Why I use a password manager

The wind howled on a cold evening. The only thing missing was the crackle of lightning to foreshadow the impending ominous news.


Another website had suffered a breach. Emails, passwords and some other details stolen. It was becoming a regular occurrence, except this time it was different.

My details were amongst the ones breached. The email notification I received read like any other post-breach press release: an apology, a claim that they took security seriously, and a suggestion that I would be wise to change my password on other services.

It got me thinking whether I’d used the same password anywhere else. I spent 2 hours trying to list all the websites I’d ever registered for. I came to the conclusion that I had no idea how many websites or services I’d registered for. Even if I did, I’d not be able to remember if I’d reused my passwords or variations of them.

It wasn’t quite end of days, but I thought it was about time I cleaned up and organised my online presence. So I invested in a password manager. Now I have unique and strong passwords for every website I’ve registered for.

But the story doesn’t end there.

A few months later, I received another breach notification. Except this time it really was different.

In a sequel of epic proportions, the password manager I was using had been breached. Of course I felt guilty for using a ‘cloud-based’ password manager. But the lure of synchronisation between all my devices had been too great to resist. Plus I am too lazy to manually synchronise passwords between devices in a secure manner.

In reality, it’s still harder to break a password manager than having one password to access all the websites you use.

One of the underlying problems lies in how passwords are the cornerstone of authentication. Two-factor and two-step authentication are becoming more commonplace (including for password managers), so they should be used wherever possible.

Nothing is going to be 100% secure. So it’s often better to ask yourself whether a particular security measure is ‘good enough’. For the majority of people, I’d suggest that a reputable password manager, with two-factor authentication enabled wherever possible, constitutes ‘good enough’.

Yeah, I know – that’s a more disappointing conclusion than the Matrix trilogy.

Edit: I said that some password managers can use 2FA. According to Paul Moore, who is extremely knowledgeable in these matters, this is not the case in the truest sense, in particular when it relates to using a YubiKey. From a risk perspective I feel this is an important point to note, particularly for enterprise customers. For consumers and the masses, even using a password manager alone will likely put you in a better position than most.
