Privacy Blog

“Friends don’t let friends get spied on.” – Richard Stallman, President of the Free Software Foundation and longtime advocate of privacy in technology.

Password Manager Onelogin Hacked, Exposing Sensitive Customer Data

If you use Onelogin, you need to read the article in ZDnet at http://zd.net/2rZ1pgs.

Comment: Similar weaknesses exist in all password managers, and this is one of the reasons why I have never used a password manager. The idea of keeping all your passwords in one place simply strikes me as a very bad idea.

Any password manager automatically becomes a single point of failure. Anyone with the know-how could potentially hack into the password manager in a manner similar to what happened to Onelogin and, as a result, extract all of its data. In addition, if the password database becomes lost or corrupted, you lose everything! There are better ways to keep your passwords safe.

Some people keep all their passwords in one file or on one piece of paper. Doing so is undoubtedly worse than using a password manager. Once again, a single file or single piece of paper is a single point of failure and is easily compromised or lost.

In today’s world, memorizing all the required passwords is impossible. The myriad passwords required need to be recorded, preferably not on paper. However, the requirement of recording passwords is in itself a security weakness.

I would suggest recording passwords in SEPARATE files and encrypting each file so that only you can read it. Then distribute those files in some manner such that you can find them easily. I would never cluster all my passwords in one place and never record them in unencrypted form.

If passwords are recorded in files, never use a file name that has the word “passwords” in it. Use a file name such as HJTefs.abc or Cat’s medicine.enc or something similar. You need a name that will not attract attention from a hacker who accesses your computer remotely.

If you really want to keep all your passwords in a single place, at least store them on an encrypted flash drive, then keep backups of that flash drive stored someplace else (not on your hard drive).
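The following is an added example, not code from the original post, showing what “separate files, each encrypted so only you can read it” looks like in practice with only the Python standard library. Each note gets its own random salt and nonce, the passphrase is stretched with scrypt into separate encryption and authentication keys, and the file carries an HMAC tag so a wrong passphrase or a modified file is detected instead of silently producing garbage. The container format (the `PWNOTE1` header) and the HMAC-SHA256 counter-mode keystream are this example’s own constructions for illustration; in day-to-day use a practitioner would reach for an established tool such as GnuPG with a symmetric passphrase and a similarly inconspicuous output file name.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Illustrative container layout (assumption, not a real tool's format):
# MAGIC | salt(16) | nonce(16) | ciphertext | tag(32)
MAGIC = b"PWNOTE1"
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _derive_keys(passphrase, salt):
    """Stretch the passphrase with scrypt into independent encryption and MAC keys."""
    material = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (illustrative, not a standard cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_note(plaintext, passphrase):
    """Encrypt one note under its own fresh salt and nonce; encrypt-then-MAC."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_note(blob, passphrase):
    """Verify the tag first (constant-time), then decrypt. Raises ValueError on any failure."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an encrypted note")
    header, ciphertext, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or file has been modified")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def save_note(directory, inconspicuous_name, plaintext, passphrase):
    """Write one encrypted note under a name that does not advertise its contents."""
    path = os.path.join(directory, inconspicuous_name)
    with open(path, "wb") as fh:
        fh.write(encrypt_note(plaintext, passphrase))
    return path


def load_note(path, passphrase):
    with open(path, "rb") as fh:
        return decrypt_note(fh.read(), passphrase)


def separate_files_demo():
    """Two notes, two passphrases: the passphrase for one file opens only that file.

    Returns True when both round-trips succeed and each cross-open is rejected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample contents; names follow the post's advice.
        a = save_note(tmp, "HJTefs.abc", b"bank: example-passphrase-1", "first secret")
        b = save_note(tmp, "Cat's medicine.enc", b"email: example-passphrase-2", "second secret")
        ok = (load_note(a, "first secret") == b"bank: example-passphrase-1"
              and load_note(b, "second secret") == b"email: example-passphrase-2")
        for path, wrong in ((a, "second secret"), (b, "first secret")):
            try:
                load_note(path, wrong)
                return False          # a cross-open must never succeed
            except ValueError:
                pass
        return ok


if __name__ == "__main__":
    print("per-file isolation holds:", separate_files_demo())
```

Each file is self-describing (its salt and nonce travel with it), so the files can be scattered across drives or backups as the post suggests, and losing or corrupting one of them costs only that one note rather than everything.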

Categories: Online Privacy & Security, Software

2 replies

  1. I use KeePassX on Linux Mint, which is encrypted. I don’t enter the user names there and I just keep the title as vague as possible.


  2. Oh, when I’m traveling, I paste all the passwords that I need on protectedtext.com. Again, no user names.
