Password Manager OneLogin breached.

On the 31st May 2017, a hacker was able to gain access to the cloud password managing service OneLogin. OneLogin is an online cloud service that allows users to store their login passwords to applications and sites from a single platform.

They admitted that the perpetrator was able to access the cloud database with a set of Amazon Web Services keys which were then used to access the database Application Programming Interface. 

On OneLogin’s blog post they have stated the following:

`The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.’

As mentioned above, online services that help manage our login details and passwords can be incredibly convenient, they can even keep our data more secure by generating longer, stronger and more unique passwords using a combination of uppercase,lowercase,numbers and symbols.  However, the issue with storing all our passwords in a database is the possibility that the database may be compromised. Once this happens, all passwords within that database need to be changed.

What steps should be taken

If you have used OneLogin as a password manager, OneLogin asks everyone who is using their services to take the following three steps:

1. Resetting the master password.
2. Creating new certificates and security credentials for all websites and applications.
3. To delete any passwords or private information stored in OneLogin’s secure notes. 

From our experience, we advise our clients that it is far more secure to have a database filled with many long, complex and strong generated passwords than use one easy to remember password or different small and easy to remember passwords. The reason for this is because as technology advances, hackers are capable of utilising their available computing power into guessing poorly created passwords with extreme speed and ease.

The master password itself, however, should be a password which is hard to guess.

Our recommendations

Passwords can easily be guessed with dictionary attacks and brute force attacks, therefore a password should contain more than 8 characters and use a combination of lowercase, uppercase, numeric and symbol characters. It should also be updated on a regular basis.

We also advise that you should never access your online or offline password manager on a public computer. If however, you do happen to use your password management service on a public computer, your master password should be changed from your private computer as soon as possible. This is because there is an increased chance that a keylogger may have captured your master password keystrokes.

Furthermore, private information which can be stored and synced within any cloud based database should be encrypted beforehand. This way, if for any reason another breach does occur, you can be sure that your data is safe and secure. There are many open source options available which can achieve this for example, 7-zip , gnupg and veracrypt are all available on Windows, OS X and Linux and can help you encrypt your data before you upload it to the cloud.

The final piece of advice that we offer is to make sure that you have a satisfactory antivirus installed on your system.  The same principal applies here as well. If any indication that your system may have been compromised the master password should be changed immediately.

To test whether or not your master password is strong enough you can use the following website  howsecureismypassword (sponsored by Dashlane, an online password manager). It will display how long it would take a computer to crack your master password.