OneLogin Says Breach Exposed Ability To Decrypt Customer Data (krebsonsecurity.com)
Reader tsu doh nimh writes: OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data, KrebsOnSecurity reports. "A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers. After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer's usernames and passwords for all of their other applications."
FAIL (Score:4, Insightful)
You
Had
ONE
JOB
! ! !
Re: (Score:2)
Their entire reason for existing is security. How can you say you are a security company and you get hacked on a regular basis?
Re: (Score:2)
I remember the first time we were offered these kinds of services and I thought to myself that this would be a great way to find all of one's access compromised absolutely everywhere.
Sure, a security-company should by definition be the most secure business, but this has often proven to not be the case.
Re: (Score:2)
Yep, part of what the company was selling was security. They knew they were going to be a big fat target, with a lot of eggs in their basket. I can't fault them, because at least they admitted the breach. However, they should consider better encryption mechanisms. LastPass has been attacked a few times, but they have weathered the storm.
It might be that they need to re-architect their setup, with defense in depth.
Re: (Score:2)
I can't fault them, because at least they admitted the breach.
So, if I take money from you to guard your house and I fall asleep and your house gets robbed multiple [slashdot.org] times [hackerone.com], you aren't going to fault me because I admit that I fell asleep?
Re: (Score:2)
The fact they bothered admitting a breach happened is a lot better than most companies. I personally would go elsewhere, because Duo and LastPass have stood the test of time, but with the fact that "security has no ROI" is a core motto in a lot of places, just admitting it is better than nothing.
Re: (Score:2)
LastPass has had some recent problems as well.
https://www.theguardian.com/te... [theguardian.com]
https://blog.lastpass.com/2017... [lastpass.com]
I was hacked and my Slashdot account is abused. (Score:2, Funny)
You can easily see it for yourself. There are many obnoxious posts here using my name.
Fail (Score:3)
I don't need to have my account hacked to post obnoxious crap. I can do it on my own!
including the ability to decrypt encrypted data (Score:1)
This is why I use Password Safe synced on iCloud.
Nobody is going to compromise Password Safe because it is open source,
and Apple can't be breached.
When will you people learn (Score:4, Insightful)
My passwords are in a little paper book on my computer desk. If a hacker has access to it, I've got bigger problems.
Re:When will you people learn (Score:5, Insightful)
I've realized it's just safer to not discuss my password policy.
Re: (Score:2)
I've realized it's just safer to not discuss my password policy.
This is why I don't bitch about my banks online
Re: (Score:2)
Janitor? In my freakin' house? Nope.
Re: (Score:2)
Nope.
Re: (Score:2)
http://imgur.com/UHGIx [imgur.com]
Re: (Score:2)
That's the "I've got bigger problems" part.
Re: (Score:2)
I don't have a TV, you insensitive clod!
Too much access (Score:1)
Why does OneLogin have access to customer data???
In other news (Score:2)
putting all your eggs in one basket makes the basket very attractive!
Re: (Score:2)
And yet every time we talk about password security, the general consensus on Slashdot is to use a password manager so that you can have strong passwords. And every time I bring up the "all your eggs in one basket" problem I'm told that it isn't an issue because --insert hand waving here---
And yet, we know that any time your passwords are on the internet, they are vulnerable. No matter what has been done to "secure" them.
Re: (Score:2)
And yet, we know that any time your passwords are on the internet, they are vulnerable. No matter what has been done to "secure" them.
That's overly simplistic. In the case of LastPass, what's stored on the internet is an encrypted blob of my passwords. My master password is never sent to LastPass or anywhere on the internet. The real dangers of LastPass are a weak master password or local in-browser exploits and spoofs. If you've got a good master password, breaking the encryption via brute force isn't computationally feasible.
You have to ask yourself what you feel is the biggest danger: password re-use or weak passwords (because unle
PasswordSafe FFS (Score:2)
At one point I checked a lot of solutions to keep my passwords, and PasswordSafe [pwsafe.org] (from Bruce Schneier) is certainly the best one; I can also put my database on gdrive or whatever without fear.
Re: (Score:2)
Windows-only garbage most people install from a binary blob without compiling it themselves and has network access? No, thanks.
Re: (Score:2)
So there's no way of knowing if it's secure, because it's a blob nobody has access to. And it doesn't work on most devices (who ONLY uses their PC these days and doesn't need password access on their phone?)
So it's both useless, and a security nightmare... good work!
Re: (Score:2)
What? No, it exists for zillions of platforms, see https://pwsafe.org/relatedproj... [pwsafe.org]
Also, you can compile it yourself; the sources are available:
https://github.com/pwsafe/pwsa... [github.com]
There has to be... (Score:1)
Re: (Score:2)
And that "class" is "a large percentage of Slashdotters" because every time we discuss password security there's always a large number of people recommending one or another of these sorts of services as the be-all end-all of password security.
Re: (Score:2)
Are you saying SSO is stupid in principle, or something about OneLogin's brand of SSO is stupid in particular?
I don't understand... (Score:4, Insightful)
Wouldn't the very first rule for any kind of platform like this be that passwords are not decryptable without the user providing their key/password? I mean, that it's designed in such a way that this is actually *impossible* without a brute-force breaking of the encryption? How could this ever happen? We need more technical details. Otherwise the level of incompetence would be downright astounding.
Re: (Score:2)
Wouldn't the very first rule for any kind of platform like this be that passwords are not decryptable without the user providing their key/password? I mean, that it's designed in such a way that this is actually *impossible* without a brute-force breaking of the encryption?
LastPass works this way. You need something with a fully inspectable front-end and hopefully a code audit or two.
How could this ever happen? We need more technical details. Otherwise the level of incompetence would be downright astoun
Re: (Score:3)
Look into KeePassX if you like that style of tool. Bruce's was good for its time.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
The nature of the breach isn't entirely clear. It's possible that the passwords are encrypted, and that the encryption wasn't broken. There are other kinds of exploits and intrusions.
Re: (Score:2)
Thought the same thing as KeePassX or LastPass, which both do encryption on the client-side PC. Nope, OneLogin does it on the server: a brain-dead way to do a password vault; break the server and you have the clients' passwords. https://support.onelogin.com/h... [onelogin.com]
Post-it Security (Score:2)
This is why I keep all my passwords on a post-it note in my desk drawer. I used to keep it on my monitor but the bezel is too small now.
Hey, where'd the post-it go?! I swear it was in this drawer.
Re: (Score:2)
You joke, but it all depends on what you are securing against.
If my computer is in my house, then there's nothing someone can get from that post-it note that they can't already get from all sorts of other things there. So why not have it on a post-it?
If someone gets as far as the post-it note, my problems are far bigger than some random person posting to Slashdot under my name.
That's not a breach. (Score:2)
If, instead of "onelogin", it were called what it actually is, "a basket for your eggs", maybe then people wouldn't put all of their passwords into it.
Perhaps, one shouldn't put all of one's eggs into one basket. Just saying. Maybe "security" isn't about putting everything in one place.
Oh wait, what an old fashioned way of thinking. Let's modernize it shall we? Give all of your sensitive and valuable stuff to one person to hold -- oh yeah, and trust them both to keep it all safe and to not use it themselv
Server Side encryption, what were they thinking? (Score:3)
I figured OneLogin would be decrypting/encrypting on the local PC. NOPE, those idiots do it on the server side; hack the server and it's lights out. What were they thinking? https://support.onelogin.com/h... [onelogin.com]
Was worried for a second that LastPass was doing something stupid also; no, LastPass does all decrypting/encrypting on the client side: AES-256 in JavaScript on the client's local PC and in C++ for their browser extension. Basically LastPass only stores an encrypted file in the cloud, and the file gets downloaded and decrypted only with your password on the client. https://lastpass.com/whylastpa... [lastpass.com]
Never understood (Score:2)