Online Security Is More Than Password Management
Recently, @Lastpass was hacked, which set off numerous debates around the blogosphere. Lastpass, Apple Keychain, Keepass, and others make storing all of your passwords simple and easy, but many detractors from this model are quick to point out that we are putting all our eggs in one basket. The incident made me take a look at my Lastpass account and ask myself, “Do I really need to store all my goodies in one safe?” In other industries, security needs are assessed, assets are sorted into classes with sensitivity labels, and each class gets its own model of trust. So, the realization arrived in my head that online security is much more than good passwords and storing those hard-to-remember passwords in the strongest safe ever.
I already have a tiered approach to online security. Some passwords remain in my head and are never stored in a vault. I use multifactor security options where they’re available. So, perhaps I’ll move some more sensitive things out of Lastpass that I really only access when sitting down at home, like tax and banking sites. Why did I put these in the cloud when I don’t need to access them from anywhere anyway?
But you know, I thought of something else. What if someone got my bank account credentials? He or she could add a new payee and send out a check. The bank only alerts via email that a payee was added. It doesn’t require verification. So, if this payee was added while I was asleep or on a cruise ship, then someone I didn’t authorize could have fun with my dough. If my email on record required an approval link before the payee became active, then the attacker would have been stopped in his or her tracks. If my bank used my PGP key for emails, like Facebook does, I would have another level of protection. I use multifactor on my bank email account, too, so I try to put up as many hurdles to accessing my accounts as I can.
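As an added illustration (not code from the original post or from any bank), here is how the approval-link step described above could work on the server side: a new payee is staged as pending, a random token goes out in the email, only the token's hash is stored, and the payee becomes payable only after the link is followed while the token is still unused and unexpired. The function and variable names are my own assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # an emailed approval link stays valid for 15 minutes

pending = {}          # sha256(token) -> record of the staged change (in-memory for the demo)
approved_payees = {}  # user -> set of payees that may actually receive payments


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_add_payee(user, payee, now=None):
    """Stage the change and return the secret token to embed in the emailed link.

    Only the token's hash is stored server-side, so a leaked database does not
    hand an attacker usable approval links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    pending[_digest(token)] = {"user": user, "payee": payee, "issued": now, "used": False}
    return token


def approve_payee(token, now=None):
    """Called when the user follows the link from their email on record.

    Returns True only if the token is known, unused and unexpired; the payee
    becomes payable only then. A credential thief who cannot read the mailbox
    never gets past this step.
    """
    now = time.time() if now is None else now
    rec = pending.get(_digest(token))
    if rec is None or rec["used"]:
        return False
    if now - rec["issued"] > TOKEN_TTL:
        return False
    rec["used"] = True          # single use: the same link cannot be replayed
    approved_payees.setdefault(rec["user"], set()).add(rec["payee"])
    return True


def can_pay(user, payee):
    """The payment path checks approval: a payee added but never confirmed cannot be paid."""
    return payee in approved_payees.get(user, set())
```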
So, the Lastpass hack really didn’t make me think about Lastpass so much as it made me question how hard the businesses I use are really trying to protect me. My credit card issuer offers a picture as part of the login challenge, but it is always the correct picture. I know this because I can’t remember the picture I chose anyway and I always hit “Yes, this is my challenge picture,” and it lets me in. A challenge the user always accepts without checking is no challenge at all. So, I might have numerous places where I offer an attacker multiple obstacles, but many companies I do business with don’t. Should they get the login and password, the game’s over.
I think the industry can do a lot more than just store our passwords in the toughest safe and call it a day, and I am not convinced many are doing online security well even though they appear to at first glance. There are simple options that can be employed to ensure that steps like paying out to a new payee are strongly verified. Let’s not look to our password manager as our security saviour, and let’s lean on our business partners to ask, “Can we offer strong security even if an attacker has the login and password?”