Is It Safe to Store Passwords in the Cloud?
When the online shoe retailer Zappos suffered a data breach recently, the company sent out emails to millions of customers and recommended that each change his or her Zappos account password as soon as possible to protect their personal information.
The emails highlighted the fact that a password is often the first line of defense when it comes to protecting any type of personal data. The general rule of thumb is to have a unique password for every account that requires one.
But since it seems every place you do business online —or indeed every site you visit —requires you to have a password, that quickly adds up to a lot of passwords. It's tough enough to try to remember two or three different passwords, let alone 50.
Enter the "cloud" —the vast array of storage servers and processors on the Internet, basically —to help with password management.
"Consumers store passwords in the cloud to aid in their password-security-management practices," said Ashley Podhradsky, assistant professor of computing and security technology at Drexel University in Philadelphia. "It's not uncommon for consumers to have dozens of passwords to memorize, and as a result, they often use the same password for all of their accounts."
Using the same password for different accounts can lead to cascading security failures, because it takes only one company to suffer a data breach for all the other accounts to be compromised as well.
Hence, many security experts advocate using password-management applications, which can store and remember users' passwords for them. The user needs to remember only his or her "master" password, which some applications can generate. And many password-management applications are moving their services to the cloud.
"When consumers adopt a password-management application," Podhradsky said, "they can use a password generator to create strong passwords that can then be stored in the cloud."
The benefit of storing passwords in the cloud, said Morgan Slain, CEO of SplashData, a Los Gatos, Calif.-based maker of productivity apps for mobile platforms, is the convenience of being able to access your data anytime, anywhere, from any device.
But, Slain pointed out, whenever information is stored on a server connected to the Internet, there is some inherent risk that your data will be lost or compromised.
Storing passwords in the cloud introduces a single point of failure. If the location of the password has been breached, someone has it and will try to use it at other sites. If the password is used repeatedly, it could mean a lot of lost data —or worse.
So should you ever store your password on a website or in the cloud? It depends on your individual circumstances.
"You need to weigh the trade-off between convenience and security," Slain said. "If you need to be able to access your information from a number of different browsers on different types of devices, storing passwords in the cloud can be a good option."
"When consumers store passwords in the cloud, they are addressing two of the most critical flaws in passwords management: weak passwords and reusing passwords," Podhradsky added. "Using a password generator to create strong, unique passwords that are not susceptible to common attacks, and storing them in a secure cloud password-management system allows consumers to better protect their data and personal information."
But if you really want to store your passwords in the cloud so they are accessible wherever you are, there are safe ways to do it.
"There are several free and commercial cloud password-management systems that allow consumers to create and store passwords securely, along with logging into websites with a single click," Podhradsky said.
"KeePass and LastPass are both free solutions, and 1Password is a great commercial application that will create and store strong passwords in the cloud," she said. "When looking for a solution for you, ensure it is not platform-dependent and can be implemented with portable devices."
This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.