Internet privacy and security course
About translation
Previous Next

Chapter 36

A huge mistake or how exactly you should not keep passwords

In terms of this section we will have a block of articles on various ways to store passwords, their pros and cons. Depending on the security level of the method, we will recommend it to you to smaller or bigger extend, but there is one way that we strongly recommend you not to use ... but first a little story from my life.

One good friend of mine suspected his soul mate of infidelity and, knowing that I understood quite well in the tools for controlling her computer secretly, he asked me to put some legal RAT on her Mac (from the word RAT-Remote Access Toolkit, a remote control tool).

I refused to use cyber espionage tools on my computer, but I said that I could see the information if she gave me her iPhone or Mac. The very next day he visited me with her brand-new iPhone 8.

I never thought his girlfriend was very smart, but she deleted the history of the browser, as well as messaging applications. The only thing she did not know was that deleting the story was not enough, and a minute later my friend not only received a list of dating sites which the girlfriend used, but also a bunch of login / password to them.

How? If you use Apple devices with the default settings, then all your passwords are stored in iCloud and, knowing the password, you can view them from any of your devices. For example, on your iPhone or iPad, go to Settings> Accounts and Passwords> Program and Site Passwords. When you click on any entry, you can see the saved password. Android, Windows, many browsers, password managers have similar systems, and if you haven't turned them off, I have bad news for you.

Your passwords are stored in the cloud of third parties. Transfer your passwords to third parties is a very unwise step, but for objectivity I suggest starting with the advantages of this method of storing passwords.

Benefits of storing passwords in the cloud

It’s simple and convenient

It is really convenient. For example, in the case of iCloud, you save the password on your Mac, then, there is no problem for you to log in to the same site from your iPhone or iPad. When you change the computer, you only need to log in to your iCloud account, and all passwords are with you again.

If you lose the device, you do not lose passwords

If your laptop or phone is stolen, it will not be difficult for you to recover the passwords lost with them, and this is definitely a plus. All you need is to log in to the new device.

It's safe

But only if the passwords are encrypted at the level of your device and can be decrypted only with a key (password), which is stored exclusively at your place.

But in this case, if you lose your password (master password, as it is often called), you will lose access to all passwords. If there is an opportunity to recover a lost password, for example, with the help of a link sent by email, then the service can always access your data and there is no way talking about any security.

I did not find more advantages with this method, unlike a lot of disadvantages.

The drawbacks of storing passwords in the cloud

Speaking of minuses, I should note that cloud storage itself can be very different. For example, if only an encrypted file with keys for synchronization between devices is stored in the cloud, this is one case. In this case, the service is involved more in synchronizing the data stored on your device, it also has your IP addresses, but it cannot access your passwords, even closing it will not lead to significant problems.

Another case is when the owner of the service stores your passwords. Thus, iCloud, LastPass and many other services work, and this method of storing passwords carries a lot of risks and threats, which we will discuss below.

 

Attention

The following disadvantages do not apply to all cloud password storage services.

Cloud owner has access to your data.

Even if they convince you that they keep your passwords in encrypted form and company employees do not have access to user data, there is always a way to get them from the service, and at least they have your IP addresses.

Former "Spam King", the creator of the Kelihos botnet, Peter Levashov, now extradited to the United States, was arrested in Barcelona at the request of the American authorities. It is clear that Levashov was a great professional and cared about his anonymity, however, even great hackers sometimes lose concentration and make mistakes...

For Levashov, the cloud service from Apple iCloud was such an error. Law enforcement services followed his iCloud account for a long time, thanks to the IP addresses of the connections, information about his whereabouts was obtained. And Apple willingly and, what is most important, secretly transferred data to law enforcement services.

Certainly, Apple acted within the law, I do not blame them, but I just point out an opportunity that you should definitely know about.

 

Attention

By storing passwords in the cloud, you transfer them to third parties. Your passwords, logins or at least a list of used sites can be issued to a third party, your IP address can be logged each time the cloud is accessed.

You depend on the company that stores your passwords

Another disadvantage is your dependence on the service, since if the company loses your data, you risk losing them too. For sure, you can make backups, but how many people make backup data of passwords stored in the cloud?

You can, of course, recover most passwords through password recovery in services, but some of the data may be lost irrevocably. It is especially dangerous to store in this way the passwords to the encrypted information, where it will not be possible to recover ones in case of loss.

Although the author is not aware of examples of data loss by cloud password storage services, this risk cannot be excluded, especially if you use the services of a small company. I know the stories of hosting sites that lost their customer data, for example, the popular British 123-reg hosting one day accidentally deleted all virtual client servers... and all the clients that did not have backup copies found themselves in an unenviable position, losing websites and all stored data there.

In addition to total loss, the service may simply be temporarily unavailable, and you will not be able to access it at the right time.

 

Tip

Even if you decide to store passwords in the cloud, back up.

Companies can sell information about you

It may often happen that companies offering cloud storage services passwords collect statistics on sites visited by users for further sale.

The ones that are particularly dangerous are free products that do not have a clear model of monetization, in other words, it is not clear how the owners earn.

The owners of such services know your email, which sites and how often you visit, your region can be assumed by IP address and site languages, this is quite valuable information that you can successfully sell.

The most annoying thing is that the owners of cloud services to store passwords that are synchronized with the browser can not only find out the list of sites you have visited, but also specific pages, like find out your profiles on social networks and get data, which videos you watched or which queries were entered into the search engine.

Is it hard to believe in it? Maybe the author of the course is mired in his own paranoia and everything is not so bad? Let's take the example of a VPN for analogy, many VPN services collect and sell information about users who come to them for privacy, and we know that for sure. User data was collected and sold by such major services as Opera VPN, Hotspot Shield and Hola, without declaring it. As a result, however, Opera VPN was closed, the Internet community came out against Hola, and the reputation of the service was destroyed, and Hotspot Shield received a massive lawsuit.

 

Attention

Cloud password storage services may collect information about you for further sale.

Data leaks

Data to third parties may be transmitted illegally. Sometimes companies can be hacked, and data is stolen by hackers, often working for a government.

And it’s good if the company acts honestly, as LastPass password manager did, warning users about a possible leak and recommending that the master password must be changed, but more often it happens, as is the case with Yahoo, when billions of accounts were obtained by hackers and the management was silent.

They were silent, because the consequences of such hacking may cost too much. Yahoo was no exception, losing much in price as a result of this story. It is unprofitable for companies to talk about data leaks to users, although the latest European legislation strictly obliges them to do so.

Phishing attacks

Hackers regularly invent various tools for phishing attacks on data in the cloud. Annually the news is widely spread about mass phishing attacks on the same iCloud, Google cloud services; do not underestimate these threats, as even professionals have difficulty distinguishing professional phishing attacks,.

Unfortunately, many people believe that a phishing attack is a message from the series “Your account has been blocked, if you don’t follow this link, it will be deleted.” This is true phishing, although it is a very primitive level, oriented, as a rule, to mass character. But there is another phishing, when the substitution can be detected only with close examination.

The LostPass attack on LastPass password manager is of particular note. This is a very effective phishing attack, which it was almost unrealistic to recognize for a simple user. Much information has been written about it on the Internet, you can read more about it and evaluate how it was not easy for the victim.

In this case, as a result of a successful phishing attack with a high degree of probability, the attacker will have logins and passwords from all your services. If there is a bunch of double authentications at the sites, the login and password is not enough, but in all other services the attacker will be able to log in.

To sum up, once again I want to note that cloud storage services are very different and the disadvantages described above can relate to one of them and not to the other.

Previous
4297
Next