Security has actually long been a ground because that concern among many companies with each among these enterprise presenting its very own vision and also thoughts ~ above the most, and the least, effective procedures to follow. This post is written by rwcchristchurchappeal.com software Engineer Joe Schofield wherein he mirrors on the fact of exactly how secure our solution actually are. By no method it is a critique of any kind of of the methods used — the article merely intends to carry out food for thought and create some space for an important thinking ~ above the subject of security.

You are watching: Lulled into a false sense of security

So ns am Joe, and lately I have actually been interested in acquiring to know an ext about virtual security. Now I desire to look right into the topic of password security which I believe to it is in a really important topic to discuss. Passwords are an essential to our system’s security; someone gaining accessibility to a list of only a couple of passwords have the right to open many doors.

Let’s begin by looking in ~ a use instance in i beg your pardon I want to access my AWS account.

As this is such an important part of protection I want it appropriately locked down, right? Let’s include as numerous layers of defense as feasible (and then let’s include one much more please!). In this case, fine imagine I’m using the following:

A password manager (i.e. Dashlane, 1Password, LastPass)Access available only via a VPNMFA (Multi-Factor Authentication)

Although it might look quite secure let’s think around it a little further.

The password manager generates a very solid password and stores it — you can not brute pressure this one in a million years. The then saves the password because that me since I have actually a memory favor a sieve.

For the next step I save my login credentials to the VPN in the very same password manager, (because no-one provides multiple password managers); and so the construction is simply kept on my laptop.

Then i configure mine phone together the MFA device, so that every time I desire to connect to the VPN and every time I desire to login to AWS I need to go into a one-time passcode created from the MFA app.


Woah — no one is getting in here! Or are they?

I use my phone as much as I use my laptop, therefore I have actually the password manager mounted on there too; both the which have the right to be unlocked v my thumbprint, or — more importantly — my passcode. So just by discovering my passcode you have the right to unlock mine phone and then access the MFA app and also the password manager app.

Or far better yet, a feature of part password supervisors is to likewise act as an MFA device, therefore if I usage it this way, every you require is accessibility to my computer…


So let’s follow the login process, imagining you — the hacker — have simply my unlocked laptop (or have actually my laptop password).

You open the laptop and connect come the VPN, utilizing the credentials save in the password manager and the MFA password from the same password manager. Girlfriend then walk to AWS and log in using… friend guessed it — the password manager, and also the MFA code.

Hey presto, just by stumbling across my laptop, you’re right into my manufacturing AWS account and can take down joeschosamazingwebapp.com (if the link doesn’t work, someone more than likely hacked me…).

Now possibly you use a Yubikey as an extra layer of security. Great idea, but then again, if someone has accessibility to her laptop is it likely that they’ll it is in too far from the vital itself? Hopefully — but perhaps not always the case.


I expect you can see how adding multiple layers of the same security (multiple passwords save in the exact same manager, many MFA codes from the very same device) does not necessarily rise security. In this case, once you’re through one great of security, you’re v them all.

To it is in clear — I’m no discouraging the use of a password manager. They room a very valuable tool, but I want to begin a conversation on how using them together every great of security is perhaps not the best idea.

See more: If She Only Knew By Lisa Jackson If She Only Knew Book By Lisa Jackson

What about you? just how do you save your passwords secure?


We’re gift lulled into a false sense of security. Was originally published in rwcchristchurchappeal.com Blog ~ above Medium, where human being are proceeding the conversation by highlighting and responding to this story.