Interview: Keeper Security CEO On Recovering From Breaches And The Relevance Of Password Managers In A Passwordless World
Darren Guccione, Chief Executive Officer and Co-Founder at Keeper Security, discusses the importance of password security in a world that’s becoming increasingly passwordless.
Keeper Security is a leading password, secrets, and privileged access management solution that helps organizations and individuals secure their online accounts by eliminating poor password practices. Keeper’s password manager provides a vault in which users can securely store and share passwords; they need only remember one “master password” to access that vault. This lets users create a strong, unique password for every account without having to remember each one.
Darren Guccione, CEO and Co-founder of Keeper Security, has always been a serial inventor and entrepreneur. He co-founded Keeper, with CTO Craig Lurey, in 2011, with the goal to “not just build a great business, but also provide a lot of social good and protect millions—if not billions—of people globally against cyber criminals.”
Expert Insights recently interviewed Darren to discuss how organizations should respond to a password breach, why security should be at the core of identity security vendors as well as the solutions they provide, and the role of password managers in a world that’s moving beyond passwords.
Why Should We Use Password Managers?
In recent months, a leading password management provider experienced a breach that affected the security of its customers’ accounts. As a result, many password manager users have been calling into question the security of password managers themselves. Why should they continue to use password managers when such breaches are possible?
The reality is that managing passwords manually is difficult and frustrating. We live in a digital world and, as such, we all have a lot of online accounts, from work apps to fitness apps, from email to retail, from banking to social media. When every one of those accounts needs to be protected with a unique, complex password, it’s no wonder that 8 out of 10 people find password management difficult. Remembering a unique password for each account is tough, so many of us reuse passwords or store them in an insecure file that we can easily refer to. But if we can easily read that file, so can a cybercriminal. According to recent research by Keeper Security, the problem extends to the enterprise: in a survey of US IT leaders, 30% of respondents allow employees to set and manage their own passwords, and admit that employees often share access to passwords.
“A password manager is the best way to manage and protect your passwords for any application, website, or system. There is no other way to do it efficiently, effectively, and securely,” says Darren. “The key here is that you don’t want to reuse passwords or use weak passwords—more than 80% of data breaches are the result of weak or stolen login credentials, secrets, or passwords.”
The use of password managers is recommended by industry experts and leading government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). A password manager mitigates the risk of account compromise caused by weak credentials by generating complex, unique passwords for all of a user’s accounts and storing them in an encrypted vault. The vault is unlocked with the user’s “master password”, from which the vault’s decryption key is derived on the user’s own device, so both the password and the key are known only to them. Users therefore need remember only a single master password to gain access to all of their accounts.
If Your Provider Is Breached, Secure Your Accounts
If a user has been affected by a password breach—be that because their provider was breached, or because one or more of their passwords have been exposed in a wider credential theft attack—there are three steps they should take to ensure their accounts are safe.
- First, they need to lock their finances with their banks and credit providers, to ensure that a threat actor can’t steal any money from their accounts.
- Second, they need to change all the passwords that have been compromised. “Go to every single site, system, and application that you use, and make sure you have a high strength, random password for each one,” says Darren. “It should be a minimum of twelve characters and contain letters, numbers, and symbols.”
- Finally, if a user found the security of their accounts to be compromised because their provider was breached, they may want to consider moving to another provider. In this case, they should “do the research and move,” Darren advises. “You want to have peace of mind; you don’t want to have to lose sleep at night… A lot of these tools have import wizards, where you can import your entire vault from alternative products straight into the application. It’s fast, it’s easy, and it’s very secure.”
When Choosing A Password Manager, Prioritize Security
As the recent breach of LastPass shows, cybercriminals are increasingly targeting service providers in an attempt to reach the data of their customers. Threat actors are continuously finding more sophisticated ways to carry out their attacks, and it’s inevitable that some of those attacks will succeed. However, this doesn’t mean that we should turn away from using these types of products altogether.
“It’s important to remember that just because one company had a breach, that doesn’t necessarily mean that the entire industry has a problem,” Darren tells Expert Insights. But, he adds, if you’re looking for a new password security provider, there are two main areas you should look into before investing.
First, make sure the product is built on a zero-trust infrastructure, using a zero-knowledge architecture. Multi-layered encryption is a key component of this, Darren explains. Most password managers unlock the vault with a key derived from the master password, but it shouldn’t stop there. The strongest solutions also implement layers of encryption at a folder and file level within the vault.
“When every single record has a unique key, it’s very difficult for a cybercriminal to decrypt an entire vault—even if they’re able to steal the binary and gain access to the end user’s device,” Darren explains.
Second, make sure there is transparency and clear documentation not just regarding the security of the product, but of the organization providing it.
“Is the organization FedRAMP and StateRAMP Authorized? Is it ISO certified in Europe? These types of key security certifications should be stated in the company’s documentation as part of their website.”
The Future Of Password Security In A Passwordless World
The identity security industry is evolving, with many technology providers—including Microsoft and Apple—encouraging their users to go passwordless and use FIDO authentication technologies.
But despite this push toward passwordless authentication, password managers are still a critical part of any organization’s security infrastructure, says Darren, though they need to evolve and embrace the changes to the identity space.
“We have passwordless technology built into our application already, and with this movement toward Passkeys, we will be integrating with that,” he says. “The idea of having something that’s secure and elegant is always going to be appealing.”
However, he emphasizes the need for organizations to realize that passwordless is a feature, not a full security solution.
“When you authenticate into any website, application or system seamlessly and elegantly, e.g., by using Security Assertion Markup Language (SAML) coupled with biometric authentication, that works beautifully. But how do you handle the full end-to-end encryption for every single credential, secret, all of your metadata, and all of the sensitive files?”
Authentication and encryption are not the same; they should be used in tandem. And password managers can help unify the two by providing support for seamless authentication, as well as secure, encrypted storage of not only passwords, but sensitive metadata and files that mustn’t fall into the wrong hands. “The technology has some way to go,” Darren says, “but I think that the vendors are working together to build more elegant, robust solutions that can unify passwordless with authentication and full end-to-end encryption.”
You can read the complete Expert Insights Q&A with Darren Guccione here.