Member Article
IAM vendors who store passwords not suitable
Identity and Access Management (IAM) company OneLogin has reported a security breach. According to Secure Cloudlink, the incident is a reminder to organisations and users that IAM vendors who store or replicate passwords are no longer suitable, because the stored passwords themselves are the weak point; the company argues that until passwords are eliminated, security will continue to be compromised.
OneLogin confirmed that an intruder gained access to its systems using an employee's password. The OneLogin service that suffered the breach is often used to store vital credentials such as admin passwords, so a single compromised account can expose every credential the service holds, which highlights the risk of theft inherent in storing sensitive credentials. This is not the first time a security vendor has been breached: last year password manager LastPass was hacked, and all of its users had to change their master password.
Commenting on the news David Worrall, CTO of Secure Cloudlink said: “The password usability problem has escalated and the hacks of OneLogin and LastPass only go to reinforce this. Now security vendors, the people who are supposed to protect users, are being hacked. The fundamental issue comes down to passwords. IAM vendors who store or require passwords are flawed and do not offer a completely secure solution. It’s not enough to have a complex password or even an encrypted password as these can be stolen and the encryption cracked.”
Gideon Wilkins, VP Sales and Marketing at Secure Cloudlink, adds: “Any product that still depends on a password for authentication and authorisation is clearly a security risk, even those that ‘mask’ the back-end stored password with a biometric front end. Although companies claim that they are eliminating the password, in reality they are just hiding it. Passwords are still being stored and replicated behind the scenes and they are spread all over the place, meaning hackers can capture these credentials.
“Organisations have had a number of stark reminders about the vulnerability of passwords, but no matter how much IT departments and security experts urge users to apply due diligence when it comes to password management, these hacks continue to take place. What is needed is an industry shift that breaks the historical link between a user's identity and the authentication method – the password. Now is the time to look at solutions that do not involve passwords. No storing, no transmitting and no replicating of passwords, ever. Hackers can't steal what doesn't exist,” concludes Wilkins.
This was posted in Bdaily's Members' News section by Super User.