OneLogin and Password Managers
An interesting incident this last week brings password managers back to the front of the pile—
OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data. —Krebs on Security
I used to use LastPass, but moved off of their product/service when LogMeIn bought them—my previous encounters with LogMeIn have all been negative, and I have no intention of using their service again in any form. During that move, I decided it was important to make another decision about the tradeoff between an online (cloud-based) password manager and one that keeps information in a local file. The key problem with cloud-based services of this kind is that they paint a huge target on your passwords. The counter argument is that such cloud-based services are more likely to protect your passwords than you are, because they focus their time and energy on doing so.
First lesson: moving to a cloud-based application does not have to mean the cloud provider knows what you are storing, or how to access it. In some situations, storing the data in the cloud while keeping the data format and the encryption (and its keys) somewhere else, under your own control, is a good way to build in more layers of security.
I settled on a compromise—a password manager that stores the file in a cloud storage service, specifically Enpass. This still isn’t the perfect solution, of course—one thing I need to do is move my password file to a more secure cloud storage solution, something I am still thinking through. The biggest issue here is answering the question: how often do I really use my password vault on mobile devices? I am finding the answer is not very often. Further, I still refuse to install any of the browser extensions that will “autofill” anything. It only takes a second to copy/paste the needed fields.
Second lesson: convenience is nice, but you always give up something for convenience. In other words, everything is a tradeoff. If you haven’t found the tradeoff, you simply have not looked hard enough. There are many times when the convenience added is simply not worth the additional risks—but we rarely think in these terms.
I’ve been using keepass for a long while (keepass.info).
It has a mobile app, and a desktop app.
It links into the OS for username and password entry. So, it doesn’t require browser plugins. As a bonus it works for things other than websites.
Synchronisation between devices? Since keepass doesn’t force me to use its file sync, I can solve it with a sync solution of choice. Either a cloud service, rsync, or in a pinch email.
And since it’s just a file, no-one has to know what it is. Amongst the thousands of other items I’m syncing, it’s hard to identify. A needle in my own haystack.
Just a very happy user.