Security has long been a ground for debate among many kinds of providers, with each of these businesses presenting its own vision and thoughts on the most, and the least, effective steps to follow. This short article was written by YLD Software Engineer Joe Schoarea, in which he reflects on how secure our systems actually are. By no means is it a critique of any of the methods presented; the article simply aims to provide food for thought and create some room for critical thinking on the topic of security.

Lulled into a false sense of security

So I am Joe, and lately I have been interested in learning more about digital security. Today I want to look into the subject of password security, which I believe to be a really important topic to discuss. Passwords are crucial to our systems' security; someone gaining access to a list of just a few passwords can open many doors.

Let’s start by looking at a use case in which I want to access my AWS account.

As this is such a crucial component of security I want it properly locked down, right? Let's add as many layers of security as possible (and then let's add another, please!). In this instance, we'll imagine I'm using the following:

A password manager (i.e. Dashlane, 1Password, LastPass)
Access available only via a VPN
MFA (Multi-Factor Authentication)

Although this might look pretty secure, let's think about it a little further.

The password manager generates a very strong password and stores it; you couldn't brute force this one in a million years. It then saves the password for me because I have a memory like a sieve.

For the next step I store my login credentials for the VPN in the same password manager (because no one uses multiple password managers), and so the configuration is simply kept on my laptop.

Then I configure my phone as the MFA device, so that every time I want to connect to the VPN and every time I want to log in to AWS I need to enter a one-time passcode generated by the MFA application.


So let's follow the login procedure, imagining you, the hacker, have just my unlocked laptop (or have my laptop password).

You open the laptop and connect to the VPN, using the credentials stored in the password manager and the MFA code from the same password manager. You then go to AWS and log in using... you guessed it: the password manager, and the MFA code.

Hey presto, just by stumbling across my laptop, you're into my production AWS account and can take down joeschosamazingwebapp.com (if the link doesn't work, someone probably hacked me...).

Now maybe you use a YubiKey as an additional layer of defence. Great idea, but then again, if someone has access to your laptop, is it likely that they'll be too far from the key itself? Hopefully, but maybe not always the case.


I hope you can see how adding multiple layers of the same protection (multiple passwords stored in the same manager, multiple MFA codes from the same device) does not necessarily increase security. In this situation, once you're through one layer of protection, you're through them all.
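To make the "through one layer, through them all" point concrete, here is a small dependency model, added as an example and not part of the original post. It assumes two hypothetical setups, one where every credential (OTP seeds included) lives in the password manager on the laptop, and one where the OTPs come from a separate phone; the asset, credential and step names are my own.

```python
# Added example (not the author's code): model each credential as the set of
# physical assets an attacker must hold to use it, then see which login steps
# fall once a single asset (the unlocked laptop) is in the wrong hands.
# Assets: "laptop" = the unlocked laptop with the password manager, "phone" = a
# separate MFA device. Setups and names are assumptions for illustration.
CHAINS = {
    "everything_in_manager": {
        "vpn_password": {"laptop"},   # stored in the password manager
        "vpn_otp":      {"laptop"},   # OTP seed also kept in the manager
        "aws_password": {"laptop"},
        "aws_otp":      {"laptop"},
    },
    "otp_on_phone": {
        "vpn_password": {"laptop"},
        "vpn_otp":      {"phone"},    # OTP generated on a separate device
        "aws_password": {"laptop"},
        "aws_otp":      {"phone"},
    },
}

# Each step needs all of its requirements; AWS is only reachable via the VPN.
STEPS = {
    "vpn": {"vpn_password", "vpn_otp"},
    "aws": {"vpn", "aws_password", "aws_otp"},
}


def reachable(chain, held):
    """Return the login steps an attacker holding the assets in `held` can complete."""
    creds = CHAINS[chain]
    have = set(held)
    changed = True
    while changed:  # fixed point: unlock credentials, then steps, until nothing new
        changed = False
        for node, needs in list(creds.items()) + list(STEPS.items()):
            if node not in have and needs <= have:
                have.add(node)
                changed = True
    return {step for step in STEPS if step in have}


def assets_needed(chain, node):
    """Distinct physical assets that protect `node` (how many things must be stolen)."""
    creds = CHAINS[chain]
    if node in creds:
        return set(creds[node])
    return set().union(*(assets_needed(chain, dep) for dep in STEPS[node]))


if __name__ == "__main__":
    for chain in CHAINS:
        print(chain, "laptop only ->", sorted(reachable(chain, {"laptop"})),
              "| assets guarding aws:", sorted(assets_needed(chain, "aws")))
```

Four credentials still count as one layer when `assets_needed` collapses to a single asset; the phone setup only helps because it adds a second asset the attacker must also hold.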


To be clear, I'm not discouraging the use of a password manager. They are an extremely handy tool, but I wanted to start a conversation on how using them as every layer of protection is probably not the best idea.