What’s the correct attitude to have when you know everyone is out to get you? Paranoia. Uh huh. That paranoia. When everyone wants what you have, a little paranoia might help you get through the day.
We’re talking passwords. They’re not safe anywhere or on any device. If someone wants your password they can get it. Threat of death works. So does hacking. The latter is on the increase, and the latest to feel the wrath of doing passwords wrong is OneLogin, the identity and password service which claims the following:
Secure Access for Every User, Every App, Every Device
OK, we know that’s not completely true, but it’s close enough. They’re talking relative security, most users, and major devices for the masses; not Pentagon stuff.
OneLogin is much like a number of these online and app password managers which give you access to your personal login IDs, usernames, and passwords on just about any device worth using.
OneLogin simplifies Identity and Access Management (IAM) for a more efficient, secure enterprise, delivering an identity management software solution in the cloud trusted by thousands of customers
Uh huh. Sure. Secure? Except for all the unauthorized accesses made by hackers.
How about these headlines from The Register?
Identity management outfit OneLogin sugar coats impact of attack
Sugar coating? That doesn’t sound so sweet.
Blog reveals breach. Email warns of data compromise. Support page says crypto at risk
Oh boy. Is nothing safe anywhere? No. That’s the problem. Here’s what OneLogin’s customers have to do.
- Force a OneLogin directory password reset for your users;
- Generate new certificates for your apps that use SAML SSO;
- Generate new API credentials and OAuth tokens;
- Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors;
- Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite (Google), Workday, Namely, and UltiPro;
- Generate and apply new Desktop SSO tokens;
- Recycle any secrets stored in Secure Notes;
- Update the credentials you use to authenticate to third-party apps for provisioning;
- Update the admin-configured login credentials for apps that use form-based authentication;
- Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps;
- Replace your RADIUS shared secrets.
Maybe there should be a Step 12: Do not use OneLogin again. Don’t use any so-called secure system that holds your private data in a form it can decrypt, because whoever breaks into that system can decrypt it too. That alone is mind-boggling.
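The complaint above is about a design property, so here is an added example (not OneLogin’s code, and not from the original post) of what a vault looks like when the service cannot decrypt what it stores: the keys are derived on the client from the master password with PBKDF2, and the server holds only a salt, a nonce, a ciphertext and an authentication tag. The cipher construction (HMAC-SHA256 run in counter mode as a keystream, with an encrypt-then-MAC tag) and the iteration count are assumptions chosen so the example runs on the Python standard library alone; a real product should use AES-GCM or XChaCha20-Poly1305 from a vetted library.

```python
"""Client-side ("zero-knowledge") secure notes. Added illustration, not
OneLogin's code.  The cipher below is an assumption made only because the
standard library has no AES; use AES-GCM / XChaCha20-Poly1305 in production."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 count; assumed, tune to hardware


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into independent encryption and MAC keys.
    This runs on the client only; the server never sees the password or keys."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, KDF_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_note(master_password: str, plaintext: bytes) -> Dict[str, bytes]:
    """Runs on the client. The returned record is everything the server stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so neither can be
    # altered by someone who holds the server-side record.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_note(master_password: str,
                 record: Dict[str, bytes]) -> Optional[bytes]:
    """Returns the note, or None when the password is wrong or the record was
    tampered with. The MAC is checked before any ciphertext is processed."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    ks = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(c ^ k for c, k in zip(record["ciphertext"], ks))


if __name__ == "__main__":
    # Constructed sample note; nothing here is a real secret.
    note = b"RADIUS shared secret for the lab VPN: s3cr3t-sample"
    record = encrypt_note("correct horse battery staple", note)
    # An attacker who steals the record holds only these four opaque fields.
    print("server-side record fields:", sorted(record))
    print("right password:", decrypt_note("correct horse battery staple", record))
    print("wrong password:", decrypt_note("Correct Horse Battery Staple", record))
```

Whether a given manager actually works this way is a question to put to the vendor: if a support page has to warn that encrypted data is at risk after the vendor’s own infrastructure was breached, the keys were not living only on the client.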
The problem here has more than one part. Too much trust in a single password management and login system is one. I understand the need for security must be matched up with convenience. I’ve used 1Password for years because of that, but I’ve had second thoughts about putting all my username and password information into a single app, and a single system, and certainly not into one that is well known and a likely target for hackers.
In addition to the macOS and iOS Keychain, and 1Password, I’ve added LastPass, EnPass, SafeInCloud, and a couple of others on a test basis, and spread my valuable information across each one, and each one with a different password to gain entry.
Yes, it’s less convenient. But, yes, it’s more secure because nothing is absolutely safe anywhere, so a multi-pronged approach seems logical to spread the risk. We should understand up front that passwords are not actually safe regardless of where they are, but risk can be mitigated, even with Mac, iPhone, and iPad, by spreading the love.