This week, a password security company announced that it had been the victim of what they described as a “network compromise” by an unknown intruder. In other words, the company had been hacked.
This event has created a frenzy of speculation in the press.
The nature of this data breach is unique in that it exposed master passwords and customer data used to gain access to a multitude of user passwords that the security company manages.
You see, the company specialises in providing password management services to alleviate the need for remembering countless passwords for both business and personal app use.
Having to remember all types of ever-increasing complex passwords just to conduct your daily affairs is a real problem for many people today.
So, this particular company offers its customers a cloud-based vault to store all of their passwords and automatically link to the appropriate app to expedite login. This is a great solution to a major information security headache.
However, as this week’s announcement demonstrated, there is a serious downside. While the password security company could safely say that all the passwords stored in its vault were safe, it could not say the same for the master passwords used to access the vault by each customer.
Evidently, the hackers gained access to the master passwords as well as other customer identifying data. The company’s suggested resolution to the problem is to have each customer change their master password. This is not a very comforting message for the customers impacted.
Security solutions like these have the very real potential to create major risks in our new digital world. So, how can situations like this be avoided?
A great way to start is to first understand the potential risks of a digital solution through the lens of its analog equivalent. In this case, the analog equivalent is the use of the traditional safety deposit box within a physical bank vault.
Keys to each box are provided to each customer and the bank has a key. Both keys must be used to access the contents of the box.
This analog approach is similar to using multi-factor authentication. Two keys are required to access the vault – the master password (customer safety deposit box key) and a code generated by a third-party app (bank key).
While the password security company does offer multi-factor authentication, it is not required for use by its customers. After this week’s announcement, that may be a decision they reconsider.
By John A. Wheeler - Research Analyst, Gartner