Nowadays, people have to keep track of a huge number of passwords. For those passwords to be truly secure, they need to be long and random enough that they cannot realistically be memorized. Furthermore, it is essential that those randomized passwords – mixing upper and lower case letters, numbers, and symbols – be different for every single account.
Reusing a password across accounts means that if it is compromised in one place, every other account that shares it can also be taken over. At a time when attackers routinely sell stolen credential databases on criminal markets, the need for strong, complex, and unique passwords has never been greater.
One popular solution to this problem is a password manager, which gives people access to all their unique, strong passwords in one place, protected by a single master password. The result is that a person (or a business) can control many passwords while only having to remember one strong one.
In theory, this is a fantastic way of protecting multiple accounts with strong passwords that would otherwise be impossible to remember. The problem is that if someone manages to compromise the password manager, they get everything.
It is for this reason that security experts have long warned of the risk a password manager concentrates, likening it to keeping all your eggs in one basket. This is particularly true of cloud-based solutions, where the basket sits on someone else's server.
Worst Case Scenario
For hackers, getting access to a treasure trove of passwords is the equivalent of having hacked multiple accounts in one go. For this reason, password managers have long been considered an immensely attractive target for cybercriminals.
Now those concerns have been borne out by news that OneLogin, a popular cloud-based single sign-on and password management service for apps and online accounts, has suffered a serious breach. The firm is based in San Francisco.
Last Wednesday the company admitted that it suffered a hack that put the passwords of its customers, including some 2,000 businesses, at risk. In an email sent to its subscribers, OneLogin said the following:
“OneLogin believes that all customers served by our US data center are affected and customer data was potentially compromised.”
In addition, the firm announced that, although it did not know for sure, the attacker may not only have accessed customer data but also have obtained the ability to decrypt encrypted data, which would reveal customers’ passwords.
A blog post made by the firm’s chief information security officer, Alvaro Hoyos, read as follows,
“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.
While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.”
Among those affected is Elon University, a private university in North Carolina. On Saturday the university emailed all of its students warning them to change their passwords after it emerged that 1,500 accounts may have been affected by the OneLogin breach.
Students were given until 1 pm EST to change their passwords or be locked out of their accounts. According to the university, the OneLogin breach affected authentication between Elon students and the Syncplicity backup service that the university uses.
According to the email, although passwords had been compromised, no evidence had surfaced that data stored on Syncplicity had been accessed.
It has also been reported that OneLogin is used to sign in to services such as Microsoft Office 365, Google Analytics, LinkedIn, and Slack. As such, anyone who logs in to those services through OneLogin (particularly in the US) may want to update their passwords.
According to a spokesperson for OneLogin, the firm is trying to “verify the extent of the impact of this incident.” In addition OneLogin has come forward with the following information:
“Our review has shown that a threat actor obtained access to a set of [Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US.”
According to the statement, the firm noticed unusual activity approximately seven hours after the original breach is believed to have occurred. At that time it “shut down the affected instance as well as the AWS keys that were used to create it”.
However OneLogin has confirmed that the hacker “was able to access database tables that contain information about users, apps, and various types of keys,” during the time that they were inside OneLogin’s systems.
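The pattern OneLogin describes – a set of AWS keys used to call the AWS API from a host at another provider and to create an instance – is exactly what CloudTrail logging is meant to surface, and a detection on it is the difference between seven hours of dwell time and a few minutes. The following is an added example, not OneLogin’s code or its logs: a small Python detector run over constructed CloudTrail-style events. The trusted address ranges, key IDs, event times and the `HIGH_RISK_ACTIONS` list are assumptions made up for illustration.

```python
"""Flag use of long-lived AWS access keys from outside known infrastructure.

Added example, not OneLogin's code or logs. The events below are constructed
CloudTrail-style records that mimic the pattern described in the article: an
IAM user's access key (the AKIA... kind that never expires) suddenly used from
an address outside the organisation to call the AWS API and launch an instance.
"""
import ipaddress

# Constructed: address ranges the hypothetical organisation controls.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),  # office / VPN egress
    ipaddress.ip_network("10.0.0.0/8"),      # traffic originating inside the VPC
]

# Calls that give an intruder a foothold or persistence; flagged even for temporary keys.
HIGH_RISK_ACTIONS = {"RunInstances", "CreateAccessKey", "CreateUser", "AttachUserPolicy"}


def _event(time, name, ip, identity_type, key_id):
    """Build a trimmed CloudTrail-shaped record (only the fields the checks use)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": identity_type, "accessKeyId": key_id}}


# Constructed sample events: a normal call from the office, then the same key
# reused from an outside host to launch an instance and look at databases, then a
# legitimate in-VPC launch using a temporary (ASIA...) role credential.
SAMPLE_EVENTS = [
    _event("2017-05-31T02:00:00Z", "DescribeInstances",   "203.0.113.10",  "IAMUser",     "AKIAEXAMPLE000001"),
    _event("2017-05-31T02:14:00Z", "RunInstances",        "198.51.100.77", "IAMUser",     "AKIAEXAMPLE000001"),
    _event("2017-05-31T02:15:00Z", "DescribeDBInstances", "198.51.100.77", "IAMUser",     "AKIAEXAMPLE000001"),
    _event("2017-05-31T03:00:00Z", "RunInstances",        "10.0.4.12",     "AssumedRole", "ASIAEXAMPLE000002"),
]


def is_trusted(source):
    """True if the call came from a trusted network.

    CloudTrail's sourceIPAddress can also be an AWS service principal such as
    'ec2.amazonaws.com'; those are not subject to the network check.
    """
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_suspicious(events):
    """Return one finding per event that uses a long-lived key or a high-risk call
    from outside the trusted networks."""
    findings = []
    for ev in events:
        if is_trusted(ev["sourceIPAddress"]):
            continue
        key_id = ev["userIdentity"].get("accessKeyId", "")
        reasons = []
        if key_id.startswith("AKIA"):
            reasons.append("long-lived IAM user key used from an untrusted network")
        if ev["eventName"] in HIGH_RISK_ACTIONS:
            reasons.append(f"high-risk call {ev['eventName']} from an untrusted network")
        if reasons:
            findings.append({"time": ev["eventTime"], "key": key_id,
                             "ip": ev["sourceIPAddress"], "reasons": reasons})
    return findings


def keys_to_rotate(findings):
    """The access keys that must be disabled and reissued, whatever else is found."""
    return {f["key"] for f in findings}


def first_alert_time(findings):
    """When an alert on this rule would first have fired (ISO timestamps sort lexically)."""
    return min((f["time"] for f in findings), default=None)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_EVENTS)
    for f in found:
        print(f["time"], f["ip"], f["key"], "; ".join(f["reasons"]))
    print("rotate:", sorted(keys_to_rotate(found)), "first alert:", first_alert_time(found))
```

Run stand-alone, the two calls from 198.51.100.77 are flagged and the legitimate in-VPC launch is not. The rotation step on a real incident is not only disabling the key but also checking what the key created (the intermediate instance in OneLogin’s account was itself built with the stolen key), which is why the finding keeps the call name alongside the key.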
What to do if you have been affected
So far, OneLogin hasn’t revealed any information about how many people might have been affected by the cyberattack. However, the company has urged its users to take a few steps in order to protect themselves:
- Customers need to change their passwords.
- Customers need to generate new API keys for their services.
- New OAuth tokens (used for logging into accounts) must also be generated, and security certificates should be reissued.
The firm has also revealed that information stored in its Secure Notes feature (which also suffered a hack last August) – used by IT administrators to store sensitive network passwords – may have also been decrypted.
Financial fraud analyst at Gartner, Avivah Litan, has come forward to reinforce the dangers of using online password managers like OneLogin. “It’s just such a massive single point of failure,” the expert commented before adding,
“This breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”
On its website, OneLogin says that a large number of well known multinational corporations such as ARM, Dun & Bradstreet, The Carlyle Group, Conde Nast, and Dropbox are all customers. With that in mind – and considering the number of passwords that might have been affected – this is definitely one of the most sensitive cyberattacks we have seen this year.
Online VS Offline Password Managers
While online password managers can be considered more convenient, the drawback is that passwords are stored on a server that is reachable over the internet. As this hack demonstrates, if attackers gain access to that database they gain access to huge numbers of passwords in one go.
Here at BestVPN.com we tend to recommend tools such as KeePass, which keep the password database encrypted end to end: it is encrypted and decrypted only on your own device, with a key derived from your master password (and, optionally, a key file). These do require more setup, because the software must be downloaded and installed locally. However, the encrypted database file can then be kept on a sync service such as Dropbox, so it is still possible to access passwords when away from home (using the master password), while the sync service only ever holds ciphertext it cannot read.
This massively reduces the risk of the passwords being stolen in bulk from a server. It also solves the problem with purely offline password management, which isn't available away from your own computer (unless you also carry the database on a USB stick, which brings its own problems, such as losing it, not being allowed to use it on public computers, and syncing conflicts).
Sadly, despite being the best solution, password managers with end to end encryption are still the rarest kind. This is because users need to remember a master password, and if they forget it (or lose the key file) they are locked out of all their passwords, with no provider able to reset it for them. Because many people find it hard to remember a strong master password this often becomes a problem, and it deters password management firms (like OneLogin) from adopting this much more secure design.
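The design sketched in the last few paragraphs – a database that only ever leaves the device as ciphertext, unlocked locally from a master password, with no recovery if that password is forgotten – is small enough to show in full. What follows is an added example, not KeePass code or anything from the original article. The cipher is a stand-in (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) chosen so the example runs on the Python standard library alone; a real vault uses AES or ChaCha20 in an authenticated mode and a memory-hard KDF such as Argon2. The sample entries, master passphrase and PBKDF2 round count are illustrative assumptions.

```python
"""Minimal end-to-end encrypted vault: the sync service only ever sees ciphertext.

Added example, not KeePass or OneLogin code. The cipher here is a demonstration
stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) so the example runs with the
standard library alone; use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305
in anything real.
"""
import hashlib
import hmac
import json
import os

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 200_000  # illustrative; a real vault uses Argon2/scrypt tuned to ~1 s


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys.

    The slow KDF is what makes a stolen vault file expensive to brute force.
    """
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC used as a PRF (demo only, see module docstring)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_password, entries):
    """Encrypt the vault on the client. The returned blob is what gets synced to Dropbox."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(master_password, blob):
    """Decrypt on the client. The tag is checked first, so a wrong password yields nothing."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode())


def unlock_or_none(master_password, blob):
    """What a forgotten master password looks like: there is no recovery path."""
    try:
        return open_vault(master_password, blob)
    except ValueError:
        return None


def leaks_plaintext(blob, entries):
    """What a breached sync server could learn: does any stored secret appear verbatim?"""
    return any(secret.encode() in blob for secret in entries.values())


if __name__ == "__main__":
    # Constructed sample entries; never hardcode real credentials.
    entries = {"mail": "correct horse battery staple", "bank": "Xq7!vR2#plm9"}
    passphrase = "a long, memorable master passphrase"
    blob = seal(passphrase, entries)
    print("server-side view leaks a password:", leaks_plaintext(blob, entries))
    print("unlock with wrong password:", unlock_or_none("guess", blob))
    print("unlock with right password:", open_vault(passphrase, blob))
```

The point of the exercise is the trust boundary, not the cipher: `seal` and `open_vault` run only on the client, the salt and nonce are random per save, and the file that lands on the sync service contains no key material. The flip side the text describes is also visible: `unlock_or_none` with the wrong passphrase returns nothing, and no server operator can do better than that, because the server never had the key.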
Finally, there is always something to be said for keeping a well stocked book shelf. Having a bookshelf doesn’t just make you look well read when you have a dinner party, but it also allows you to pull out a random book, open it to page 93, and write down all your passwords and usernames.
This might not be ideal for people living in shared accommodation, and may not suit those with a jealous lover. However, for many people it is a solid solution that removes any chance of a remote attacker making off with your passwords. In addition, consumers are advised that wherever possible they should enable two-factor authentication, so that a stolen password alone is not enough to log in.
Opinions are the writer’s own.
Title image credit: Pressmaster/Shutterstock.com
Image credits: BeeBright/Shutterstock.com, faithie/Shutterstock.com