The Security of Your Password Vault: An Interview with Keeper’s Co-Founder

Passwords. The keys to verify your credentials on every single online platform that you use. With the multitude of social media accounts, online services, email addresses, banking logins and more, it is entirely likely that you find remembering multiple, distinct passwords (a good security practice) overwhelming.

If you’re an everyday user of the Internet frequenting several websites that seek credentials, you are likely to be using a password manager, an encrypted password vault that stores your passwords. Password managers are a no-brainer solution in this day of mandatory form-filling and entering credentials. They are now available as cross-platform products that can be installed as an application on your phone. Quite simply, a password manager makes your time spent on the internet a more seamless experience.

Despite the benefits, the reality is that every platform, product or service can be hacked. Skilled white-hat hackers bring vulnerabilities and bugs to the developer’s attention while malicious hackers profit from the exploits they devise for the vulnerabilities. Hacked readers will remember a recent report wherein LastPass, a contender for the most widely used password manager of them all, was revealed to contain “a number of bugs, bad practices, and design issues,” as two security researchers put it. The researchers also claimed there is no “bug-free” software, insisting that any further research on password managers would “likely have similar results.”

Hacked spoke to Craig Lurey, the co-founder and chief technology officer of Keeper, a prominent password manager and digital vault that adheres to SOC-2 compliance, a top-level security certification.

Why isn’t consumer-end security given precedence? For instance, why is SOC-2 not widely implemented by security companies for end-users and consumers?

SOC-2 compliance is not easy to obtain because it structurally changes the entire software development process, security, operations and data management of the company. It requires continuous improvement, optimization and a team that embraces the process. We’re proud that Keeper is the only SOC-2 certified company across the entire password management industry. Keeper is also a Zero-knowledge security provider. Zero-knowledge is a system architecture that guarantees the highest levels of security and privacy by adhering to the following principles:

  • Data is encrypted and decrypted at the device level (not on the server)

  • The application never stores plain text (human readable) data

  • The server never receives data in plain text

  • No employee or intermediary can view the unencrypted data

  • The keys to decrypt and encrypt data are derived from the user’s master password

  • Multi-Layer encryption provides access control at the user, group and admin level

  • Sharing of data uses Public Key Cryptography for Secure key distribution

Data is encrypted on the user’s device before it is transmitted and stored in Keeper’s digital vault. When data is synchronized to another device, the data remains encrypted until it is decrypted on the other device.

We’re confident that Keeper is the most secure, certified, tested and audited password management and digital vault in the world. We are the only SOC-2 certified password management solution in the industry and certified by TRUSTe for online privacy.

Not only do we implement the most secure levels of encryption, but we also adhere to very strict internal practices that are continually audited by third parties.

Where is the Keeper user’s encrypted record stored?

Customer data is encrypted and stored locally on the user’s device using 256-bit AES. The user’s master password derives an encryption key using PBKDF2, and that key decrypts other keys that are then used to encrypt and decrypt the record-level data. Keeper uses multiple layers of encryption.

The cipher keys used to encrypt and decrypt customer records are not stored or transmitted to Keeper’s Cloud Security Vault. However, to provide syncing abilities between multiple devices, an encrypted version of this cipher key is also stored in the Cloud Security Vault and provided to the devices on a user’s account. This encrypted cipher key can only be decrypted on the device for subsequent use as a data cipher key.

If a person is interested in digging into the low-level encryption methods of Keeper, they can check out our open source API called Keeper Commander. Our full security disclosure is published here.

Amazon recently and finally started two-factor authentication for its customers’ accounts. What are some of the practices that you see will gain wider adoption among the masses for better security?

The use of two-factor authentication is definitely a growing movement as companies begin to grasp the severity of data breaches. Adding a process like 2FA to control access over the network layer will become the norm in a few years time. Another process we see going mainstream is the integration of security directly into the hardware and software layers of devices. If devices come pre-loaded with security applications, users will develop better security hygiene from the start rather than having to learn a behavior.

How does Keeper ensure a safe account recovery process compared to other password managers?

Keeper has a unique and secure Zero-knowledge account recovery process to ensure that customers can access their accounts in the case of a lost Master Password.

During account signup, you are asked to select a Security Question and Answer. Also during signup, Keeper generates a ‘data key’ which is used to encrypt and decrypt the ‘record keys’ stored with each of your vault records. Your ‘data key’ is encrypted with your master password, and each record key is encrypted with the ‘data key’. Each record has its own individual, different ‘record key’.

The way account recovery works is by storing a second copy of your data key that is encrypted with your Security Question and Answer. To complete a vault recovery, you are required to enter an email verification code, and also your Two-Factor Authentication code (if enabled on your account). We recommend creating a strong security question and answer, as well as turning on Keeper’s Two-Factor Authentication feature from the ‘Settings’ screen.

We’re the only product in the industry to offer this secure method of account recovery in a Zero-knowledge environment.
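The key hierarchy described in the two answers above (master password to PBKDF2 to data key to per-record keys, plus a second copy of the data key wrapped under the security answer), as an added example that is neither Keeper's own code nor Keeper Commander's. HMAC-SHA256 in counter mode with an HMAC tag stands in for the AES-256 Keeper states, so the example runs on the Python standard library alone; the field names, the 100,000-iteration count and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import os

def derive_key(secret: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # PBKDF2-HMAC-SHA256: a low-entropy secret (master password or security answer) -> 256-bit key
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-256 so this runs on the standard library only
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag over nonce||ciphertext
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def create_vault(master_password: str, security_answer: str) -> dict:
    # Runs on the device. The server only ever stores this dict, whose values are salt or ciphertext.
    salt, data_key = os.urandom(16), os.urandom(32)
    return {"salt": salt, "records": [],
            "data_key_by_master": encrypt(derive_key(master_password, salt + b"master"), data_key),
            "data_key_by_answer": encrypt(derive_key(security_answer, salt + b"answer"), data_key)}

def unlock(vault: dict, secret: str, via: str = "master") -> bytes:
    # via="master" is the normal login; via="answer" is the recovery path (e-mail/2FA checks not modelled)
    return decrypt(derive_key(secret, vault["salt"] + via.encode()), vault["data_key_by_" + via])

def add_record(vault: dict, data_key: bytes, plaintext: bytes) -> None:
    record_key = os.urandom(32)  # one fresh key per record, itself wrapped by the data key
    vault["records"].append({"key": encrypt(data_key, record_key), "data": encrypt(record_key, plaintext)})

def read_records(vault: dict, data_key: bytes) -> list:
    return [decrypt(decrypt(data_key, r["key"]), r["data"]) for r in vault["records"]]

def change_master_password(vault: dict, old: str, new: str) -> None:
    # Only the wrapped data key is rewritten; record keys and records stay untouched
    data_key = unlock(vault, old, "master")
    vault["data_key_by_master"] = encrypt(derive_key(new, vault["salt"] + b"master"), data_key)
```

Because a password change only re-wraps the data key, the stored records never need re-encryption, and a wrong master password fails the integrity check rather than yielding garbage plaintext.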

Are there any drawbacks to 2FA? If so, what are they?

Not really. 2FA can be implemented in many different forms, and most consumers are not familiar with the terminology. This is why we refer to 2FA in our product as “Keeper DNA”. We offer the user many choices and options in their 2FA configuration. For example, users can authenticate with their Apple Watch or Android Wear device with a single tap. Nobody else in the password management industry is offering this.

Full disclosure: I’m a user of LastPass’ free service. Why do I need to — if I need to — switch over to Keeper?

We’re the only Zero Knowledge and certified platform, made for the mass consumer market as well as the enterprise environment. When you use Keeper, you’ll immediately notice the quality of the service and the ease of use across mobile, desktop and browsers. We prioritize security and ease of use over quantitative features. Many of our competitors such as LastPass are buggy, confusing, and springs fly out every time you use them. Buggy and complex software inevitably leads to security vulnerabilities, as has been widely reported in the press. We spend a massive amount of time improving our user experience while building the most secure product.

Featured image from Shutterstock. Keeper logo from Keeper.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.