Should You Store Your Passwords In The Cloud?

One of the relatively easy ways to create longer, stronger, more complex, and totally unique passwords for all your online accounts is to use a password manager.  Some of the more popular ones include RoboForm, KeePass, and LastPass.  These tools generate a unique string of random gibberish for each site and fill it into the login form for you, so you never have to type it.  Because the manager only offers a saved password on the exact site it was saved for, it also protects you from typing your password into a fake web page clone reached from a phishy scam email link: the look-alike domain simply gets no autofill.  All you need to work this magic is the one master password that opens the password vault.

And this is the one weakness.  If cyber-criminals or anyone else get your master password, they have access to all your online accounts.  The same goes for anyone who obtains a copy of the encrypted vault: they can sit offline and try master-password guesses against it for as long as they like, so the strength of that one password, and of the key derivation that slows each guess, is what everything rests on.

Which brings us to the recent news (June 15th) from LastPass that their online database of customer information had been breached.  LastPass reported that the attackers took account email addresses, password reminders, per-user salts, and authentication hashes, but not the encrypted vaults.  The good news is that LastPass strengthens those authentication hashes with a random salt and many rounds of PBKDF2-SHA256, which makes recovering a strong master password from them pretty close to impossible; a weak or reused master password is another matter, since a stolen hash can be guessed against offline.  Nonetheless, LastPass is advising their users to change their master password.  And if that master password is also a password on any other site, to change the passwords there as well.
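To make the mechanics above concrete, here is a toy password vault written for this post (it is not code from LastPass, KeePass, or RoboForm).  It shows the three things the paragraphs above describe: a per-site password drawn from a cryptographically secure generator, autofill that is bound to the exact origin so a look-alike phishing domain gets nothing, and a vault at rest protected by a key derived from the master password with 100,000 rounds of PBKDF2-SHA256, so every offline guess against a stolen copy costs the attacker that much work.  It uses only the Python standard library; the HMAC-in-counter-mode stream cipher and the encrypt-then-MAC layout are stand-ins for the AES-based construction a real product would use, and the sample URLs and passwords are constructed for the example.

```python
"""Toy password vault (added example): PBKDF2 master key, origin-bound autofill,
encrypt-then-MAC at rest.  Stdlib only; the HMAC-counter keystream stands in for
a real cipher such as AES-GCM so the example runs offline.  Not vendor code."""
import hashlib
import hmac
import json
import secrets
import string
from typing import Dict, Optional
from urllib.parse import urlsplit

PBKDF2_ROUNDS = 100_000  # each offline guess at the master password pays this cost
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Unique random 'gibberish' for one site, from a CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Vault key from the one master password; salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (toy stand-in for AES)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate sub-keys: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; a wrong master password
    (or a tampered vault) raises instead of yielding garbage."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad master password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def origin(url: str) -> str:
    """Scheme + host (lowercased); autofill is keyed on this, not on the page title."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname or ''}"


class Vault:
    def __init__(self) -> None:
        self._entries: Dict[str, Dict[str, str]] = {}

    def add(self, url: str, username: str, password: Optional[str] = None) -> str:
        """Store a credential for the site's origin, generating the password if absent."""
        password = password or generate_password()
        self._entries[origin(url)] = {"username": username, "password": password}
        return password

    def fill(self, url: str) -> Optional[Dict[str, str]]:
        """Autofill only on an exact origin match; a look-alike domain returns None."""
        return self._entries.get(origin(url))

    def export(self, master_password: str) -> bytes:
        """Serialise and seal the vault: salt || sealed JSON."""
        salt = secrets.token_bytes(16)
        return salt + seal(derive_key(master_password, salt), json.dumps(self._entries).encode())

    @classmethod
    def load(cls, master_password: str, blob: bytes) -> "Vault":
        """Unseal an exported vault; raises ValueError on a wrong master password."""
        salt, sealed = blob[:16], blob[16:]
        vault = cls()
        vault._entries = json.loads(open_sealed(derive_key(master_password, salt), sealed))
        return vault


if __name__ == "__main__":
    v = Vault()
    pw = v.add("https://www.example.com/login", "alice")          # constructed sample
    print("real site:", v.fill("https://www.example.com/account"))
    print("phish site:", v.fill("https://www.example.com.evil-login.example/login"))
    blob = v.export("correct horse battery staple")
    print("reloaded ok:", Vault.load("correct horse battery staple", blob).fill(
        "https://www.example.com/")["password"] == pw)
```

Two details are worth noticing.  The phishing check lives in `origin()`: a clone hosted at `www.example.com.evil-login.example` has a different host, so `fill()` returns nothing, which is exactly the protection the text describes.  And the only secret is the master password; `PBKDF2_ROUNDS` is what turns a stolen `export()` blob from "instantly readable" into "one expensive guess at a time", which is why the advice after a breach of hashes is to change that password rather than every site password.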

When I am teaching my cybersecurity course, or giving a public speech on the topic, I am often asked if I use one of these services, and which one I would recommend.  My answer is that I do not use a password service; I have a rather complicated but memorable way to deal with this issue myself.  I am reluctant to put this information into the cloud.  Frankly, I am reluctant to put any information of value in the cloud, but we are really too late to do anything about that.  “ALL YOUR BASE ARE BELONG TO US”: all my personal information is already in big hackable databases kept by retailers, medical systems, and the government.

So in my totally trivial way, I am keeping the responsibility for the security of my password trove as the last vestige of online privacy.  The database I am using is my brain.  I did find the explanation that LastPass provided on their website comforting, and if you use the service, there is a high probability you are just fine.

Here is my problem with the cloud in general.  The security is only as good as the company whose server you are on has made it.  Most companies are run by technical morons and troglodytes who can’t read their own email and may be great at reading a spreadsheet but probably can’t create one.  (I got people for that!)  Decisions are made based on cost and ROI, not customer security.  So I don’t trust them to do a good job.  Just look at what happened to the Office of Personnel Management!

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.