A big issue at present is online security and securing your identity. I have written quite a bit about this in the past, but have always felt that there is one issue that needs more attention: passwords, and specifically password vaults. Well, those are the topic today, so let's dive in and see if we can make any sense of them.
For the sake of simplicity in this article, I will try to answer these questions. Are password vaults safe? Are they more reliable than just keeping a written list of complex passwords? How do they work? And should you, the regular average everyday parent, switch to one?
Before I can start answering these questions, we first should have a bit of background on passwords and vaults so we can approach these questions from a similar angle. We all know what a password is, but what does it do? Your password is the textual digital key to various specific places online. In the last article, I talked about your PIN, and the PIN is just a really short, really insecure password. Your password to a place online keeps unauthorized users from accessing your data. Because we are creatures of habit and tend to use the same password over again at many sites, these passwords become less secure. Also, because shady operators are always looking for ways to exploit our data for profit, they are actively trying to build a list of your passwords and therefore gain access to more of your sensitive data. Now don’t get me wrong, I am not implying that there is some hacker sitting in some smoky back room somewhere with a file on you, actively trying to hack you, but I am also not saying there isn’t. Identity theft is one of the most profitable crimes today, mainly because the chance of being caught is so low and the reward can be very high. Often, these actors are trying to gain access to your information only to sell it to someone else, and when you use the same password for everything, that makes it surprisingly easy for them. How so? Well, if you use the password, let’s say “Monkey123,” at your bank, you can rest assured that it will never be stolen or sold; it may be brute-forced or simply guessed off the list of common passwords that are published every year, but that bank will never be breached. However, if you use that same password at a second bank, then the likelihood of it being breached is doubled, and even though that likelihood may only be fractions of a percent, you can see how using it more than once makes it less secure. Now factor in that you use this same password at other sites too.
If I were trying to hack into your bank account, I wouldn’t try the bank; I would look at the fringe of your online interaction and probe for a site or company that doesn’t care about your data, that doesn’t follow best practices as far as security goes. I would look at the app list on your last cell phone; I would probe the security of the meditation app you log into or the run tracker app you use. These companies routinely go under, selling their digital assets off to the highest bidder, and that includes the user data. Some of the most costly identity frauds have happened not because a stock brokerage or federal bank was breached, but because the victim used the same password at an online game site as they did at their bank.
So, with this new information, we should all agree that we need to change our passwords regularly, we need them all to be complex passwords, and we need them to be unique. Now in the past, I have recommended to my friends, family, and clients not to use a vault, but instead to get a notebook and write all your passwords in it. If you do that, it stops being a matter of electronic security and becomes a matter of physical security. I made this recommendation based on two thoughts. First, after being involved in some data recovery for the family of the recently deceased, I knew that if the departed had handwritten passwords in a notebook, we could have found it, but if they had used a vault, we would have no idea. Secondly, I just don’t trust tech companies, especially the small software companies that quickly go under and the bigger companies that buy them up. If the last four years have taught us anything, it is not to trust. From Yahoo three times to Equifax, Target to Sony, we have seen over the last few years that our data is just not safe and these companies will do anything to keep us from finding out. In the cases named above, if the companies had tried half as hard to protect our data as they did to protect themselves and cover up after they lost our data, I might not feel that way, but such is life.
With these thoughts and opinions in mind, let's now dive into the questions we set out to answer.
Are Password Vaults safe? This one is a simple answer. NO. Nothing online is entirely safe. Every password vault has vulnerabilities. Some are safer than others, and a few are really amazing, but none are perfect.
Are they safer than keeping a physical list? Maybe, but that depends on which one you choose and how they store your data. One interesting note here is that even if the vault you select is not as secure as your notebook, I have found that people don’t always have the list handy when they need a password and therefore often revert back to the “one phrase to rule them all” mentality, at which point you are not secure at all. I feel the need to repeat here: if you use a password more than once, each time you use it, the site you are at is less secure, but more importantly so are all the sites you have used it with previously. Reusing passwords is a bad idea, period. However, if you have vault software in use, have access to it, and it is easy to use, you are more likely to use it to generate a new, unique password each time, then store it for future access. Doing this makes all your sites more secure. Because of this aspect alone, I have observed that using a quality vault product is more secure long term than using your brain or a book.
How do they work? The short version is that, through a software interface, they store, generate, and recall passwords to sites you access, if you ask them to. That seems a bit vague, and it is, but here is why: that description is all I have found that these products have in common. Also, it doesn’t speak much to their security. You see, each product has a slightly different way of completing its task; some are better, but most are worse. Understanding their differences is a topic that I have researched at length. I have listened to security specialists and programmers discuss it, and I have scoured online sources to try to understand better. For simplicity’s sake, I have broken it down into three different categories: encrypted on the device, cloud encrypted, and everything else. Just to promote fairness and understanding, let’s call everything else what it really is, the wild west. This is the type I want to discuss first.
What is the “wild west” of password vaults? Well, this is any mobile app, program, UWP app or other application which is written by anyone, to no set standards, with the intent of maybe sort of protecting or at least storing passwords. It doesn’t matter to me where they are stored, if they are free or paid, or how they are secured. If no pre-published set of standards, deliberate or otherwise, was followed in the construction or implementation of the app, it is in the wild west. We see these all the time: camera, calculator or photo library apps that have a secret internal folder where you can keep all your private photos, your secret apps, your “other passwords” or any other file you don’t want your parents or spouse to see. These apps, because they are usually written by shady operators, are not secure, not encrypted and not protecting your stuff from real bad guys at all. So many of these count on the users’ illicit activity as a deterrent from exposing the company as a fraud (for fear of exposing your own bad choices) that they continue to operate. Another reason I consider some of these apps the wild west is that even if they sincerely try to make a quality product responsibly, many of these small software and app development companies don’t make it, and when they fail, their work, hardware, and data are all sold to the highest bidder. For this reason alone, if a company doesn’t have at least a five-year history in software design, I don’t move them to one of the other categories, no matter how good they are.
Lastly, for the wild west, many of these cheap or free apps use your data, your traffic and profile info to monetize the app, which is also inherently insecure. What good is a password manager if it sells my data to the very people who I am trying to protect myself from?
Next in my ranking of password managers are products that store and encrypt your data in the cloud. I consider these to be better than the wild west, but still not acceptable to me as a truly secure solution. Let's, for the sake of this discussion, call these “better than nothing.” Now first it is important to me that you understand that I don’t just lump every password vault product that has cloud access into this category. First of all, to be here, it has to be from a reputable long-term company with a trusted history in security or at least technology; otherwise, it defaults to the wild west. Second, it has to not only have cloud access and storage, but it also has to be encrypted ON THE CLOUD. My best example of this is Apple’s own “iCloud Keychain,” which has proven to be a very trustworthy, secure product. However, the data is stored encrypted in iCloud, and Apple holds the keys to its storage and its encryption. Therefore, if someone were to steal your identity successfully, they could convince Apple they are you and get access to all your stored passwords in your iCloud, unencrypted. This is similar to how the “fappening” happened a few years back. Several unscrupulous actors stole enough data from celebrities to trick iCloud into giving them access. They used that access to steal photos from those celebrities’ iCloud accounts. Had the keychain been available or more prevalent then, they would also have had access to it and could have used those celebrities’ passwords to access any number of other accounts, from Instagram to Tinder… Now, I also need to say that it was basically the fault of the account owners for not securing their accounts with strong passwords and not using two-factor or third-party verification. However, it did happen, and the password vault would have been wide open to the criminal at the time of the breach. Therefore it does highlight how these types of vaults have security flaws, or at least loopholes, that can be exploited.
Cloud-based or server-side encryption, as it is sometimes called, is VERY convenient. You can always get all your passwords back, there are recovery options, and the company can help you do it because in most cases they hold a copy, or the only set, of your encryption keys. This is what we call “fail safe.” If there is a catastrophe and you lose your keys or lose access to the system, you can “prove” to the company that you are you, and they can let you back into your vault. Very convenient. However, not entirely secure. These companies can be tricked by others who are trying to defraud you, or they can be hacked themselves and the keys, or the data, can be stolen, compromised, or even destroyed. As I have said so many times in the past, there is a sliding scale between security and convenience, and you can NEVER have both. The more convenient something is, the less secure, and the more secure, the harder to use.
This brings us to what I consider the best kind of password manager: a vault that is end-to-end encrypted, cloud synced, and encrypted ON DEVICE. What does this mean? Well, let me spell it out. My tier-one password vault starts with encrypted data on each device. It uses two-factor or third-party verification challenges to add a new device. Then, after verifying the device and the user separately, the password manager transmits the encrypted data to the cloud repository, where all the other authenticated devices can access and download the encrypted data; then, after verifying the data and the user on those devices, it decrypts the data for user access. This system is vital because it is as secure as we can be with the technology we have right now. If a device is lost or compromised, the data is challenging to access, as it is encrypted on the device and secured with multi-factor authentication. The data in the cloud is secure because if the data center is breached, the data that can be stolen is encrypted data, and the keys are not stored anywhere in that cloud system; therefore, the thief gets a datastore that is practically unusable. Also, if the cloud is compromised and the hacker just decides to wreak havoc by deleting the datastore altogether, there is a local copy on every machine that can repopulate the server as soon as it is re-secured, often with little or no data loss or inconvenience to the client. Lastly, because it is encrypted on the device before it is transmitted to the cloud, all transmission is of encrypted data; therefore if someone mounts a man-in-the-middle style attack and the communication itself is compromised, that data is also encrypted, doesn’t contain any encryption key data, and is practically unusable.
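To make the difference between the two models concrete, here is an added example (my own illustration, not code from the article or from any vault product) of the on-device, end-to-end model just described: the vault is encrypted on the device with a key stretched from the master password, only ciphertext is handed to the sync server, and the key never leaves the device. It also shows the two failure modes the passage mentions, a breached cloud copy that contains no plaintext, and a tampered blob (the man-in-the-middle case) that is rejected before decryption. A real product would use AES-GCM; to stay standard-library only, this uses PBKDF2-HMAC-SHA256 for key derivation and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a simplified stand-in. The iteration count, site names and master password are constructed assumptions.

```python
"""Added example: client-side (on-device) encrypted vault sync, simplified.
Not the code of any real password manager; AES-GCM replaced by an HMAC-based
counter-mode cipher so this runs with only the Python standard library."""
import hashlib
import hmac
import json
import os
import secrets
import string
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: a current, deliberately slow setting for SHA-256
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password once, then split into encryption and MAC keys.
    This runs only on the device; the server never sees the password or the keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)
    enc_key = hmac.new(material, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(material, b"vault-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a PRF keystream standing in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault: Dict[str, str], master_password: str) -> bytes:
    """Serialize and encrypt the vault on-device; the returned blob is all the cloud stores."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ciphertext + tag


def decrypt_vault(blob: bytes, master_password: str) -> Dict[str, str]:
    """Check the tag before touching the ciphertext; wrong password or tampering raises."""
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    body, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong master password or tampered blob")
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))
    return json.loads(plaintext)


def generate_password(length: int = 20) -> str:
    """A fresh, unique password per site, from a CSPRNG rather than a human's habits."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo_sync() -> Dict[str, bool]:
    """Walk one device -> cloud -> second device round trip and report what each party sees."""
    master = "correct horse battery staple"  # constructed example master password
    vault = {"bank.example": generate_password(), "game.example": generate_password()}
    cloud_copy = encrypt_vault(vault, master)  # the only thing the sync server ever holds
    results = {
        "distinct_passwords": vault["bank.example"] != vault["game.example"],
        # a breached data center gets neither the site names nor the passwords in clear
        "plaintext_leaked": b"bank.example" in cloud_copy or vault["bank.example"].encode() in cloud_copy,
        "second_device_restores": decrypt_vault(cloud_copy, master) == vault,
    }
    try:
        decrypt_vault(cloud_copy, "not the master password")
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    tampered = bytearray(cloud_copy)
    tampered[SALT_LEN + NONCE_LEN + 3] ^= 0x01  # flip one ciphertext bit in transit
    try:
        decrypt_vault(bytes(tampered), master)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo_sync().items():
        print(f"{check}: {outcome}")
```

Note the trade-off the previous paragraph describes: because the server holds only `salt + nonce + ciphertext + tag` and never the master password, a lost master password cannot be recovered by the vendor, which is exactly the "fail safe" convenience the server-side model buys at the cost of the vendor being trickable.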
Now, through all of this, I have continued to use terms like “practically unusable,” and the reason is that nothing, no service, no encryption, no vault, NOTHING is perfectly secure. Everything connected to any computer system anywhere, cold or not, is hackable if the criminal is motivated and funded properly. Therefore, as I mentioned above in “better than nothing,” having an active vault and management system for your passwords is essential. Even though it may not be entirely secure, having an automated method of maintaining, storing, creating, and changing strong, complex passwords allows you to actually use them more times than not, and the benefit of doing that outweighs the risk. Frankly, you are far more likely to be hacked through a weak password, or a password that you have reused so often it was easily obtained, than you ever will be through your vault system being hacked, no matter how soft it is, and this is the answer to the final question. You do need a password vault. You need a way to keep and manage all your passwords practically, and in a way that will make them easy to use, easy to change, and easy to generate.
If this information I have given today has in any way swayed you to try a password manager, my personal recommendation is LastPass, and they are NOT a sponsor. This is not a paid ad or any kind of advertisement, for that matter. I am just using what I find works best for me and sharing that info with you. There are several out there which are noteworthy, and in a future article I plan to deep dive into why I love LastPass, what I like about the other vaults I have tried, what I didn’t like about each one, and some standard features you can look for in your search for the perfect one for you. My final word to you on this matter right now is this: password managers are a very personal item, like your underwear or a sidearm. They are all different, and each one will fit you just a little differently. You will want to choose the one that suits you the best, because the one that protects your junk is not the highest rated or the most powerful; it is the one you actually choose to use on the daily.
With that said, get out there, for your family’s sake protect your stuff, be responsible and always move with purpose, and always with Kindness and Love.