Monday, June 22, 2015

How secure are password managers?

I have been wondering when this would happen.



By Dave Johnson MoneyWatch June 22, 2015

Conventional wisdom says that online security is built on several key ingredients, such as an overall awareness (like being savvy about phishing schemes), using strong passwords, and creating unique passwords that are never reused from one site or service to another. Since most people need to log in to dozens of different accounts, the uniqueness requirement virtually mandates a reliance on password managers -- programs like LastPass, Roboform, and Dashlane. These programs securely store all of your passwords in one place, and grant access to all of your sites and services with a single master password.

But what happens if your master password is compromised? Then you haven't just suffered a potential breach for one account -- you've lost the keys to your digital kingdom.

Such a nightmare scenario was brought to mind recently when popular password manager LastPass was hacked last week. In the wake of suspicious activity on its servers, LastPass said that email addresses, password reminders and other security information was exposed.

But not all hacks are equal, and LastPass insists that no data was seriously compromised. Because passwords managed by LastPass are so heavily encrypted, the company insists that no passwords were stolen. Unless users used simple master passwords, it's unlikely that hackers would be able to crack passwords after the fact (Even then, an encryption technique used by LastPass called "slow hashing" should generally make it impossible for hackers to crack the passwords. That said, users of the user are being prompted to change their passwords as a precaution.

Obviously, any server can be hacked, so how much can you trust a password manager? At the very least, much more than any DIY password management strategy.

Emmanuel Schalit, CEO of Dashlane, stands behind password managers. "Sometimes, it's better to put all your eggs in the same basket if that basket is more secure than the one you would be able to build on your own," he said.

Schalit points out that users' actual passwords are not stored on Dashlane servers, so even in the event of a hack like the one that hit competitor LastPass, there are no passwords to be stolen - at least not directly. Even if hackers manager to steal data from the server of a service like LastPass or DashLane, experts agree that your passwords are still quite safe, buried under many, many layers of encryption.

So what lesson should you take from LastPass's incident? In a nutshell, this: The hack proved the general trustworthiness of password managers, since despite the hack no passwords were compromised.
[This time.]

•••••

No comments:

Post a Comment