Unshakeable Salt

The introduction of backdoors appeared in a couple of news articles earlier this week, primarily those concerning password managers.  It’s a recent development for CESG to recommend their use and it’s very hard for such advice remain current, especially in light of this week’s announcements.

The need for password managers

Whilst we still rely on usernames and passwords as credentials to access services, we will still need a way to securely remember all those different account details.  Best and current practice is to use differing credentials for each service we use.  We are also reminded to frequently change these credentials as well as create harder to determine passwords / passphrases.

This is why we need password managers, but all the products on the market are not equal.  The strength and security being determined on how and where they store your repository of credentials,  along with the cryptographic algorithm used and where the keys are stored.   There are no issues with storing the repository ‘In the Cloud’ as long as it is cryptographically sound and the application has proper key management.  Between the main players, repository storage does seem to be split 60/40 between cloud and local devices.

I personally chose a product that stores locally – not because I didn’t trust the provider to keep the repository safe,  but due to availability issues.  I have to work from a number of secure locations and this sometimes means that I don’t have full internet access.  This also helps when you work from unscrupulous guest networks where you could suspect snooping – or just where the provider filters access.

Despite these concerns, the biggest players do store their repositories solely in the cloud. There has been much lamenting over the number of breaches that LastPass have suffered over the years. 1Password might not store in the cloud, but recent concerns have arisen about unencrypted data that it may store on a vulnerable device. All of these issues have been rapidly resolved by their manufacturers to restore faith in their ability to prevent disclosure.

The Draft Communication Bill of 2012 – aka, The Snoopers Charter

Many British InfoSec specialists are currently fighting the Bills requirements for backdoors to be placed in all encryption. Whilst I could write a couple of paragraphs or pages on here about how I think this is an exceptionally stupid idea,  it would only become a rant and offer no value to this blog post. So I shall summarise and lets all  just agree for now it’s a very bad idea to introduce backdoors to any encryption. Such a bad idea in fact that over 200 firms have now formed SecureTheInternet.org to help fight the bill.

Backdoors – The best thing since sliced bread

So what caught my eye this week in the press was that many of the top password managers are now advertising their next new features – the ability for someone other than you to gain access to your credentials.  Aka a backdoor.

These are being marketed as access to other family members in case of emergency. I’m not sure why if I’m laying in a coma in hospital why my wife or kids would want to get access to my car racing or mountain biking forums, but that’s why they are being deployed.

Can I just say that this is absolutely a nonsensical idea.  Monumentally a bad idea. Stupid.

The purpose of a password safe is that is exactly that – a safe.  Have a quick trawl of Gumtree, Amazon or eBay and see how many people sell safes that have more than one door. None and that’s for the same reason.

This also means that it is published that the manufacturers of password safes have access to your passwords, credit cards and credentials for online banking.  Staff that operate their call centres (usually on zero hours contracts and low pay) therefore also have access to your online banking credentials.

Imagine this scenario: £500 suddenly goes missing from your online bank account. You call your banks fraud department, who ask you have knowingly shared your bank credentials with anyone.  Knowing that your password safe has a back door you have to say ‘Yes’.  The bank now inform you that you breached their terms & conditions and you’ve just lost any claim to the stolen money.   Answer ‘No’ and they discover you are using a password safe and it will be a long drawn out legal battle, probably with the same outcome.

So please,  chose wisely when picking a password safe.  Say ‘No’ to backdoors,  in all forms of encryption but especially in that single repository that stores your entire life.


Director of Unshakeable Salt, an Information security specialist who first started contracting in 1997.

Next Post