We are living more and more of our lives online. What used to be in-person interactions are now more likely to be virtual. Rather than going to the bank, you can deposit a check by taking a picture of it with your mobile phone (along with some magic from a specially designed mobile app from the bank). You can make investments from your browser. You can speak with a doctor via video conference for a virtual office visit from the comfort of your own home rather than spending the morning in a waiting room full of other sick people sharing their germs. You can buy that hot new gadget online and have it show up at your door a few days later.
Great stuff — and it all relies on a system of trust for verifying the identities of the various parties, typically based on our ability to enter, when prompted, a presumably “secret” password that no one else knows.
But what if you aren’t the only one who knows your password? You didn’t tell anyone what it was (please, tell me you didn’t!) and you didn’t write it down where others could read it (I know you’re smarter than that, right?). Instead, you stored it in an encrypted software password vault of some sort and gave yourself a pat on the back for this technical accomplishment.
Great! That’s what you should do. However …
… no system is perfect and that includes encrypted password stores. If you use a Mac, Keychain is a convenient choice. It makes things easier still if you have multiple Apple devices by synchronizing passwords via iCloud so that your iPhone and iPad get updated when you change a password on your MacBook.
Or you could use LastPass or 1Password, which provide similar functions across Apple and non-Apple platforms like Windows and Android. There are plenty of other similar choices too but let’s keep this discussion simple and just look at these.
Well, guess what? In the past week, stories have come to the forefront that all of these solutions are vulnerable to attack.
- Glen Fleishman of MacWorld.com does a nice job of explaining the technical details of the LastPass hack and the protections in place to deal with the risk in this article.
- Glen also covers the latest vulnerability disclosure in OS X and iOS that exposes Keychain to hacking in this article.
- 1Password makers tried to reassure their users in this blog post.
None of these revelations should come as a surprise. OK, so maybe you didn’t know the specifics, but the point is that any operational system is vulnerable. The goal should not be to eliminate all risk (although that would be nice), but rather to bring risks down to an acceptable level by mitigating the ones we can and avoiding or accepting the ones we can’t.
Quoting from the 1Password blog:
There is a saying […] “Once an attacker has broken into your computer […], it is no longer your computer.” So in principle, there is nothing that 1Password can do to protect you if your computer is compromised.
Very true. The lesson here is not that we shouldn’t use password managers; the alternative is worse. The lesson is that none of these systems is sufficient on its own to keep everything secure. That means you have to protect your system from malware by:
- not installing software from questionable sources
- not clicking on attachments that you aren’t expecting
- not using trivial passwords
- not neglecting to install patches both to the operating system and apps
- not storing passwords in the cloud but, instead, syncing across devices via a wired or secured wifi connection
Also, set up 2-factor or 2-step authentication on the systems that support it. These typically involve sending you a text message with a seemingly random code that only you will see, provided you have pre-registered your phone and keep it in your possession (and free from malware too). These systems aren’t perfect either, but they make the job of cracking your castle harder for the bad guys, and that’s a good thing for you and your online kingdom.