The Heartbleed Bug and Password Reuse, Recipe for Disaster


If you have the habit of using the same password everywhere, you are at risk of identity theft and a breach in a post-Heartbleed scenario.

The ‘Heartbleed bug’ is perhaps the hottest topic in all types of media – print, electronic, social, and others. This serious flaw in OpenSSL’s TLS implementation is perhaps the biggest vulnerability in Internet history and has sent panic waves through IT and consumer communities alike.

During the past few days, you have probably come across information about the Heartbleed bug many times and been swamped by vendor advisories prompting you to change your passwords. The Heartbleed bug had gone unidentified for nearly two years, and it is not immediately known whether it was exploited against any web application anywhere. So, as a precautionary measure, vendors are suggesting you reset your passwords after they have patched their applications and fixed the vulnerability.

Heartbleed bug and password reuse

When you receive an advisory on the Heartbleed bug from a software application provider, you’re likely to promptly change the password in that application or site and feel secure. But the harsh truth is that your entire online life could be at risk. This is because most of us tend to use the same password on all websites and applications.

So if a hacker succeeded in obtaining your password by exploiting the Heartbleed vulnerability in one site or application, the hacker actually obtained the ‘master key’ to all your accounts – even those that are not vulnerable to Heartbleed.

Identity thefts through social media platforms: Is your password secure?


Social media platforms are fast emerging as the most convenient platforms for malware delivery. To combat cyber threats, proper password management should ideally become a way of life.

Over 13 per cent of the world’s population is on social networks, and the number keeps growing exponentially. Those who do not own a Facebook or Twitter account are now viewed as living in prehistoric times.

No doubt, social media is wonderful for helping you stay connected with friends, but its sheer popularity attracts the attention of cyber-criminals looking for ways to harvest identities. Recent surveys by IT security analysts clearly indicate that social media is fast emerging as the most convenient platform for malware delivery by hackers. Clickjacking, phishing and identity sniffing all continue unabated and are growing at an ever faster pace. Despite untiring awareness campaigns by the social media giants, even tech-savvy users are falling prey to attacks perpetrated through social media.

Introducing New Features in Zoho Vault: Powerful Password Sharing, Wider Storing

Ever since we launched Zoho Vault, an online password manager for teams, we have been receiving constant feedback from our customers – appreciation, concerns, comments, pain points and constructive criticism. We are giving sincere attention to all the feedback. We have now given shape to some of the feature requests, and here is a summary of the recent enhancements:

Securely store and share files and documents

You can securely store not just passwords, but also documents, files, images, digital certificates and licenses in Zoho Vault. Files can be stored as individual entities or along with secrets. You can add multiple files to a single secret and retrieve them from anywhere, even from your mobile devices. File attachments are treated like passwords – they can be shared with users and user groups, and they are encrypted in your browser itself. The encryption key is never stored anywhere, so complete data privacy is ensured.

Password Sharing Gone Wrong: How You Can Safeguard Your Business from a Snowden Security Breach

When Edward Snowden, the former NSA contractor, started disclosing classified details of several top-secret surveillance programs of the US intelligence agencies in June this year, everyone was wondering how he had gained access to such highly confidential information.

Five months later, an exclusive report by Reuters reveals that Snowden used perhaps the easiest possible way to gain unauthorized access to the secrets. Misusing his position as a system administrator, he reportedly persuaded nearly 20 of his colleagues to share their login credentials with him under the pretext of doing his job. They unwittingly provided the credentials, which led to the worst breach of information security in the NSA’s history. They thought they were giving the credentials to a trusted insider, unaware of Snowden’s real intent.

This report reminded me of a funny campaign titled “Passwords are like underwear” run by Information Technology Central Services at the University of Michigan a few years back to raise awareness about protecting passwords.

True, passwords are like underwear – obviously not meant to be shared with others. Unfortunately, practical needs mostly point the opposite way. Business requirements demand selective sharing of passwords with others, and in most organizations users tend to reveal the administrative passwords of sensitive IT resources to their colleagues for one reason or another.

Petition against them, hate them, or wish them dead; passwords are here to stay for long!


In the last two weeks, the Petition Against Passwords movement launched by a group of US-based companies that sell password-less technology has been gaining widespread media attention across the world. Their mission is to collect every frustrated yell at forgotten passwords and make sure the organizations responsible hear them.

At the RSA conference in San Francisco earlier this year, James DeLuccia’s ‘Passwords are dead’ created quite a buzz. At the conference, Zoho’s sister division ManageEngine demonstrated its enterprise password management solution, Password Manager Pro, and almost all the visitors to our stand quipped: “They are talking about the death of passwords and you are demonstrating password management!”

So, we hear the vox populi loud and clear: people are fed up with passwords. With the proliferation of online applications, a variety of passwords occupy every aspect of our lives. Remembering dozens of passwords is impossible; storing them only invites trouble, and managing them manually is a pain. With high-profile security breaches involving stolen online identities, all of us want to be rid of passwords. So, when someone talks about replacing passwords, it’s only natural for people to get interested.

But, the million-dollar question is: Do we have viable alternatives if the passwords die finally?

Before going any further, here is some history on ‘death of passwords’:

For over a decade now, people have been discussing the death of passwords. At the same RSA conference in 2004, Bill Gates, the Chairman of Microsoft, predicted the death of passwords. In 2006, he said that the end of passwords was in sight. Not just Bill Gates, but many other luminaries and industry analysts have been predicting the death of passwords.

However, in reality, the predictions haven’t yet materialized. Passwords are still the most prominent method of authentication to date. Alternatives to passwords, such as biometric authentication, iris authentication, facial authentication, various forms of multi-factor authentication, and even authentication through items like watches, jewellery and electronic tattoos, are all being discussed. Active research is also under way to formulate better alternatives.

However, none of the alternative approaches has been viable, for various reasons. Firstly, passwords are very easy to create and are absolutely free, whereas the alternative models are mostly expensive, require additional hardware components, are difficult to integrate with the existing environment, and are not easy to use.

Interestingly, some of these alternative authentication methods were cracked even before they could be widely adopted. A few years ago, a group of researchers fooled biometric facial authentication systems by using phony photos of legitimate users.

As of today, a viable replacement for traditional passwords is not in sight. We may get one in the future, but it will take considerable time for any new mechanism to be accepted and adopted. That means traditional passwords are not going to die anytime soon; they are going to be around for a while.

Passwords are not the problem; their management is

While raising our voices against passwords, we overlook the actual problem, which is poor password management. Being unable to remember passwords, users tend to use and reuse simple passwords everywhere. Users store passwords in text files and on post-it notes, share credentials among team members, and pass them around by email or by word of mouth. Real access controls do not exist, and the passwords of sensitive resources and applications remain unchanged for ages. Such bad password management practices invite security issues and other problems.

Use a password manager

While the research to find an alternative to passwords continues, it would be prudent to deploy a password manager to safeguard your data. With a password manager, you can secure all your passwords in a centralized repository; use strong, unique passwords without worrying about remembering them; automate and enforce password management best practices; control access to resources and applications; keep track of activities; and do much more.

If you are wondering which password manager to use, take a look at Zoho Vault.

Passwords or Pulcinella’s Secrets?


What is the purpose of a password? If we pose this question to any group of users, we will get a variety of responses. In simple terms, the purpose of a password is to keep your data and information secure, secret and private. Essentially, passwords have to be kept secret to serve that purpose. Ironically, for lack of proper password management, we tend to turn our passwords into something much like ‘Pulcinella’s Secrets’!

Yes, you read it right – Pulcinella’s Secrets! If you wonder whether you got the meaning correct, let me explain:

Pulcinella is an illustrious comic character in Commedia dell’Arte, a form of theater that began in Italy in the mid-16th century. The defining trait of Pulcinella is his inability to keep secrets. Any confidential information conveyed to him becomes an open secret in no time. The secret reaches far and wide, but everyone pretends not to know. In reality, Pulcinella’s secrets are not secrets at all.

Passwords in Text Files, Post-Its or Spreadsheets are Pulcinella’s Secrets, Literally!

With the proliferation of password-protected online accounts and IT assets, businesses are drowning in a pile of passwords. But many organizations and business establishments do not have any effective password management procedure in place at all. Employees adopt their own haphazard ways of maintaining passwords. The following are some typical scenarios:

  • Sensitive passwords are stored in volatile sources such as text files, spreadsheets, post-its and the like
  • Many copies of the passwords are circulated among the people who require them for their job functions. There is generally no trace of ‘who’ accessed ‘what’ passwords and ‘when’, which leaves no accountability for actions
  • When one user changes a password, it has to be updated in all the ‘copies’; otherwise, at the most needed time, someone will be trying to log in with an outdated password. As a result, passwords mostly remain unchanged for ages for fear of inviting such lockout issues
  • In many organizations there is rarely any internal control over password access or usage; users freely get access to the passwords
  • When other members of the organization require access to an online application or account, passwords are generally passed on by word of mouth
  • If an employee leaves the organization, it is quite possible that he or she walks out with a copy of all the passwords

So, if you follow the traditional style of storing business passwords described above, your passwords have probably turned into Pulcinella’s Secrets! Many in your organization might be accessing the passwords while you think otherwise. Obviously, this practice leaves organizations open to security attacks and identity theft.

Deploying a Password Manager – The Best Practice Approach

One of the most effective ways to keep your passwords secure (and truly secret) is to store them in a central, secure, digital vault and automate password management tasks. Deploying a password manager like Zoho Vault can help you take total control of your passwords. You can store all your online identities – passwords of web applications, PINs, registration numbers, access codes, bank account details, anything sensitive or confidential – in the online vault and access them from anywhere. Password changes are updated once, in the central vault.

You can selectively share common passwords on a need basis among the members of your organization with fine-grained access privileges. Your users get access only to the passwords they require, not to all of them. You also get comprehensive audit trails of ‘who’ accessed ‘what’ passwords, so activities can easily be traced to individuals. You can completely eliminate the insecure, cumbersome practice of storing passwords in volatile sources like post-its, text files, print-outs and spreadsheets. Try Zoho Vault now!

How do you handle passwords when an employee leaves the organization?


This question may sound trivial. Before discussing further, let me narrate an incident:

About three years ago, on March 17, 2010, in Austin, Texas, hundreds of cars purchased from a particular car dealer started honking uncontrollably. Worse still, the owners were not able to start the cars because the ignition system had been disabled. Car owners had no clue what was happening and had no option but to disconnect the battery.

Following hundreds of such complaints and anxious moments, the car dealer carried out an investigation with the help of the police and found that a sacked employee had gained unauthorized access to an internal IT application and turned on the web-based vehicle-immobilization system normally used to draw the attention of customers delinquent in their auto payments. The techie had apparently taken revenge on the dealer for laying him off.

Soon after sacking him, the car dealer had promptly terminated all his access, including access to the vehicle-immobilization application. But he knew the credentials of a colleague, and he used those to gain unauthorized access to the application.

Now, coming back to the question: How do you handle passwords when an employee leaves the organization? Does your organization have an effective ‘de-provisioning’ process in place to ensure that the former colleague will not continue to access your applications or data?

The saying ‘out of sight, out of mind’ might not hold good in all cases. Most employees leaving an organization forget their former employer and start concentrating on what is happening in the new organization. Occasionally, though, a disgruntled ex-colleague, a sacked employee, a terminated contractor or a greedy techie turns bad, and you will have problems on your hands.

The Austin car-honking incident is a classic example of the kind of insider threat organizations are prone to. A single disgruntled employee leaving the organization can wreak havoc on the business or cause huge financial loss if user de-provisioning is not handled properly. De-provisioning includes not just terminating access to key IT systems and applications, but also resetting the passwords.

Conversely, certain online accounts might be ‘owned’ by the person leaving the organization. If he fails to ‘hand over’ or ‘reveal’ the account details to someone else, the account practically becomes an orphan, posing a different kind of problem.

Tracing Access – The Key Challenge

When an employee leaves the organization,

  • it is essential to carry out a careful review of the access permissions granted to him/her
  • access has to be terminated and passwords must be reset
  • passwords owned by the person should be transferred to someone else
  • the password sharing scenario has to be reviewed. Users often reveal passwords to their colleagues for one reason or another. The most common reason for such an ‘unofficial share’ is to cover an emergency in one’s absence – for instance, a manager revealing the password of an application to a senior team member before going on vacation.

The key challenge here is compiling the list of all applications and resources accessed by the person leaving the organization. With the proliferation of online applications, it is a daunting task to trace every application to which the person had access. Tracing the ‘shared passwords’ is another tricky scenario.

If you can’t trace access, the safest option is to change the passwords of all applications, sites and resources. Needless to say, this is cumbersome, arduous and time-consuming.
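As an added example (not Zoho Vault’s code), here is a small Python model of the de-provisioning checklist above: given a constructed credential inventory with ownership, official shares, an audit trail and the ‘unofficial shares’ the post warns about, it lists what to rotate and what to hand over, and falls back to rotating everything when no access trace exists. All names and records are constructed sample data.

```python
"""Offboarding checklist derived from a credential inventory (added example)."""
from dataclasses import dataclass, field


@dataclass
class Secret:
    name: str
    owner: str
    shared_with: set[str] = field(default_factory=set)  # official shares in the vault
    accessed_by: set[str] = field(default_factory=set)  # users seen in the audit trail


# Constructed inventory: who owns, shares and has viewed each secret.
INVENTORY = [
    Secret("prod-db-admin", owner="alice", shared_with={"bob", "carol"},
           accessed_by={"alice", "bob"}),
    Secret("vehicle-immobiliser-portal", owner="bob",
           accessed_by={"bob", "carol"}),
    Secret("payroll-saas", owner="carol", accessed_by={"carol"}),
    Secret("dns-registrar", owner="bob"),  # never viewed: becomes an orphan if bob leaves
]

# Word-of-mouth shares that never reached the vault (constructed). The post
# calls these the trickiest access to trace, so they are tracked separately.
UNOFFICIAL_SHARES = {"payroll-saas": {"bob"}}


def offboard(leaver: str, inventory, unofficial=None, audit_available=True):
    """Return (secrets_to_rotate, secrets_to_transfer) for a departing user.

    Rotate anything the leaver owned, was given, or is known to have viewed.
    Without an audit trail the post's fallback applies: rotate everything.
    """
    unofficial = unofficial or {}
    if not audit_available:
        rotate = {s.name for s in inventory}
    else:
        rotate = {
            s.name for s in inventory
            if leaver == s.owner
            or leaver in s.shared_with
            or leaver in s.accessed_by
            or leaver in unofficial.get(s.name, set())
        }
    # Secrets the leaver owns must be handed to a new owner or they are orphaned.
    transfer = {s.name for s in inventory if s.owner == leaver}
    return sorted(rotate), sorted(transfer)


if __name__ == "__main__":
    rot, xfer = offboard("bob", INVENTORY, UNOFFICIAL_SHARES)
    print("rotate:", rot)
    print("transfer:", xfer)
```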

Centralized Password Repository – The Ideal Solution

The ideal solution to this problem is establishing and maintaining a centralized password repository using a password manager. You keep all your logins in the centralized vault and grant access to employees selectively, based on job roles and responsibilities. By looking at the dashboard, you know ‘who’ has access to ‘what’ applications and accounts. When an employee leaves the organization, within minutes you can pull a report of the applications he or she accessed and change the passwords of those sites or applications alone. A password manager also helps you overcome the sharing-related issues. In addition, you can even prevent passwords from being shown in plain text to the users you share them with: the users are only allowed to launch a direct connection to the site or application without ever viewing the password.

If you are wondering which password manager to use, take a look at Zoho Vault, an online password manager that serves as the centralized repository for all your passwords. It helps you securely store, share and manage your passwords and other sensitive data, and access them from anywhere. Try Zoho Vault now!