What LastPass security issue means for RoboForm (Q&A)

After LastPass reported a possible security breach and potential theft of some of its users' master passwords last week, we wondered what it meant for other password managers, such as RoboForm.

Both LastPass and RoboForm help you create and manage strong passwords to log into the increasing array of secure Web sites that we all juggle these days. But is there an inherent vulnerability in relying on a single service to keep track of all your passwords? Should RoboForm users be concerned about the possibility of a similar "anomaly" exposing any of their data?

To answer those questions and learn how RoboForm strives to keep its own customers' data secure, CNET recently spoke with Bill Carey, RoboForm's vice president of marketing.

Q: Bill, from what you may know of what happened at LastPass, what was your take on it?
Carey: That's a good question. I don't think anybody really knows what happened yet. I'm not even sure LastPass really knows what happened yet. I've read some of the articles and I read their blog, and they said there was an anomaly. It appears someone had access to their servers for a certain amount of time and that there could've been a transfer of data. But I don't think it would be fair for me to comment on it because I'm not really sure what happened yet. But I appreciate that you're writing it from our standpoint because no one's really thinking about "well, who else is out there and what are they doing and how are they protecting [their data]."

Yeah, and that is more the point I wanted to get to. Assuming there was some kind of loss of data or breach at LastPass, can you describe RoboForm's security methods? What do you say to RoboForm users who may now be concerned about storing their data and passwords using a similar method?
Carey: First and foremost, the biggest difference between us and LastPass is that RoboForm by default stores your information on your computer. It's encrypted on your computer and it's always available from your computer. We have an optional RoboForm Everywhere service, which allows you to sync [your passwords] to the cloud. But primarily, we have always focused on the computer as being the hub for your information. It's going to be more secure on your computer naturally than it would be in the cloud. It'll be more secure in the sense that the likelihood of a hacker hacking into an individual computer is going to be less than [hacking into] 10,000 users with all their passwords in the cloud. So our focus has always been on the PC.

OK, so if the passwords are stored just on the PC, then it's up to the users to keep them protected and secure.
Carey: On the PC they have a master password, and then it would be up to the users to secure their PCs. But even more than that, hackers by their nature aren't going to go after individual PCs if they can go after a server with 10,000 users.

So then let's turn our attention to the RoboForm Everywhere option. How is that secure? What can you say to users who've opted for that service and may be concerned about their passwords being stored in the cloud?
Carey: Well, we believe our RoboForm Everywhere service is completely secure. We don't store your master password anywhere in the cloud, so you have that same security that you have on your PC. If someone were to access the server from the outside and download your data to their own PC, they would still need to know your master password in order to decrypt that information. I believe LastPass said they were worried about brute force attacks against peoples' master passwords.

I think they seemed to feel that if someone had a strong non-dictionary master password, then they were pretty much in the clear. But if someone had a weaker, more easily decipherable master password, then there was some concern.
Carey: And I think they're right about that. I think inherently if you have a strong master password, it's going to be difficult for someone to get that password and have access to that data, whether you're using RoboForm or LastPass. Now with ours, one of the things that makes RoboForm less subject to brute force attacks is that you'd have to script your brute force attack to actually go through the RoboForm software itself. And so it's going to be infinitely slower to try to brute force attack somebody because you have to write your script to use every combination of words that you want, it has to go through the software, and the software is going to have to return a value as to whether or not that worked. And that's going to be slower than if you have to brute force attack without that layer of software that we have. There's that extra layer of protection in there just by default.

One other difference between RoboForm and LastPass is that all of the RoboForm information is stored by default on your PC, even with RoboForm Everywhere. So if we were subject to some type of attack, let's say a power outage, you would still be able to log into all of your Web sites as you normally would. So all of these LastPass users who were getting shut out and weren't able to log into anything, that wouldn't happen with RoboForm Everywhere because there's a local copy of each individual file stored on your own PC.

What are the general recommendations that you give to your users? Obviously, number one would be to definitely use a master password.
Carey: Right. Definitely use a master password. Take all the normal security precautions you would with a master password. Make it difficult for somebody to guess but easy for you to remember. Some combination of letters and numbers, and if you can, special characters. You also can have a different RoboForm Everywhere password than your master password. You can have that second level of protection by having two different passwords. So the RoboForm master password provides the encryption, but then your access control is through your RoboForm Everywhere password.

We've also secured our servers at a Tier-1 hosting facility. We've done all the access controls. All the data between the computer and the server is encrypted. But whenever you're dealing with stuff on a server, there's always an inherent risk of security. There's always going to be someone out there trying to hack you. But we believe we've put in strong security measures in order to prevent this type of thing from happening.

Is the whole concept of using passwords something that needs to be rethought? There's always been talk of other types of authentication methods, such as biometric security, fingerprints, etc. Do you think the industry needs to look beyond passwords, or are these biometric methods more like science fiction at this point?
Carey: I think that's a good way to put it. I think things like retina scans and biometric authentication and things along those lines are still science fiction at this point. I don't think they're user friendly yet. I don't think they're totally secure yet. There are a lot of fingerprint [readers] that will recognize your fingerprint. But a hacker can just go in there and bypass the biometrics. When you scan your fingerprint, your fingerprint returns a value of true or false, and a hacker can go in there and fake out the true or false response. So I don't think fingerprint readers are necessarily secure. Now I think if you use them in conjunction with [passwords] then you have a win-win situation. Then you have the two factor authentication, which would make it a little harder for people to crack.

Does RoboForm offer fingerprint reading as an option or alternative to a master password?
Carey: We do have some fingerprint support now and we're working on improving it. And you'll be able to do it as either a single factor where the fingerprint will actually work in conjunction with the existing master password. So if you swipe your finger, it'll give you access. Or you'll have the option of doing it so that you need to supply both a fingerprint and a master password.

In light of the LastPass incident, have the folks at RoboForm talked about making the product more secure, or are you comfortable with the security you have it place?
Carey: We're comfortable with the security methods we have in place now. But at the same time, we never rest. We're always thinking about ways to make things more secure and harder to access. We've had some conversations about what we need to change, if anything, but we don't have any immediate action items right now.