Even password managers get compromised
While I try to keep my bulletins to you at the once-a-week level, when major computer security issues arise I will contact you, as I am doing now. If the mainstream or sensational side of the tech media jump on the bandwagon, I want to be that comforting hand on your back telling you a) it’s really ok or b) this is serious and what you need to do next.
I am going to fall somewhere between A and B on these two key issues. I think the issues concerning Last Pass and passwords stored on Apple’s devices are significant, but I do not think you should unplug from the Internet and stop using your devices for two weeks either. Like any good teacher would, I am going to provide resources for additional reading for each of the topics I address should you like to go further. #1 below could apply to Windows and Mac users and #2 will primarily apply to Mac users.
1) Last Pass: If you have paid attention to my e-mails on password security over the past year and a half, you’ll know that Last Pass is one of the three professional password managers that I recommend. The other two are 1Password and Dashlane. I personally use both Last Pass and 1Password on a daily basis (for most people one is plenty). While Apple’s Safari, Firefox and Google Chrome have password managers and some of you use them, this option is sort of like Splenda compared to aspartame. They are ok, but not great. They are better than keeping your passwords on paper or in a Word document, for sure.
Last Pass admitted that their password backup service was compromised over the weekend. It was a serious breach for the Maryland-based operation, but it is important to dig deeper. Client passwords for individual websites were not leaked out into the open. All we know for sure is that customer e-mail addresses and security questions (e.g. Where did you meet your spouse?, etc.) were potentially exposed. Last Pass does not know for sure at this point, but because of the possibility they have encouraged all customers to reset their master passwords for Last Pass. I have, and I feel as confident as ever with their service. For further reading: http://www.pcworld.com/article/2936621/the-lastpass-security-breach-what-you-need-to-know-do-and-watch-out-for.html
I trust Steve Gibson as the foremost expert in personal computer security in the world. For “advanced studies” on this topic, I would invite you to listen to the first half of his Security Now podcast from Tuesday night 6/16/2015. Despite this breach of Last Pass, Gibson still believes it is one of the finest if not the finest password managers in the world.
Audio file: https://media.grc.com/sn/sn-512.mp3
Just so you know the costs involved with these top tier password managers: Last Pass $12 / year, Dashlane $40 / year (both have free limited options which do not include password access on mobile devices), 1Password $50 for a license (which may need to be updated about every 3 years).
2) Apple passwords: For many years passwords on the Mac have been stored in a utility called Keychain. This includes passwords for your accounts in Apple Mail, Safari, WiFi networks and other Apple applications. Passwords stored in Chrome or Firefox, or in a password manager like 1Password, Last Pass, or Dashlane, DO NOT get parked in the Apple Keychain application. The Keychain passwords get shared with other applications through a technology called XARA. In recent versions of iOS, Keychain passwords can also get synced with your iPads and iPhones. A group of security researchers noticed that Keychain was vulnerable to leaking information when malicious or insecure applications were installed on a Mac or iOS device. These researchers did the right thing. They notified Apple 6 months ago!! Apple has done nothing, so they went public with the report this week. Apple must do something about this soon, and when they do they will push a security update to your Mac. This is a side note for a future discussion, but I really think Apple needs better coordination between their iOS and Mac OS security teams. Perhaps Apple should have just one operating system, iOS, and give us an iOS Plus for our Mac laptops and desktops, which would include more features. I will get back on point.
I am not worried about account passwords like iCloud or Google stored in your Apple Keychain if you have two-factor authentication turned on for those services. If a bad guy gets the Keychain-stored password in those scenarios, they won’t be able to do much with it. As a preemptive measure on the Mac, I suggest using Chrome or Firefox until Apple puts out a fix for this issue. If you are going to go that far, I would also turn off Keychain syncing on your Mac in System Preferences >> iCloud and on your iOS device under Settings >> iCloud. If you have been using Safari and Keychain syncing on either device, I would also delete saved passwords (after copying them down and/or putting them in another password manager) by doing the following…
iOS 7.1.1 or later:
- Tap Settings > Safari > Passwords & Autofill > Saved Passwords.
- Tap a website to view your password.
- Enter your device passcode.
OS X Mavericks v10.9 or later:
- Choose Safari > Preferences, then click Passwords.
- Select a website to view your password.
- Select “Show passwords for selected websites.”
- Enter your system password.
Courtesy of https://support.apple.com/en-us/HT203783
Finally, for further reading on the Apple Keychain security issue please look at https://nakedsecurity.sophos.com/2015/06/18/apple-os-x-and-ios-in-the-vulnerability-spotlight-meet-cored-also-known-as-xara/