Yesterday, Ring announced it would start requiring two-factor authentication for all user accounts effective immediately. And while that’s a great start, it’s not enough. The company can and should do more. The truth is, it’s playing catch-up to another security camera company: Nest. If you have to pick, you should trust Nest before Ring, and here’s why.
Security cameras that you put in your home are honestly a scary proposition. Think about it—you’re putting a digital recording system in the most intimate areas of your life, and to access them, all you need is the right username and password. The danger in that concept became all too apparent recently as report after report showed people with Ring cameras who had their accounts compromised.
Update, 2/27: After publishing this article, a Ring spokesperson reached out to us with this statement:
Ring checks the location of IPs for every login and takes action when suspicious activity is detected. In addition, Ring users are notified via email of any new client device that logs into a Ring account with correct credentials so that they can change their account password if they do not recognize the login, which automatically logs out all client devices.
Ring periodically scans various sources, both on the internet and the dark web, for credentials that were compromised as part of a non-Ring related breach. When we discover compromised credentials that match a Ring customer’s current username and password, we disable their current password and email the customer to let them know that their credentials may have been compromised. We let them know that they must change their password immediately in order to log out all client devices and recommend they enable two-factor authentication.
Ring rate limits login requests so that an unusual volume of login attempts from a single IP gets throttled. If there are repeated throttling attempts, we ban and block the IP address.
When we asked for Ring documentation we could point to for further information, Ring declined and pointed us to a CNET article that also stated Ring checks passwords for suspicious behavior.
However, CNET also points to testing by VICE that suggested these security measures weren’t in place.
The original article is left intact below.
Nest, on the other hand, has the problem figured out already. The company implemented (or will implement) several features that Ring lacks, like IP logging, password strength requirements, breached password checks, and rapid login attempt prevention.
Google Knows Where You Are Thanks to IP Logging
You may not realize it, but websites know where you are. Your IP address reveals that info whenever you visit a site. What most sites don’t do is keep track of where you usually are.
But Google does. If you always log in from Washington D.C. but suddenly jump to Florida or China in a half-hour, Google will notice and treat that login attempt as suspicious. It will notify you, and prevent the login until you can confirm that it’s you and not someone who’s trying to log in with a password from a breached database.
While that’s an ability Google first introduced for Google accounts (for Gmail, Google Calendar, etc.), it recently brought the capability to Nest accounts.
Right now, Ring doesn’t check your IP location for suspicious activity. That much is evident from the fact that bad actors were able to log into other users’ Ring accounts (unless by sheer luck they were always very close to the victim).
The company didn’t mention the feature in its latest update concerning privacy and security changes, either. And that’s a shame because it would go a long way in addressing the problem.
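The check described in this section is often called impossible-travel detection. The sketch below is an added example, not code from this article, Google, Nest, or Ring; the speed and distance thresholds, the function names, and the sample logins are all assumptions made for illustration.

```python
import math
from collections import namedtuple

# One login event: Unix time plus the coordinates an IP-geolocation lookup returned.
Login = namedtuple("Login", "label ts lat lon")

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: about airliner cruising speed
MIN_DISTANCE_KM = 100.0    # assumption: ignore jitter in IP geolocation

def haversine_km(a, b):
    """Great-circle distance between two logins in kilometres."""
    lat1, lat2 = math.radians(a.lat), math.radians(b.lat)
    dlat = lat2 - lat1
    dlon = math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def is_impossible_travel(prev, new):
    """True when getting from prev to new would need implausible speed."""
    dist = haversine_km(prev, new)
    if dist < MIN_DISTANCE_KM:
        return False
    hours = (new.ts - prev.ts) / 3600.0
    return hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH

def logins_to_hold(logins):
    """Labels of logins to pause until the owner confirms them."""
    ordered = sorted(logins, key=lambda l: l.ts)
    baseline, held = ordered[0], []
    for cur in ordered[1:]:
        if is_impossible_travel(baseline, cur):
            held.append(cur.label)  # baseline stays at the last trusted login
        else:
            baseline = cur
    return held

# Constructed sample: logins near Washington D.C., one from Miami 30 minutes
# after a D.C. login, and one from Miami two days later (ordinary travel).
SAMPLE = [
    Login("dc-morning", 0, 38.9072, -77.0369),
    Login("dc-later", 3600, 38.9100, -77.0400),
    Login("miami-30min", 5400, 25.7617, -80.1918),
    Login("dc-evening", 9000, 38.9072, -77.0369),
    Login("miami-2days", 9000 + 48 * 3600, 25.7617, -80.1918),
]

if __name__ == "__main__":
    print(logins_to_hold(SAMPLE))
```

Only the Miami login that follows a D.C. login by half an hour is held; the same city two days later passes because the implied speed is ordinary.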
Ring Will Let You Use Any Password No Matter How Weak
The first barrier to your account is your password, and it’s surprising to see that Ring will let you use anything. Just to be sure, I created a new account today, and it let me use “password” for my password. That’s the world’s weakest password, and no website, let alone a security company, should allow that.
The worst part is, Ring knows it’s a weak password. You can see in the screenshot above that Ring says “password” is weak. Yet it let me use it all the same. If you saw someone about to step in front of a truck, you wouldn’t just say, “hey, that’s a bad idea.” You’d stop them from making a terrible mistake. But Ring doesn’t stop you from using a terrible password.
Nest, on the other hand, checks your passwords for basic requirements and won’t let you use easy-to-guess default-style passwords. It almost feels silly to praise Nest for that fact because it’s the bare minimum any security company should do, but Nest does it, and Ring doesn’t, so here we are.
Nest Checks for Breached Passwords
As long as we’re dropping truth bombs on you, here’s another: somebody already compromised that single password you use for your email, Adobe, Disqus, Dropbox, Tumblr, and xkcd. Several times. If you’re using the same password everywhere, you should stop. Please get a password manager.
But we can repeat that fact until the end of time, and people are gonna people and keep reusing passwords. So the next best thing is to protect people from themselves. Nest checks your current username and password against known database breaches. If it finds a match, it’ll let you know and have you change your password.
That prevents hackers from logging into your account using credentials they found thanks to some other site’s bad security. Unfortunately, Ring doesn’t check your passwords against database breaches. If you’re using a compromised username and password combo, it’s up to you to figure that out and correct the problem. We recommend you check HaveIBeenPwned if you haven’t already.
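A signup check that rejects a weak or breached password instead of only warning about it can look like the sketch below. It is an added example, not Nest's or Ring's code: it checks the password alone rather than the username and password pair, it models the lookup on the hash-prefix range query that HaveIBeenPwned's Pwned Passwords service offers, and the corpus, counts, minimum length, and function names are assumptions.

```python
import hashlib

# Constructed stand-in for a breach corpus (password -> times seen); counts are made up.
BREACH_CORPUS = {"password": 1000, "123456": 2000, "qwerty123": 300}
MIN_LENGTH = 8  # assumption: minimum length for this example's policy

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_lookup(prefix):
    """Stand-in for the breach service: given the first 5 hex characters of a
    SHA-1 hash, return every matching hash suffix as 'SUFFIX:COUNT' lines."""
    rows = []
    for pw, count in BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            rows.append(f"{digest[5:]}:{count}")
    return "\r\n".join(rows)

def breach_count(password, lookup=range_lookup):
    """How often the password appears in the corpus. Only the 5-character
    prefix leaves the caller; the suffix comparison happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def check_new_password(password):
    """Signup or password-change policy: returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    hits = breach_count(password)
    if hits:
        return False, f"found {hits} times in breach data"
    return True, "ok"

if __name__ == "__main__":
    for pw in ("password", "short", "plum-orbit-canvas-47"):
        print(pw, check_new_password(pw))
```

Note that “password” passes the length rule and is stopped only by the breach lookup, which is why a length check alone is not enough.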
Nest Uses reCAPTCHA to Prevent Rapid Login Attempts
If a hacker doesn’t know your password, they can try to guess it. One way is to use a bot to submit hundreds or thousands of passwords in the hope of getting a hit. But that won’t work with Nest (or Google) Accounts.
Nest already implemented reCAPTCHA on its sign-in page. You’ve probably even encountered it before. If you’ve ever had to pick “all the crosswalks” or “all the fire hydrants” from a picture grid, that’s reCAPTCHA. The basic idea is it’s a test “only a human” can solve. It also slows down login attempts even if a bot does somehow pass the test.
In theory, that should prevent mass login attempts from eventually guessing your password. Unfortunately, Ring doesn’t have any protections like that in place. So bad actors are free to guess away until they get it right (especially if you have a weak password, which Ring allows).
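On the server side, slowing down rapid guessing usually means counting recent failures and escalating from a challenge to a refusal. The sketch below is an added example of that idea, not reCAPTCHA itself and not code from Nest, Google, or Ring; the window, thresholds, class and function names, and the sample traffic (using documentation-range IP addresses) are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 300        # assumption: look at failures from the last 5 minutes
CHALLENGE_AFTER = 3   # assumption: failures before a CAPTCHA-style challenge
BLOCK_AFTER = 10      # assumption: failures from one IP before refusing it

class LoginGate:
    """Decides, before the password is checked, how to treat a login attempt."""

    def __init__(self):
        self._fails = defaultdict(deque)  # ("ip"|"acct", value) -> failure times

    def _recent(self, key, now):
        q = self._fails[key]
        while q and now - q[0] > WINDOW_S:
            q.popleft()                   # forget failures outside the window
        return len(q)

    def decide(self, ip, account, now):
        ip_fails = self._recent(("ip", ip), now)
        acct_fails = self._recent(("acct", account), now)
        if ip_fails >= BLOCK_AFTER:
            return "block"
        # A hammered account only triggers a challenge, never a hard lock,
        # so an attacker cannot lock the real owner out.
        if max(ip_fails, acct_fails) >= CHALLENGE_AFTER:
            return "challenge"
        return "allow"

    def record_failure(self, ip, account, now):
        self._fails[("ip", ip)].append(now)
        self._fails[("acct", account)].append(now)

def simulate(attempts):
    """attempts: (time, ip, account, password_ok) tuples -> list of decisions."""
    gate, decisions = LoginGate(), []
    for now, ip, account, ok in attempts:
        decision = gate.decide(ip, account, now)
        decisions.append(decision)
        if decision != "block" and not ok:
            gate.record_failure(ip, account, now)
    return decisions

# Constructed sample: a bot guesses once a second from one address, then the
# owner logs in from another address at t=20 and again at t=400.
SAMPLE = [(t, "203.0.113.7", "alice", False) for t in range(12)]
SAMPLE += [(20, "198.51.100.20", "alice", True), (400, "198.51.100.20", "alice", True)]

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

Counting failures per account as well as per IP means guesses spread across many addresses still trigger the challenge for that account.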
Both Offer Two-Factor Authentication, but You’re Better off With Google
Starting yesterday, Ring requires two-factor authentication. Starting in the Spring, Nest will require it for its accounts too. That puts Ring slightly ahead of Nest, but that’s not the whole story.
In both cases, you’ll need to input a one-time-use PIN to log into your account. For Ring, you’ll get that via email or text. For Nest, email is the only option. One-time-use codes sent through email or text are better than nothing, but they’re not the most secure version of two-factor authentication.
If you want more security, you should be using an authenticator app tied to your phone. With codes sent to text or email, the bad guys just need to compromise your accounts. But with an authenticator app, they’d need to steal your device (and at that point, security cameras are the least of your problems).
That matters, because if you migrate your Nest account to a Google account, not only do you get more security than Nest currently offers (which is more than Ring), you can secure your Google account with an authenticator app.
Google thinks its accounts are so secure that it won’t require two-factor authentication, unlike Nest, but we think you should turn it on if you have security cameras.
It’s a Matter of Heart
We haven’t even talked about the difference in products, but if you want our opinion, we think Nest cameras are better than Ring cameras, too. The integration with other Nest products (like the Nest Hub) is much tighter than the integration between Ring and Amazon Echo products.
But even if Nest and Ring cameras were exactly the same in terms of quality, it’s clear you should still go with Nest.
Whereas Ring is quick to blame its customers for security problems and slow to implement solutions, Nest (and Google) have been quick to implement solutions and slow to blame customers.
On the rare occasion when something did happen, like a bad integration between Wink and Nest, the company took responsibility and worked quickly to resolve the problem. That’s precisely the behavior you want from your security camera maker.
Nest’s actions show that it’s working hard to earn your trust and secure your accounts. And Ring’s actions feel like the bare minimum. So the choice is clear: choose Nest before Ring for your security cameras.