As a security professional, I have always been an advocate for strong credential security. I have spent a considerable amount of time coaching others on how to handle password management, what a strong password should look like, and of course strategies for using, and being able to remember, different and random passwords.
The guidelines are not that difficult:
- Use a password that contains at minimum 8 characters (10 or more would be better, and this number will continue to increase as computational power increases and with it a hacker’s ability to forcefully break a password).
- Use lower and uppercase letter characters.
- Use numbers.
- Use special characters if allowed to, and not just one special character at the end; get creative and replace some of the letters with special characters.
- DO NOT use any information in your passwords that is publicly known such as birthdays, addresses, family or pet names, and such. Instead, use things only you would know. Favorite movie = gUard!@N$_0f_G@laXy.
- Change passwords periodically, at least once a year, especially for accounts that hold financial information. How many of you have had the same password on your bank app forever?
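The guidelines above, as an added example that is not code from BlackVault: a Go checker that applies each rule (length, both letter cases, a number, special characters but not a single one tacked onto the end, and no publicly known personal facts, supplied by the caller as a list), plus a generator that draws from crypto/rand and keeps drawing until its output passes the same check. The character pool, the personal-information list ("Rex", "1985") and the sample passwords are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// MinLength is the floor from the guidelines; 10 or more is better.
const MinLength = 8

// isSpecial treats any punctuation or symbol character as "special".
func isSpecial(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }

// CheckPassword applies the guidelines to pw and returns one message per violated
// rule; an empty result means the password passes. personal holds publicly known
// facts about the user (pet names, birth years, street names): none may appear in pw.
func CheckPassword(pw string, personal []string) []string {
	var problems []string
	runes := []rune(pw)
	if len(runes) < MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", MinLength))
	}
	var lower, upper, digit bool
	specials := 0
	for _, r := range runes {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		case isSpecial(r):
			specials++
		}
	}
	if !lower {
		problems = append(problems, "no lowercase letter")
	}
	if !upper {
		problems = append(problems, "no uppercase letter")
	}
	if !digit {
		problems = append(problems, "no number")
	}
	if specials == 0 {
		problems = append(problems, "no special character")
	} else if specials == 1 && isSpecial(runes[len(runes)-1]) {
		// "not just one special character at the end": the most predictable placement.
		problems = append(problems, "only one special character, and it is at the end")
	}
	lc := strings.ToLower(pw)
	for _, p := range personal {
		if p != "" && strings.Contains(lc, strings.ToLower(p)) {
			problems = append(problems, fmt.Sprintf("contains publicly known information %q", p))
		}
	}
	return problems
}

// alphabet is the character pool for generated passwords (constructed for the example).
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.<>?"

// GeneratePassword draws n characters uniformly using crypto/rand (never math/rand)
// and retries until the result passes CheckPassword. No personal list is needed:
// the output is random, so it cannot contain anything about the user.
func GeneratePassword(n int) (string, error) {
	if n < MinLength {
		return "", fmt.Errorf("length %d is below the minimum of %d", n, MinLength)
	}
	limit := big.NewInt(int64(len(alphabet)))
	for attempt := 0; attempt < 100; attempt++ {
		out := make([]byte, n)
		for i := range out {
			idx, err := rand.Int(rand.Reader, limit)
			if err != nil {
				return "", err
			}
			out[i] = alphabet[idx.Int64()]
		}
		if pw := string(out); len(CheckPassword(pw, nil)) == 0 {
			return pw, nil
		}
	}
	return "", errors.New("could not produce a compliant password")
}

func main() {
	personal := []string{"Rex", "1985"} // constructed: a pet name and a birth year
	for _, pw := range []string{"gUard!@N$_0f_G@laXy", "Password1!", "rex1985"} {
		fmt.Printf("%-22s %v\n", pw, CheckPassword(pw, personal))
	}
	pw, err := GeneratePassword(16)
	fmt.Println(pw, err)
}
```

The movie-based example from the list passes every rule, "Password1!" fails only the trailing-symbol rule, and "rex1985" fails five ways at once. The generator enforces the same policy it checks, which is what makes a generated password safe to use without ever reading it.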
As I said above, the guidelines are not that difficult. The problem, however, is scalability. Most of us have multiple accounts, and only one or maybe two favorite movies.
The worst thing you can do is use the same credentials for multiple accounts. If an account gets compromised because someone managed to hack into the vendor’s database and steal a list full of credentials, you now have to worry about someone using those credentials against not one, but many of your accounts. This means that you will have to go and change your password, which is never a fun experience, on multiple accounts.
Over time we move from consuming services from one vendor to another; maybe we got a better price, or the new vendor has a feature in their services that we like. Once we stop using a service, we also stop keeping track of what happens to that information. Some vendors offer the option to delete the user account, but how can users be sure that the data is not archived or backed up somewhere, and can therefore still be accessed after the account has been inactive for a long time? Who here reads the fine print? When was the last time you got a receipt for deleting your account on a website or app?
Most of us think that it is easier to have only one really strong password and use it for everything; however, that thinking is counter-intuitive. I think that is my lazy self talking: I just don’t want to take the time to create, or have to remember, multiple passwords. However, if I have different passwords for different accounts and one account gets compromised, I only have to change that one password.
But how does the bad guy know what accounts I have? They don’t, but what they do know is what accounts, in general, most people are likely to have, as well as the most popular vendors in those sectors. All they have to do is programmatically try all the credentials obtained against multiple vendors until they get lucky.
There is one relatively simple way to bypass all the headaches, and that is multi-factor authentication. Without getting too much into MFA, the concept here is that in addition to the user name and password, you have a third challenge that needs a response to gain access. There are a few ways to implement this. You can have an app that holds a code that syncs with the vendor’s services, and every time you try to log in you enter that code in addition to the user name and password combination. Other vendors will send you a text with a code, and the user enters that code after the user name and password to gain access to the service.
These vary in how convenient they are for the user and how much security they add, but all of them are better than just a user name and password. Great, problem solved, right? Well, I think we will eventually get to the point where MFA will be not only offered for pretty much every service, but required. We are not there yet, and with a diverse user base that is not always willing to embrace the extra security measure, as well as services that still do not offer it, the option of MFA is not always there. Hence, you still need different passwords.
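The "app that has a code that syncs with the vendor’s services" described above is standardized as TOTP (RFC 6238 on top of RFC 4226). The following Go program is an added illustration, not part of BlackVault or any vendor’s code, and shows both ends of the exchange: the authenticator side that turns a shared secret plus the clock into a six-digit code, and the vendor side that verifies it. The secret is the RFC test vector, not a real one, and the verifier’s skew tolerance (one window either side) and replay rule are the design choices a defender has to get right; the text-message variant is delivered out of band and is not modelled here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is the code lifetime in seconds (RFC 6238 default).
const Step int64 = 30

// HOTP is the RFC 4226 dynamic truncation of HMAC-SHA1(secret, counter) to six digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1_000_000)
}

// TOTP is the authenticator-app side: the code for the 30-second window containing
// unix time t. App and vendor "sync" by sharing secret once at enrollment and then
// both deriving codes from their clocks; no network access is needed afterwards.
func TOTP(secret []byte, t int64) string { return HOTP(secret, uint64(t/Step)) }

// Verifier is the vendor side. It accepts the current window and one window either
// side to absorb clock skew, compares in constant time, and remembers the highest
// window already consumed so that a code seen once cannot be replayed.
type Verifier struct {
	secret   []byte
	lastUsed int64 // highest accepted window; the zero value rejects only the 1970 window
}

// Verify reports whether code is valid at unix time now and, if so, consumes it.
func (v *Verifier) Verify(code string, now int64) bool {
	cur := now / Step
	for _, w := range []int64{cur - 1, cur, cur + 1} {
		if w <= v.lastUsed {
			continue
		}
		expected := HOTP(v.secret, uint64(w))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastUsed = w
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real one
	now := time.Now().Unix()
	code := TOTP(secret, now) // what the user reads off the app
	v := &Verifier{secret: secret}
	fmt.Println(code, v.Verify(code, now), v.Verify(code, now)) // second attempt is a replay
}
```

Because the verifier marks a window as used, the same code submitted twice is rejected even though it is still within its 30-second lifetime; without that rule an attacker who intercepts one code could reuse it until the window expires.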
A few months ago I thought it would be a good idea to use a password manager. As it turns out between my personal and professional accounts I have over 60 different user names and passwords. There is no way I can follow my guidelines and remember all of that.
As I was considering my options I noticed a familiar trend among the offerings: it is as if security has conceded to convenience. Most password management applications save the user’s information (user name, password, and any other account details) in the cloud. It seems that one of the most commonly offered features is the ability to access the full list of credentials from any device. Some applications even offer the ability to take photos of your accounts and store them. A user could take a photo of his/her credit card along with all the information that is needed to use it.
Is it me, or does this seem counter-intuitive? Here I am talking about an application that can house all my secret credentials and I am supposed to entrust the safekeeping to someone I have never even met. I am not a stranger to the convenience of cloud services, and I very much enjoy things like automated robots that clean the floor, lights or thermostats that I can manage remotely, and who doesn’t love Alexa. However, I always try to give the vendors the minimum amount of personal information needed to consume their services. But, with a password manager, I am giving a remote vendor the keys to all the safes that house all the financial, health, and other personal information?
I couldn’t come to terms with that, so there was only one logical thing I could do, take matters into my own hands. I decided to build my own, and so I began to envision what ultimately became BlackVault.
At that point, I was only concerned with what I wanted that application to have. First and foremost, all information would be saved on the device where the application is installed. There would be no internet access permission needed for the application to operate in its most basic form. The goal: store user names and passwords safely on a device I carry with me at all times, so that I don’t have to remember them all.
After some research, I made a list of some of the features that I would want as well as others that I thought would be useful and wouldn’t compromise the security of the application, but would enhance the experience. This is the list I came up with:
- I should be able to name the accounts.
- I should be able to search for an account by its nickname.
- I should be able to save username, password, as well as add notes about each account.
- I would like to be reminded to change my password every so often.
- I would like to be able to back up the information somewhere, not necessarily in the cloud.
- I would like to be able to share passwords if I wanted to with someone easily.
- It would be nice to see a history of activity for each account, such as when I added it and when I last updated the information.
- I want to separate personal accounts from professional accounts.
- I would like the application to generate random strong passwords for me; since I don’t have to remember them anymore, the password can be any string of random characters.
- I would like to be able to copy and paste user names and passwords from the application to other services with a button tap, instead of having to hold my finger on the screen, wait for the text to be highlighted, and then copy it.
I was able to re-use a lot of code that already existed in some of my other projects for the visual rendering and some of the main application functionality, which was nice and cut the development time significantly. The first draft was done after approximately 2 months. I have since made some functionality and visual improvements to BlackVault to provide more information to the user and to enhance the overall experience. I have to say that I am personally very pleased with the result. What do you think?
It is not all peaches and cream though. As with anything else in life, there are always compromises. Since BlackVault keeps everything on the device, if a user changes the device, he/she will have to reload all the accounts on the new device. I tend to change devices every 3 years or so unless the device is damaged or lost.
Some will say that it is not worth the effort; I found, however, that it was an opportunity to look through all of my older credentials, including those for services that I am no longer using. Towards the beginning of the post, I mentioned how it is possible to have user names and passwords for services that are no longer in use. I am no exception: after adding all the accounts I was able to consolidate and delete about 12 user names and passwords which were no longer in use. I suspect that this will happen every 3 years or so. I have since deleted my profiles and accounts from those services’ sites wherever possible.
I have read through some of the cloud providers’ “fine print” with regards to data privacy and encryption of customer data while in their infrastructure, and maybe I am just paranoid due to the nature of my work, but there is so much that is left out, not explained, or assumed. For the customer, there is no consistent and easy way to see that security in a way that can be quantified. It reminds me of the movie “Meet The Parents”, where Greg loses his bag on the way to what would probably be the worst weekend of his adult life. On the way back, the flight attendant tries to check Greg’s carry-on after it fails to fit easily into the overhead compartment. There is a line there which I think is very relevant to this topic: after Greg shares that the reason he is hesitant to check his bag is his recent and unpleasant experience, the flight attendant assures him the bag will be safely placed below deck on the aircraft. Greg goes on to ask the flight attendant if she is going to physically go below deck and place the bag in the aircraft, to which the flight attendant promptly replies “NO”. This is exactly what I am referring to: as a customer, I don’t get to see where my bag is placed safely on the aircraft. Maybe I am just very paranoid.
Lastly, I thought: are there others out there who feel the same way, or has everyone pretty much embraced convenience as the most important feature when thinking about what applications and services they use to protect secret data? Does it make sense to have different levels or thresholds of how much security a user should be expected to sacrifice for the sake of making life easier? I think so, and while I continue to enjoy other smart things, I would prefer that security be secured and that I be in charge whenever possible.
And so I decided to find out if anyone shared my sentiments on this matter and published the application on Google Play. The application is being humbly promoted through Google Marketing services, and since I published in June 2020, it has been downloaded almost one thousand times and currently has approximately 300 active users.
To be able to support the effort of keeping the application in production and maintaining interest in improving features and functionality over time, I decided to bundle some of the convenience features as an in-app purchase. While the free version of the application provides everything someone needs to safely manage all of his/her credentials and keep them away from the wild wild west that is the internet, the user can pay less than a cup of fancy coffee and get a better experience with added convenience, while still keeping all the passwords with him/her at all times.
Any feedback on the subject of this post and the application would be greatly appreciated.
Like it? Get it here, only if you have an Android device.