Don’t Get Locked Out of Your User Accounts
Some account security and recovery best practices
Do you have an idea how many user accounts you have? Thanks to my password manager I know that I have at least 107!
I’ve deliberately written “at least”. I have certainly forgotten about accounts registered with old email addresses – that might not even exist anymore – and even the ones registered with my current email accounts before I was using a password manager. I did a poll on Twitter and only 13% of people say they know all sites for which they registered an account.
Almost all people that replied to this tweet have 100 or more accounts. This might seem a lot, but Dashlane research published in 2016 confirms this number: the number of accounts registered to one email address at that time was 130 in the US, 118 in the UK, 95 in France, and 92 for the rest of the world.
We can draw some important conclusions:
People have a lot of accounts, and probably a lot more than they’re aware of
Email accounts are (one of) our most valuable online assets. They contain a lot of personal data and on top of that they’re used to register accounts for many other websites.
It’s important to properly secure all known accounts by following password best practices and enabling the additional security measures a website offers. This helps prevent malicious account takeovers and lockouts.
Tip: search in your mailboxes for account registration or password reset emails to discover forgotten accounts.
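To make this tip concrete, here is an added example (not code from the original post) that scans exported mail for registration and password-reset messages, builds an inventory of which service knows which of your addresses, and flags services that only know an address you no longer control. The sample messages, domains and subject patterns are constructed; for a real mailbox, feed it the raw messages from an mbox or IMAP export.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Subject lines that typically signal an account was created or recovered (heuristic).
ACCOUNT_SUBJECT = re.compile(
    r"welcome to|verify your (?:email|account)|confirm your (?:email|account)|"
    r"activate your account|reset your password|password reset",
    re.IGNORECASE,
)

# Constructed sample mail (not real messages): two registrations, one password
# reset sent to an old address, and one newsletter that must be ignored.
SAMPLE_MAILBOX = [
    "From: no-reply@example-shop.test\nTo: me@current-mail.test\n"
    "Subject: Welcome to Example Shop\n\nThanks for registering.\n",
    "From: accounts@forum.test\nTo: me@old-isp.test\n"
    "Subject: Password reset requested\n\nClick the link to reset.\n",
    "From: support@forum.test\nTo: me@old-isp.test\n"
    "Subject: Please confirm your email\n\nConfirm your address.\n",
    "From: news@example-shop.test\nTo: me@current-mail.test\n"
    "Subject: Weekly deals\n\nSale!\n",
]

def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def discover_accounts(raw_messages):
    """Map each service domain to the set of your addresses it has on file."""
    accounts = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not ACCOUNT_SUBJECT.search(msg.get("Subject", "")):
            continue  # newsletters, receipts etc. are not registration evidence
        service = sender_domain(msg.get("From"))
        _, registered_to = parseaddr(msg.get("To", ""))
        if service and registered_to:
            accounts[service].add(registered_to.lower())
    return dict(accounts)

def stale_registrations(accounts, current_addresses):
    """Services that only know addresses you no longer control: update their
    recovery email before you need a reset link, not after."""
    current = {a.lower() for a in current_addresses}
    return sorted(s for s, addrs in accounts.items() if not addrs & current)
```

Running `stale_registrations(discover_accounts(SAMPLE_MAILBOX), ["me@current-mail.test"])` on the sample data returns the forum registered only with the old ISP address, which is exactly the account to fix before it is needed.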
As we will see, account lockout isn’t always malicious. Whatever the reason, once you’re locked out of an account it can be very hard to regain access.
Prevent account takeovers and lockouts
There are many ways in which miscreants can hijack user accounts. Once they have access they can do all sorts of harm and easily lock people out of their accounts if they want to.
The success rate of these attacks can be traced back to the fact that, even today, many users protect their accounts with a weak and often reused password. That’s why the best possible defense is to use a strong, unique password for every account and to activate two-factor authentication (2FA).
Configuring 2FA is not without risk. When you’re no longer able to enter the verification code at login, you’re locked out of your account, at best temporarily. Be sure to have a fallback mechanism in place!
Another best practice is to limit the third-party applications you grant access to an account. If one of them gets hacked, it can lead to your account being hacked as well.
It’s also not advisable to use social logins. A lot of sites offer the option to log in with, for instance, your Google or Facebook account. This token-based authentication is not without risks: when these tokens are stolen – as happened to Facebook recently – it can lead to other accounts being compromised.
If you can no longer access an account, recovery options are your last resort. This article describes how someone got locked out of his Twitter account. His account was hacked, and to regain access Twitter asked him to prove he was the legitimate holder of the email account associated with his Twitter account. Because he no longer had access to that email account and hadn’t updated his Twitter profile with his current email address, he was locked out of his account.
This shows that it’s in your own best interest to configure recovery settings for your accounts and, just as important, to regularly review that your account settings are up to date.