Last night, Opera Software reported a security breach affecting all users of their web browser’s built in password manager. 1.7 million users had both their synchronized passwords and their authentication passwords leaked.
Opera, to their credit, appears to be acting relatively swiftly to notify their users, sending out emails to users of its sync service and posting on their security blog about it within a week of detecting the issue, but therein lies the problem. While they may have detected the attack this week, we have no way of knowing when the attack originated, or even the true extent of the attack, and neither do they. LinkedIn was hacked in 2012, and didn’t discover the full extent of it until 2016 when someone posted an extra 117 million emails and unsalted passwords online. You can only positively identify that specific files were accessed; you can’t guarantee that other files weren’t accessed. You can’t prove a negative.
If you want security, you need to act under the assumption that any and all files can be and have been accessed. You need to design your system around the idea of Defense in Depth. At an enterprise level, it’s not good enough to just have system monitoring software to detect when the intrusion happens. You need logs to discover what was accessed. You need encryption (and good encryption at that) and properly hashed and salted passwords to make it harder for the data that has been taken to be read. You need firewalls, and virus scanners, and regular security audits, and you always need more. There’s no such thing as too much security; the only real limits are cost and time.
So how do you decrease the amount of time and money that you spend to implement your security solution? How do you improve your security solution without going over budget?
By using proven solutions that have been extensively tried, tested, and improved. “Given enough eyeballs, all bugs are shallow“, and the place with the most eyeballs is the open source world. It doesn’t matter how smart you think you are; you are not going to create a better encryption or hashing system than the ones that teams of the world’s leading experts on encryption and hashing have worked together to create and improve (and you would have to spend a ridiculous amount of money to even come close). More importantly, even if you somehow do manage to create something almost as good, if you keep it closed source you would soon fall behind, as bugs are found, reported, and fixed for the open source equivalents by both independent developers, and people from the millions of companies that use the software. Some major companies even have entire teams dedicated to looking for (and reporting) bugs in other people’s software to help patch them.
In the Information Security world, there’s a saying: “Security through obscurity is no security at all.” The idea of security though obscurity has been rejected by experts for hundreds of years, and yet many companies still practice it. Even Opera in their attempt to notify their users of the breach is avoiding answering certain questions (some of which they have answered previously) that would help verify the severity of the breach. Opera is claiming that revealing “how authentication passwords on [their] systems are prepared for storage … would only help a potential attacker,” but it couldn’t be further from the truth. Revealing what encryption system is used does not help break it, as long as a secure system is used and it is properly implemented. In fact, one of Opera’s main competitors, Firefox, extensively details their password sync encryption methods specifically for the purpose of helping improve the security of it. Even worse, it appears that more was leaked than Opera was initially letting on, with comments from Opera’s representatives revealing that the browsing histories and bookmarks of users of Opera Sync may have been leaked unencrypted as well.
And therein lies the risk in trusting your passwords to a closed source service. You can’t verify what security measures they are using, you can’t verify that they are being implemented correctly, you can’t verify that they are properly monitoring for intrusions, etc. It creates a situation where you’re hoping that they did everything correctly, and have no recourse if they didn’t (and as with LinkedIn up above, you may not find out that they didn’t until many years down the line). If your password for a site leaks and you use that same password anywhere else, then your accounts on all of those sites are now compromised.
Using a closed source service also runs the risk of a formerly trustworthy company becoming a bad actor. If a company is bought by another company or is in financial distress, you may see substantial changes in their corporate culture. This could potentially lead to the company in question pushing an update to the software which could decrypt the passwords (without the user knowing), and send them in plain text to the company for uses that the user may not be pleased with. In certain circumstances, you may even see a company deploy a modified version of the application to target specific users (as the FBI recently attempted to force Apple to do).
The only software that a security researcher will typically recommend is software that has been routinely audited by multiple trustworthy third parties, and the only way to realistically achieve that is by being open source. Anyone can look at the code, find bugs, and submit patches for them (whereas with closed source software, people can only find bugs, not fix them). Thankfully, there is a fantastic offline password manager. KeePass has routine security audits, and to this date has yet to see an exploit that didn’t require full administrative access to a computer while you are logged into KeePass (which highlights the importance of Defense in Depth and protecting against things like keyloggers).
KeePass solves many of the problems associated with both closed source password managers and with not using password managers. It avoids issues associated with reusing the same password across multiple sites by allowing you to generate pseudorandom passwords unique to every site you use. It reduces the risk of weak passwords by reducing the number you have to remember down to only a couple (or even just one if you’d like). It is managed locally, removing the risk of an update being pushed without your knowledge. It can be synced across devices using whatever service you’d like (Dropbox, Google Drive, OneDrive, MEGA, etc.). It’s not the ‘be all end all’ of security, but it is an important link in the chain, and helps provide some extra peace of mind.
Do you use a password manager? Have you had bad experiences with website hacks? Let us know!