Cloud-based password managers: a threat?
Introduction
If you’ve read our article about strong passwords and adopted this good habit to make your accounts as secure as possible, you’ll soon be faced with the question of how to store your passwords.
While it’s easy to remember weak passwords such as “12345”, it’s almost impossible to remember all the strong passwords you use. Especially if – and this is the right thing to do – you decide to use a different one for each of your accounts.
In that case, you’ll be looking for ways to save your secret codes and access them quickly from anywhere.
Saving them in plain text in a notebook is not only insecure, it is also unsuitable for use on the move, and we are increasingly being asked to log in from our cell phones.
This trend has prompted most people to adopt a password manager.
Password managers
For reasons of convenience and security, we don’t recommend using your browser’s built-in password manager. It’s much more practical to store your secret codes in a solution that lets you access them from anywhere, without depending on a particular browser. What’s more, keep in mind that a web browser is not among the most secure software installed on your machine.
To meet this need, there are a number of password manager solutions that offer to store your secrets in the cloud. So you can access them from all your devices, wherever you are in the world. It’s always safer to use applications dedicated to a particular function, so you can benefit from maximum security, even if this sometimes comes at the expense of user comfort. That said, copying and pasting a password from a password manager is not an insurmountable constraint either.
But are these solutions, practical as they are, really secure?
Password managers can be risky
As we shall see, not so much. That is why we emphasize the practice of personal password management, a notion we have already touched on in this other article.
The most talked-about company in this field is undoubtedly LastPass. It lets you store a large number of secrets, share them, and access them from anywhere in the world, synchronized between your devices. The company even offers a family package, so that every member of your household can benefit from their own secure safe for their logins and other secrets.
Problem: for a company whose core business should be the security of the data entrusted to it, LastPass has suffered several major breaches, so we strongly advise against using its services today.
In the latest attack, a very large amount of data (both encrypted and unencrypted) was stolen. Although the encrypted data (the contents of each user’s digital safe) cannot be read by the attackers directly, they have every incentive to try to brute-force the user’s master password (the key to the safe) offline, which is why the strength of that master password is the only thing still protecting the stolen vaults. This major data leak was made possible by the compromise of a LastPass developer’s personal computer, on which vulnerable software was installed. That flaw enabled the attackers to install a keylogger and gain access to cloud storage reserved for a handful of LastPass employees.
Needless to say, even if the data harvested is not immediately usable by the hackers, many users must have broken out in a cold sweat when they read the company’s official report on the attack.
In reality, using these password managers always carries some risk, since you have to place sufficient trust in the storage methods and internal security of the company offering the solution.
What’s more, the interconnection of such software with your phone also poses a problem. A number of researchers have warned of the risks associated with a flaw dubbed AutoSpill in Android’s autofill function, which could lead to your credentials being captured by a third party. The flaw affected a number of popular password management programs, including LastPass (again), Dashlane, 1Password, Enpass and Keepass2Android.
The solution: apply self-custody to your passwords and use SeedKeeper
This being the case, the only real way to keep control of your passwords is to store and manage them yourself.
That’s what we propose with SeedKeeper. Keep your secrets in a dedicated, secure device, and in offline storage that makes your data far less vulnerable to most standard attacks.
SeedKeeper is a PIN-protected physical device that encrypts all your data on a secure element. Your passwords therefore benefit from the same level of security as the keys of your crypto wallets when you use a hardware wallet with recognized security, such as Satochip.
You can store several hundred passwords in your SeedKeeper. You can also save your most important secrets, whether seed phrases from your crypto wallets or any other important data in text format.
So you’re always in control of your data and your secrets. SeedKeeper’s code is open-source, so you can always consult it transparently.
With SeedKeeper, you’re back in control of your secrets.