’s an effective way of blocking attempts at automated password guessing.

IP locking

Where a web service is used by staff in known office locations, it is possible to restrict access to a list of trusted IP addresses so that anyone attempting to gain access from outside is blocked. This makes things trickier for users wishing to log in from home or when travelling, who would need to use a company VPN (Virtual Private Network) to sign in via the office, but limiting access in this way provides greatly enhanced security.

Single sign-on

An increasingly popular way of simplifying the login process for users is the concept of ‘single sign-on’ (SSO). Instead of needing to remember numerous passwords for different online services, this allows users to sign in ‘centrally’ and then access specific services without being prompted to log in again. Although convenient for users, behind the scenes this needs to be set up carefully, since the implementation is based on trust across several parties and any weak link may compromise the overall security of the process.

At DataSalon we take data security very seriously and will continue to ensure that publishers can trust us with their customer data whilst working hard to provide a fast and friendly experience for MasterVision users.
