Should You Store Your Passwords In The Cloud?

One of the relatively easy ways to create longer, stronger, more complex, and totally unique passwords for all your online accounts is to use a password manager.  Some of the more popular ones include RoboForm, KeePass, and LastPass (KeePass keeps its database in a local file rather than in the cloud; the other two sync it through the vendor's servers).  These tools create a unique string of gibberish for each site and fill it into the login form automatically so you don't have to type it.  Because a manager only fills a password into the site it was saved for, it also protects you from entering your password in a fake web page clone reached from some phishy scam email link: the lookalike domain doesn't match, so nothing gets filled.  All you need to work this magic is the one master password that opens the password vault.

And this is the one weakness.  If cyber-criminals or anyone else get your master password, they have access to all your online accounts.

Which brings us to the recent news (June 15th) from LastPass that their online database of customer information had been compromised.  The good news is that the stored vaults are encrypted, and LastPass stretches the master password through many rounds of key derivation before anything is stored server-side, so recovering users' site passwords from what was taken is pretty close to impossible unless the master password itself is weak enough to guess offline.  Nonetheless, LastPass is advising their users to change their master password, and if that master password is also used on any other site, to change the passwords there as well.
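To make the three points above concrete (a unique random password per site, a master password as the single secret, and key stretching that makes a leaked database hard to crack), here is an added Python example that is not from the original post and not LastPass's or any vendor's code.  It models the general structure many cloud password managers use: the client derives the vault key from the master password with PBKDF2 and sends only a further-derived login hash, the server salts and stretches that hash again before storing it, and autofill is gated on an exact host match.  The round counts, the e-mail-as-salt choice, the wordlist, and the user data are constructed assumptions; the vault encryption itself (a real product would use AES or another AEAD under the derived key) is deliberately left out so the example stays on the key-derivation point.  The `offline_crack` function shows what an attacker holding the leaked salt and hash can do with a wordlist, which is exactly why a weak master password must be changed after a breach.

```python
import hashlib
import hmac
import secrets
import string
from typing import Iterable, Optional, Tuple
from urllib.parse import urlparse

# Illustrative parameters (assumptions for this example, not any vendor's real settings).
CLIENT_ROUNDS = 5_000     # stretching done in the browser before anything is sent
SERVER_ROUNDS = 100_000   # extra stretching applied to what the server stores
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_site_password(length: int = 20) -> str:
    """A unique string of gibberish for one site, drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: master password + per-user salt (the e-mail here) -> 256-bit vault key.
    This key encrypts the vault locally and is never sent to the server."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)


def make_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra derivation over the key yields a login credential that is not the
    vault key itself, so the server never learns the key that opens the vault."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_enroll(auth_hash: bytes) -> Tuple[bytes, bytes]:
    """Server side: stretch the auth hash again with a random per-user salt.
    The (salt, stored) pair is what a breach of the server database would expose."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)


def server_verify(record: Tuple[bytes, bytes], auth_hash: bytes) -> bool:
    """Constant-time check of a presented auth hash against the stored record."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def autofill_allowed(saved_url: str, current_url: str) -> bool:
    """Fill only over https and only when the host matches the saved entry exactly.
    A lookalike host (examp1e.com, example.com.evil.net) or a downgrade to http gets nothing."""
    saved, current = urlparse(saved_url), urlparse(current_url)
    return (current.scheme == "https"
            and saved.hostname is not None
            and saved.hostname.lower() == (current.hostname or "").lower())


def offline_crack(record: Tuple[bytes, bytes], email: str,
                  wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked (salt, hash) record can do: rerun the whole
    derivation per guess.  Each guess costs CLIENT_ROUNDS + SERVER_ROUNDS PBKDF2
    iterations, which is why a guessable master password falls and a strong one does not."""
    for guess in wordlist:
        key = derive_vault_key(guess, email)
        if server_verify(record, make_auth_hash(key, guess)):
            return guess
    return None


def demo() -> dict:
    """Constructed scenario: one user with a weak master password, one with a strong one,
    and a constructed five-entry wordlist standing in for a real cracking dictionary."""
    email = "alice@example.com"
    wordlist = ["123456", "password", "letmein", "Summer2015", "password1"]
    weak = server_enroll(make_auth_hash(derive_vault_key("password1", email), "password1"))
    strong_pw = "correct horse battery staple"
    strong = server_enroll(make_auth_hash(derive_vault_key(strong_pw, email), strong_pw))
    return {
        "weak_recovered": offline_crack(weak, email, wordlist),
        "strong_recovered": offline_crack(strong, email, wordlist),
        "fills_real_site": autofill_allowed("https://www.example.com/login",
                                            "https://www.example.com/account"),
        "fills_lookalike": autofill_allowed("https://www.example.com/login",
                                            "https://www.examp1e.com/login"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the weak user's master password is recovered from the leaked record while the strong user's is not, even though both records were "encrypted" the same way: the stretching only buys time proportional to how many guesses the attacker has to make.  The host check uses an exact match for simplicity; production managers match on the registrable domain using the public suffix list, which this example does not implement.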

When I am teaching my cybersecurity course, or giving a public speech on the topic, I am often asked if I use one of these services, and which one I would recommend.  My answer is that I do not use a password service; I have a rather complicated but memorable way to deal with this issue myself.  I am reluctant to put this information into the cloud.  Frankly, I am reluctant to put any information of value in the cloud, but we are really too late to do anything about that, “ALL YOUR BASE BELONG TO US”: all my personal information is already in big hackable databases kept by retailers, medical systems, and the government.

So in my totally trivial way, I am keeping the responsibility for the security of my password trove as the last vestige of online privacy.  The database I am using is my brain.  I did find the explanation that LastPass provided on their website comforting, and if you use the service, there is a high probability you are just fine.

Here is my problem with the cloud in general.  The security is only as good as the company whose server you are on has made it.  Most companies are run by technical morons and troglodytes who can’t read their own email and may be great at reading a spreadsheet but probably can’t create one.  (I got people for that!)  Decisions are made based on cost and ROI, not customer security.  So I don’t trust them to do a good job.  Just look at what happened to the Office of Personnel Management!

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
