2019-01-03

Who keeps the password keepers?

Keep your unmentionables safe


Hey folks! As a system administrator and security maniac, I am very much in favor of good password hygiene. Just like your undies, you should really know where your passwords have been. But contrary to your undies, your passwords are not always easy to change.

That's why I recommend using a good password manager. A password manager is a little application that lets you generate and store complex passwords that you use to log in to various sites. You don't have to remember the complex passwords. But you do have to remember the one that protects the password manager, of course.

When you use a password manager app, you implicitly trust that app to safeguard your secrets. That's why the latest fail in that field is particularly cringe-worthy: Abine, the company that makes the Blur password manager, has reported a customer data leak.

The fail


Photo: Francesco Paggiaro
To be more precise: back in December, a security researcher found an exposed file containing information about people who used Blur before January 6, 2018. The exposed file held, among other things, some users' first and last names, email addresses, password hints, and encrypted passwords.

If you use Blur, the company recommends changing your Blur password.

Comment: The Blur master password itself was not exposed, only its hashed form. According to Abine, the Blur passwords were "encrypted using bcrypt with a unique salt for every user". bcrypt is a deliberately slow password hashing function rather than reversible encryption, so there is no practical way to recover a strong password from a well-implemented bcrypt hash. Also, no protected data (the complex site passwords stored inside the Blur app) was compromised. So overall, it could have been worse.
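To show what "hashed with a unique salt for every user" buys a site, here is an added example that is not from the post or from Abine. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (a third-party package); the iteration count, salt length and record layout are constructed for the example. Storing the salt next to the hash is normal: it is not a secret, it just makes every user's hash unique, so two people with the same password do not share a hash and a precomputed table is useless. The function names are mine.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not Abine's settings).
# PBKDF2 stands in for bcrypt here; both are slow, salted password hashes.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a site would store: a random per-user salt plus the hash.

    A fresh salt is drawn for every user unless one is supplied (tests only).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time.

    The stored hash is never 'decrypted'; the only way to check a login
    is to recompute the hash from the candidate password.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def hashes_collide(password: str) -> bool:
    """Two users choose the same password: with unique salts the stored hashes differ."""
    first = hash_password(password)
    second = hash_password(password)
    return first["hash"] == second["hash"]


if __name__ == "__main__":
    # Constructed sample user record, as it would sit in a leaked database dump.
    record = hash_password("correct horse battery staple")
    print("stored salt :", record["salt"].hex())
    print("stored hash :", record["hash"].hex())
    print("login ok    :", verify_password("correct horse battery staple", record))
    print("wrong pw    :", verify_password("hunter2", record))
    print("same pw, same hash for two users?", hashes_collide("hunter2"))
```

The leak still matters even though the hashes are salted: a slow hash only protects passwords that are hard to guess, and the exposed password hints narrow the guessing for anyone who chose a weak one, which is why changing the Blur password is the right call.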

Of course, this won't stop some users from feeling betrayed. Just like undies, you get pretty intimate with a password manager. If my Supersafe Undies™ ripped and exposed some skin, I'd feel pretty let down.

Personally, I use and recommend Keepass, a free, open source password manager which, to the best of my knowledge, hasn't been breached so far.


