The Security of Your Password Vault: An Interview with Keeper’s Co-Founder


by Samburaj Das, December 7, 2015

Passwords: the keys that verify your credentials on every online platform you use. With the multitude of social media accounts, online services, email addresses, banking logins and more, it is entirely likely that you find remembering multiple passwords (a good security practice) overwhelming.

If you’re an everyday user of the Internet who frequents several websites that ask for credentials, you are likely using a password manager, an encrypted vault that stores your passwords. Password managers are a no-brainer in this era of mandatory form-filling and credential entry, and they are now available as cross-platform products that can be installed as an app on your phone. Quite simply, a password manager makes your time on the internet a more seamless experience.

Despite the benefits, the reality is that every platform, product or service can be hacked. Skilled white-hat hackers bring vulnerabilities and bugs to the developer’s attention while malicious hackers profit from the exploits they devise for the vulnerabilities. Hacked readers will remember a recent report wherein LastPass, a contender for the most widely used password manager of them all, was revealed to contain “a number of bugs, bad practices, and design issues,” as two security researchers put it. The researchers also claimed there is no “bug-free” software, insisting that any further research on password managers would “likely have similar results.”

Hacked spoke to Craig Lurey, the co-founder and chief technology officer of Keeper, a prominent password manager and digital vault that adheres to SOC-2 compliance, a top-level security certification.

Why isn’t consumer-end security given precedence? For instance, why is SOC-2 not widely implemented by security companies for end-users and consumers?

SOC-2 compliance is not easy to obtain because it structurally changes the entire software development process, security, operations and data management of the company.  It requires continuous improvement, optimization and a team that embraces the process.  We’re proud that Keeper is the only SOC-2 certified company across the entire password management industry. Keeper is also a Zero-knowledge security provider. Zero-knowledge is a system architecture that guarantees the highest levels of security and privacy by adhering to the following principles:

  • Data is encrypted and decrypted at the device level (not on the server)

  • The application never stores plain text (human readable) data

  • The server never receives data in plain text

  • No employee or intermediary can view the unencrypted data

  • The keys to decrypt and encrypt data are derived from the user’s master password

  • Multi-Layer encryption provides access control at the user, group and admin level

  • Sharing of data uses Public Key Cryptography for Secure key distribution

Data is encrypted on the user’s device before it is transmitted and stored in Keeper’s digital vault. When data is synchronized to another device, the data remains encrypted until it is decrypted on the other device.

We’re confident that Keeper is the most secure, certified, tested and audited password management and digital vault in the world. We are the only SOC-2 certified password management solution in the industry and certified by TRUSTe for online privacy.

Not only do we implement the most secure levels of encryption, but we also adhere to very strict internal practices that are continually audited by third parties.

Where is the Keeper user’s encrypted record stored?

Customer data is encrypted and stored locally on the user’s device using 256-bit AES.  The user’s master password derives an encryption key using PBKDF2, and that key decrypts other keys that are then used to encrypt and decrypt the record-level data.  Keeper uses multiple layers of encryption.

The cipher keys used to encrypt and decrypt customer records are not stored or transmitted to Keeper’s Cloud Security Vault. However, to provide syncing abilities between multiple devices, an encrypted version of this cipher key is also stored in the Cloud Security Vault and provided to the devices on a user’s account. This encrypted cipher key can only be decrypted on the device for subsequent use as a data cipher key.

If a person is interested in digging into the low-level encryption methods of Keeper, they can check out our open source API called Keeper Commander. Our full security disclosure is published here.

Amazon recently and finally started two-factor authentication for its customers’ accounts. What are some of the practices that you see will gain wider adoption among the masses for better security?

The use of two-factor authentication is definitely a growing movement as companies begin to grasp the severity of data breaches. Adding a process like 2FA to control access over the network layer will become the norm in a few years time. Another process we see going mainstream is the integration of security directly into the hardware and software layers of devices. If devices come pre-loaded with security applications, users will develop better security hygiene from the start rather than having to learn a behavior.

How does Keeper ensure a safe account recovery process compared to other password managers’?

Keeper has a unique and secure Zero-knowledge account recovery process to ensure that customers can access their accounts in the case of a lost Master Password.

During account signup, you are asked to select a Security Question and Answer. Also during signup, Keeper generates a ‘data key’ which is used to encrypt and decrypt the ‘record keys’ stored with each of your vault records. Your ‘data key’ is encrypted with your master password, and each record key is encrypted with the ‘data key’. Each record has its own individual ‘record key’.

The way account recovery works is by storing a second copy of your data key that is encrypted with your Security Question and Answer. To complete a vault recovery, you are required to enter an email verification code, and also your Two-Factor Authentication code (if enabled on your account). We recommend creating a strong security question and answer, as well as turning on Keeper’s Two-Factor Authentication feature from the ‘Settings’ screen.

We’re the only product in the industry to offer this secure method of account recovery in a Zero-knowledge environment.

Are there any drawbacks to 2FA? If so, what are they?

Not really. 2FA can be implemented in many different forms, and most consumers are not familiar with the terminology.  This is why we refer to 2FA in our product as “Keeper DNA”.  We offer the user many choices and options in their 2FA configuration.  For example, users can authenticate with their Apple Watch or Android Wear device with a single tap.  Nobody else in the password management industry is offering this.

Full disclosure: I’m a user of LastPass’ free service. Why do I need to — if I need to — switch over to Keeper?

We’re the only Zero Knowledge and certified platform, made for the mass consumer market as well as the enterprise environment. When you use Keeper, you’ll immediately notice the quality of the service and the ease of use across mobile, desktop and browsers. We prioritize security and ease of use over quantitative features. Many of our competitors such as LastPass are buggy, confusing, and springs fly out every time you use it. Buggy and complex software inevitably leads to security vulnerabilities, as has been widely reported in the press. We spend a massive amount of time improving our user experience while building the most secure product.

Featured image from Shutterstock. Keeper logo from Keeper.

  • Bob Archer

    “Many of our competitors such as LastPass are buggy, confusing, and springs fly out every time you use it.”

    Such FUD. Also, Last Pass is a zero knowledge product too at half the price.

    Security questions can be less secure than a strong password. The user is always the weakest link in the chain.

    • P. H. Madore

      Although I agree it’s fuddish, you should check out some recent and interesting vulns discovered in LastPass:

      That’s not to say Keeper won’t have its own problems, and for the record I still use LastPass, though I’ve followed the researcher’s recommendations.

  • aaron ashfield

    We should not be using a password vault. The solution is to KILL passwords. Secure Access Technologies removes all passwords, and replaces them with a fingerprint on your phone.

  • Hua Li

    These days we have so many passwords to remember. We need passwords for email accounts, banking websites, social media accounts, online shopping, just about everything needs a password! The average person needs to log into about 20 different accounts regularly and passwords often have requirements that you need to include numbers, symbols and capital letters. How can we remember so many different complex passwords? Although the experts warn us not to use the same password for all our accounts, most of us are guilty of this little shortcut.

    However, reusing the same password for all your accounts carries great risk. If even one of your accounts is hacked, then criminals can get access to all your important accounts, including bank accounts! Or if hackers gain access to your email account then they can use the password reset links on websites to gain control of your other accounts.

    A solution to this problem is to use a secure password manager to store and even generate passwords for you. CoverMe’s encrypted password protected vault includes a password manager for you to store all your passwords.

    CoverMe’s secure password manager is organized into 6 categories: ID Cards, Wallet, Web Sites, Accounts, Email, Others.

    In ID cards, you can store information like driver’s license, passport and membership cards. In Wallet, you can save your credit card, debit card, bank account, Paypal and Alipay information. In Website, you can store information about any website you want and the most popular websites are already listed to get you started, such as Facebook, Google and YouTube. Accounts is where you would put information about your computer password, server password, iTunes and Dropbox. In Email, you can save passwords for Gmail, Hotmail and Yahoo or any other email accounts. In Others, you can save things like software license key, calling card numbers or whatever you like.

    CoverMe not only stores passwords, but it can also generate unique, random passwords for you to use. Use CoverMe password manager to safely store all your passwords for you on your phone!