OneLogin breached, hacker finds cleartext credential notepads

Password attic OneLogin has been breached, and it's bad, because the service that suffered the breach is one often used by people to store credentials like admin password and software keys. The online credential manager says its Secure Notes facility was breached, allowing the intruder to read in cleartext notes edited between …

  1. joed

    cloud

    nothing of value or only locally (client side) encrypted stuff belonged there.

  2. Anonymous Coward

    Three months?

    So are the logs so full of errors that nobody reads them or is this willful negligence?

  3. moiety

    The online credential manager says its Secure Notes facility was breached, allowing the intruder to read in cleartext notes edited between 2 June and 25 August this year.

    Well give yourself a good slap if you use an online password silo without encrypting it yourself first. But mostly, how is it even possible for the service to obtain your notes in plaintext if it's meant to be secure? If the service can read your notes, they're not fucking secure, are they? The hacking is just the cherry on the top, really. This might have been understandable if it was historical data from 2002 or something; but this is how they're doing it this month! Wow.

  4. Novex
    Facepalm

    Dear god, when will people realize that putting any kind of authentication or authorization details in the cloud is a REALLY STUPID IDEA!

    1. LDS Silver badge

      This kind of system just becomes a high-return target. Compromise one of them and you have the data needed to compromise a lot more easily. They become appealing targets like banks, but at least if someone robs a bank they don't get access to everything else you have - and the bank is accountable.

  5. Anonymous South African Coward Silver badge

    Derp durr.

  6. Anonymous South African Coward Silver badge

    Whilst on this topic - what is wrong with a password-protected Excel file placed in a folder with restricted access? So that only IT (sysadmins etc) can view that file, but for normal lusers it is inaccessible?

    1. gerdesj Silver badge

      "Whilst on this topic - what is wrong with a password-protected Excel file placed in a folder with restricted access? So that only IT (sysadmins etc) can view that file, but for normal lusers it is inaccessible?"

      In an ideal world - nothing really. However, spreadsheets have a habit of wanting their information to be freely available.

      I recommend KeePass instead - it's designed for the job.

    2. Allan George Dyer Silver badge

      Sure it'd be a lot better than using a cloud service that doesn't do its job... But:

      "what is wrong with a password-protected Excel file"

      Check out the number of Excel file crackers that are available. You'd want to use a strong password.

      "only IT (sysadmins etc) can view that file"

      You lose accountability when there is more than one person who can view the file.

      There are trade-offs. Sealing a password in an envelope in a safe is another option.

      1. This post has been deleted by its author

        1. Allan George Dyer Silver badge

          @Symon - mea culpa

          Agree that a password safe is another good option. Doesn't beat the envelope option when the admin has been run over by a bus, though. It's all tradeoffs.

      2. LDS Silver badge

        Just another way to use Excel instead of a proper database.... which at least usually has better access control.

        Anyway, it's funny people still fail to understand "shared logins/passwords" are baaaaaaad (and just plainly lazy). Each and every user must have their own login/password pair. It makes accountability clear, it allows for revoking access easily, it allows for more granular permissions (not everybody needs full privileges).

        "Disaster recovery" is a different issue. Your boss may want to have a "disaster recovery" account stored safely somewhere in case something happens to each and every authorized person. Still, this disaster recovery account must be separate from all the others, and never used for everyday use.

      3. Anonymous South African Coward Silver badge

        "Check out the number of Excel file crackers that are available. You'd want to use a strong password."

        - Am aware of this, a strong password is being used.

        "You lose accountability when there is more than one person who can view the file."

        So it seems the only safe option is a baggie with a numbered seal ~ a sealed baggie for each and every critical system password. If anybody needs access to a certain account and password, it is recorded in a logbook, baggie handed over, seal broken, password retrieved, new password generated, placed in a baggie with a new seal, and recorded in the logbook...

        A major schlepp, but if you're really strict about security...

    3. hplasm Silver badge
      Meh

      "...what is wrong with a password-protected Excel file..."

      Excel- that bit.

  7. J. R. Hartley Silver badge

    Shitting crikey

    Anyone who ever used a service like this needs their head checked.

    1. Hollerithevo Silver badge

      Re: Shitting crikey

      Don't be silly -- if you have only one password for everything, you don't have to write it down. And if it's the word 'password' plus a number, you'll always know it's your password! Such an easy problem to fix!

      1. Anonymous Coward

        Re: Shitting crikey

        Brilliant and so easy. It's a wonder others haven't thought of that. ;)

  8. malle-herbert
    Joke

    And that's why...

    I always keep my passwords safely stored on a post-it note attached to my monitor...

    1. gerdesj Silver badge

      Re: And that's why...

      "I always keep my passwords safely stored on a post-it note attached to my monitor..."

      You joke, but actually, provided you evaluate the risks involved for the particular password stored on the post-it, that could be close to the most secure place for it.

      The most secure place is obviously the top drawer on your desk, which is the second place IT look when attending a call where the user has buggered off.

      1. Knewbie

        Re: And that's why...

        nah, following the mandatory security course the admins had to call HR and get the children's names and their dates of birth...

        1. Bogle
          Joke

          Re: And that's why...

          "nah, following the mandatory security course the admins had to call HR and get the children's names and their dates of birth..."

          Round here we just check the tats on the backs of their necks ...

    2. Ken Moorhouse Silver badge

      Re: stored on a post-it note attached to my monitor...

      Two questions:-

      (1) Do you wear glasses?

      (2) Do you communicate with others via a webcam?

  9. CharlieK

    Full client-side encryption is a must

    That's a lesson for any company using a solution of this type. Don't use a vendor that doesn't employ full client-side encryption. That way, even the vendor's employees can't see your data.

    I've worked for several companies that use more secure alternatives such as Okta, PingIdentity and My1Login.

    I repeat, you must use full client-side encryption. You can check for this using debug tools in the browser and see for yourself.

  10. Dave Walker 1
    FAIL

    A friend of mine suggested this to scare me:

    https://haveibeenpwned.com

    Wonder if this one will appear there too...

  11. Anonymous Coward

    Now that Dropbox burped a lot of passwords, I wonder who'll be next...
