Cloud Based Password Manager Hacked

OneLogin, a cloud-based password manager, revealed that it had suffered an unauthorized intrusion on June 1st. While breaches happen constantly, even at security companies, this one pushed me to outline the pitfalls of password managers.

Password managers have been around for years and are heavily used for their convenience. It is important to remember how they work. In short, they are a small group of encrypted hashes, kept either in a database or in a set of registry keys, that are protected only by a single password.

Some corporations have moved to syncing their Active Directory credentials with services such as OneLogin so that their users only have to change and remember one set of credentials across a varied ecosystem of cloud-based applications. Convenience often comes at the price of security.

The most common password managers, such as those built into Firefox and Google Chrome, are convenient, but even they have pitfalls. Browser password managers are synced across multiple devices and are therefore only as secure as the weakest of those devices. Furthermore, the hashes are stored in each company's cloud, making them susceptible to a breach there as well.

While I don't expect everyone to quit using password managers, I encourage you to consider choosing one that mitigates some of these security flaws. Most notably, the top feature to look for in a password manager is two-factor authentication. Whether it is a biometric scan or an integration with a mobile security app, two-factor authentication makes it much more difficult for an intruder to harvest all your passwords via a single password.

A list of a few password managers to consider:

  • LastPass: Can implement two-factor authentication through USB devices, Google Authenticator and others. It makes you audit your passwords. You can choose to store your passwords online or locally only. Supported on nearly every platform.
  • KeePass: Open source, integrates directly with many sites and services, pushes unique, strong passwords. Local, but can be exported; can protect the database through multiple password layers.
  • 1Password: Suggests strong passwords when creating and changing your password, can separate your passwords into different vaults. An easy piece of software to use.
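To make the "protected only by a single password" point concrete, here is an added example (my own illustration, not code from OneLogin, LastPass, KeePass or 1Password, and not any real vault format): a toy vault whose encryption key is derived from the master password with PBKDF2, so whoever knows that one password can open everything. It then shows the KeePass-style "multiple layers" idea of mixing a locally held key file into the key, so the password alone no longer unlocks the vault. The vault layout, the entry names and the key file contents are constructed for the demo; the keystream-plus-HMAC construction stands in for a real AEAD cipher only because the standard library has none.

```python
import hashlib
import hmac
import json
import secrets

# Constructed vault layout for illustration (not any product's real format):
#   salt (16 bytes) || nonce (16 bytes) || ciphertext || HMAC tag (32 bytes)
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 200_000  # slows down offline guessing of the master password


def derive_vault_key(master_password: str, salt: bytes, key_file: bytes = b"") -> bytes:
    """Derive the 32-byte vault key from the master password with PBKDF2-HMAC-SHA256.

    With no key file, the master password is the only secret: whoever knows it
    can derive the key. With a key file (a second, locally held secret), its hash
    is mixed into the KDF input, so the password on its own is not enough.
    """
    secret = master_password.encode()
    if key_file:
        secret += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS, dklen=32)


def _subkeys(vault_key: bytes):
    """Split the vault key into separate encryption and MAC keys."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 as the PRF (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries: dict, master_password: str, key_file: bytes = b"") -> bytes:
    """Encrypt the entries (encrypt-then-MAC) under a key derived from the password [+ key file]."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _subkeys(derive_vault_key(master_password, salt, key_file))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(blob: bytes, master_password: str, key_file: bytes = b""):
    """Return the entries, or None if the password/key file is wrong or the blob was tampered with."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(derive_vault_key(master_password, salt, key_file))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Check the tag before decrypting; a wrong key or a modified blob fails here.
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


if __name__ == "__main__":
    # Constructed sample entries; nothing here is a real credential.
    entries = {"mail.example.test": "constructed-pass-1", "vpn.example.test": "constructed-pass-2"}

    single = seal_vault(entries, "correct horse battery staple")
    print("password-only vault, right password :", open_vault(single, "correct horse battery staple"))
    print("password-only vault, wrong password :", open_vault(single, "guess"))

    key_file = b"constructed key file contents"  # the second, locally held secret
    layered = seal_vault(entries, "correct horse battery staple", key_file)
    print("layered vault, password alone       :", open_vault(layered, "correct horse battery staple"))
    print("layered vault, password + key file  :", open_vault(layered, "correct horse battery staple", key_file))
```

The first vault shows the pitfall from the post: every entry falls to one master password, and nothing on disk helps once that password is known. The second shows why a key file or similar local factor helps against a leaked or guessed master password. Note that this is a different mechanism from the two-factor login offered by cloud services such as LastPass, which protects access to the synced copy rather than the encryption key itself; both are worth having.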