Storing Usernames and Passwords on Mobile Devices – Best Practices for Mobile Security

finjanmobile Blog, Mobile Security

Storing Usernames and Passwords on Mobile Devices

Sound practice for user credentials recommends that you use a different password, and where possible a different username (though many sites insist on an email address), for each of your accounts. If you have a lot of accounts, this soon adds up to a lot of obscure combinations of letters, numbers, and keyboard symbols to remember.

Speaking of keyboards, users habitually moan about the lack of usability associated with the virtual or actual keypads found on even the best designed mobile devices – which can make typing in all those obscure combinations a real chore.

The convenient and obvious answer is to have some way of automatically calling up these passwords and user credentials on demand. The “AutoFill” function of many web browsers and web-enabled apps is one option – but this requires each browser or program to store your data in its own separate cache or portion of your device storage.

Having a central repository for all the usernames and passwords on your mobile device is the better option. But keeping that repository safe requires you to take some proactive security measures and common sense precautions. We’ll be discussing some of those, now.

Storing Usernames and Passwords on Mobile Devices – Take Physical Measures To Protect Your Device

The first set of precautions you should take concern the actual physical safety of your mobile device. If someone steals your phone or tablet or is allowed uninterrupted access to it for any length of time, chances are that any information you have stored there will effectively become someone else’s property.

So keep your device on your person and/or within your line of sight, at all times. And enable some form or combination of password, PIN, or lock screen protection, to grant access to your device’s desktop.

There’s a wide array of third-party lock screen/security apps available to supplement the on-board access controls offered by mobile operating systems like Android or iOS. Many of these apps are free of charge, and run the spectrum from patterns or swipe mechanisms, through to biometric controls involving fingerprints, or voice and facial recognition.

Make Sure The Data Isn’t Stored As Plain Text When Storing Usernames and Passwords on Mobile Devices

If you are going to store usernames and passwords on your mobile device, doing so in plain or clear text isn’t the way to go. For one thing, if a hacker gains physical access to your device (either by theft or acquiring a discarded machine that wasn’t properly wiped), clear text offers no protection.

Some form of encryption is recommended, to scramble your passwords into an unreadable form before they’re stored.

Set Master Password Access Across Multiple Apps

Modern web browsers include some options and settings for storing and retrieving passwords and user data spanning several accounts. These settings typically carry over between desktop and mobile applications.

If you’re happy to rely on the rudimentary password management offered by your device’s web browser, you’ll need to protect the management system with a strong master password or PIN – one that can’t be easily guessed or cracked.

The standard “strong password” rules apply: between 8 and 15 characters, a mix of lower- and upper-case letters, numbers, and symbols, changed periodically.

Use A Password Manager App for Storing Usernames and Passwords on Mobile Devices

A dedicated password manager application is a safer and more versatile option than relying on your web browser. Integration with your web browser is a standard feature, with your username and password being captured when you log into a secure website, and typically replayed (“AutoFilled”) each time you return. The better ones will capture your credentials when you first create an account, then offer to update this information each time you change your password.

Some password manager apps will also fill in passwords for secure applications, or allow you the option of capturing all the data fields on a page (which can be useful when visiting websites that don’t use a secure protocol or have a non-standard layout). Many of these apps will also generate strong passwords for you – which you won’t have to remember, as the app fills them in for you. What you will have to remember – and set – is a strong master password for the manager app, itself.

There are several paid and free password manager options available. LastPass, KeePassX, and Sticky Password are among the leading names.

Subscribe To A Cloud Password Encryption Service

An alternative to a device-based manager app is the equivalent feature set, delivered as a service via the cloud. These subscription-based services will typically store and retrieve your passwords and user credentials, and may additionally allow you to store other information such as bank account and credit card details, or notes.

Cloud password management services typically use 256-bit AES encryption (one of the strongest standards available), and may also offer a staged user verification process using biometric information or a security code sent to your phone, for example. Free and paid (premium) options exist, and leading services include LastPass, Dashlane, and 1Password.

Use Multi-Factor Authentication

A staged verification process should be extended to your online activities and credentials storage, as a whole. Web-based email, secure sites, and social media platforms now offer multi-factor authentication as a standard option – and it’s one that you’d be wise to adopt.

Multi-factor authentication adds one or more additional stages to your login process, requiring additional information to supplement the entry of your username and password. Typically, this might be an SMS text code sent to your designated mobile phone number, a “Captcha” field on the web page, or asking you to click an access button on your mobile app (if, for example, you’re trying to log in from an alternate location or device).

The point of multi-factor authentication (often called two-stage or two-factor, because usually only two stages are involved) is that having a username and password isn’t enough to gain access to your account. There has to be additional input to prove that it’s actually you who’s trying to gain access.

Watch Those Notifications

If you have sensitive information in your account that you don’t want displayed on your mobile device screen (such as your medical data, from a healthcare app), restricting the display of push notifications on your device is another option to consider.

Review the apps on your device that deliver push notifications to your home screen and status bar, and remove this permission from those that might disclose information you’d rather casual observers didn’t see.

Allow Remote Location & Device Wiping

There are geo-location security apps available that can track the position of your phone at any given time – a great help if a device is lost or stolen. Some also offer the option of remotely deleting all data on a device that has gone missing after a certain time, or on your specific orders.

These apps are particularly important in corporate environments, where Bring Your Own Device (BYOD) policies and the storage of sensitive data on numerous devices can put enterprise data at risk.

Have An Analog Backup

One of the things you should do if you’re storing usernames and passwords on your mobile device is to keep a synchronised backup of this data on an alternate device, such as your laptop or desktop system.

Another is to go pre-digital and make a handwritten or word-processed backup listing of your credentials and passwords, which you should keep locked up in a secure location. In the event of systems failure, this will give you something to fall back on. And the process of compiling the hard copy list will help improve your memory of all the accounts involved – especially if you change your passwords on a regular basis.
