It might seem to you that not getting hacked is mostly luck. We all know someone who has been hacked while seemingly doing everything right. There isn’t a clear definition of what it takes to stay safe on the Internet.
The good news is that the overwhelming majority of successful attacks on ordinary people come from two simple and preventable vectors: weak or reused passwords, and social engineering ⬇️
A Story of Passwords and Phishing
The problem with passwords is that even seemingly great passwords are easy to steal. Any castle is vulnerable if you have a key to the front gate. Instead of typing rapidly on glowing computer terminals with green text in order to “hack the mainframe”, these days hackers simply send out massive amounts of email and text messages to try and get you to give them your credentials.
Phishing is the most common form of social engineering since it’s ridiculously easy for hackers to do. They can send out massive amounts of emails every day for little cost. Even though the vast majority of them don’t get opened, it only takes a few unwitting people to click on them to make money.
The bad news is that a single click can be enough. A malicious link usually leads to a convincing copy of a real login page, or to a proxy that silently sits between you and the real site. Either way, whatever you type is captured, and with a proxy the attacker also receives the session cookie the site issues once you log in. That cookie lets them masquerade as you for as long as the session lasts, which is typically long enough to change the password or the recovery settings on the account, locking you out and taking complete ownership. So, to be safe on the Internet, do not click on suspicious links, and never enter a password on a page you reached from a message. Better still, don’t open suspicious messages at all. For examples of phishing emails and messages, see our forum.
There are other avenues of social engineering as well. With the rise of AI, attackers can now clone a person’s voice from a short sample of recorded speech and use it over the phone. This is a new and extremely pernicious form of attack that is very difficult to protect against and can be devastating for families. Imagine you get a call from an unknown number; on the other end is a voice that sounds exactly like your child, asking you to wire $10,000 for bail. The urgency of the call makes you act, and few people would blame you for losing that $10k. The one reliable defence is to break the urgency: hang up and call the person back on a number you already have, or agree on a family code word in advance.
But it’s not all doom and gloom! Keep reading to learn more about what can happen when you get hacked and how to avoid it completely.
What’s the Damage Doc?
There are different levels of consequences depending on the type of hack that has occurred. There are many different types of hack, but for simplicity let’s classify three. In order of severity:
(1) Re-used or master password hacks are the worst by a large margin, because they allow a hacker to fully impersonate you.
Let’s imagine that someone phishes your Gmail account. Well, now they have complete access to your email. You know, the account you use to reset all your other passwords! That’s what we refer to as a “master” account. A master account enables hackers to impersonate you wholesale, with little or no recourse. This can result in bank fund withdrawals, new lines of credit in your name, and a completely stolen identity.
If you re-use the same password, or a variant of it, everywhere, then you’re in bad shape, since a (3) can instantly become a (1): a password leaked from one unimportant account gets tried against your email and bank accounts. Don’t think you’re fooling the hackers by adding an extra exclamation mark to your bank password; password-cracking and credential-stuffing tools try such variations automatically.
(2) The consequences of a device hack can be drastic, though usually more limited than a master account hack. In the worst case, a hacked device leads to a master account being hacked too, since the device holds your logged-in sessions and saved passwords. You may also have to factory reset the device and lose any data that wasn’t backed up in the process.
(3) Single-account hacks, where one lesser account such as a social media profile is compromised or its content harvested, are the least severe on their own. The danger is in what they escalate to: a reused password turns them into a (1), and the photos and recordings they expose feed the AI impersonation attacks described above.
It’s Not Luck!
In short, all three are preventable:
Preventing (3) is easy: simply make sure your social media profiles are private. If you have a lot of content of yourself out there, just know the risk that entails and plan accordingly. With AI getting better every day, deepfakes and cloned voices are no longer science fiction.
Preventing (1) and (2) is far harder, and is the very reason Locke exists today. Firstly, a truly strong password these days is far different from days past. 8 characters is simply not enough, even with symbols, uppercase and all the other esoteric password requirements in place. 12 characters is much better, while 16 is the threshold to be truly secure and future-proof. The good news is that with a password manager you should only need to remember one 16-character password! We have a whole writeup on how to choose and remember a good password, and it’s probably very different from what you’re expecting (a long, randomly chosen all-lowercase password is fine; what matters is length and randomness, not symbols).
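To see why length beats symbol requirements, here is a small Python script (added for this page, not Locke’s code) that computes the entropy of each policy mentioned above and the expected time an offline guessing attack would need. The 10 billion guesses per second rate is an assumed figure for a GPU cracking rig against a fast hash, not a measurement, and the numbers only hold for passwords chosen uniformly at random, which is exactly what a password manager gives you.

```python
"""Compare password policies by entropy and by expected offline cracking time.
Added illustration, not Locke's code.  The guess rate is an assumption for a
GPU rig attacking a fast hash, not a measured value."""
import math
import secrets
import string

LOWER = string.ascii_lowercase                                          # 26 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption: high-end offline rig vs a fast hash


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly at random from `alphabet_size` symbols.
    Only meaningful for random passwords; human-chosen ones have far less."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected cracking time in years: on average the attacker tries half the space."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def random_lowercase_password(length: int = 16) -> str:
    """Uniformly random all-lowercase password from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(LOWER) for _ in range(length))


def compare_policies(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND):
    """Return (label, bits, years) for the policies discussed in the text, weakest first."""
    policies = [
        ("8 chars, full printable ASCII", 8, len(PRINTABLE)),
        ("12 chars, lowercase only", 12, len(LOWER)),
        ("16 chars, lowercase only", 16, len(LOWER)),
        ("16 chars, full printable ASCII", 16, len(PRINTABLE)),
    ]
    rows = []
    for label, length, alphabet in policies:
        bits = entropy_bits(length, alphabet)
        rows.append((label, bits, years_to_crack(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for label, bits, years in compare_policies():
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years")
    print("example 16-char lowercase password:", random_lowercase_password())
```

The ordering is the point: 16 random lowercase letters (about 75 bits) are far stronger than 8 characters drawn from the full keyboard (about 52 bits), and the 8-character policy falls in days under the assumed rate while the 16-character one takes tens of thousands of years. A site’s slow password hashing helps, but you cannot count on it, so treat the fast-hash figure as the planning number.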
Secondly, knowing what a malicious link looks like is very difficult. Hackers are smart and they develop new ways to trick people every day. The simplest way to avoid this is to stay educated on what malicious links look like and the patterns hackers use to make their websites look legitimate. A useful habit: never log in from a link in a message; open the site from a bookmark or by typing the address yourself. Here is a link to some phishing examples. If you’ve seen or fallen victim to a phishing attack recently, do your part to let other people know by adding it to our community list of phishing attempts.
Locke is currently working on a machine-learning phishing filter that can automatically protect you from malicious links. Stay tuned!
Locke provides an easy interface to use strong unique passwords on every website. We also provide a secure way to share passwords with family members and a social recovery option that is far more secure than email password resets.
Any password you store in Locke is encrypted with XChaCha20, a modern, widely vetted cipher whose extended 192-bit nonce makes it safe to use with randomly generated nonces. On top of that, all sensitive operations such as social recovery and password resets use a post-quantum secure handshake based on CRYSTALS-Kyber, the key-encapsulation mechanism NIST has standardized as ML-KEM (FIPS 203). Together this gives three layers of encryption, designed to keep your passwords safe even against attackers who one day have quantum computers.
Locke uses Shamir’s Secret Sharing and CRYSTALS-Kyber to create a complete end-to-end secure environment for resetting your password. This is in stark contrast to other password managers that either (a) don’t have a recovery mechanism or (b) keep a copy of your keys in order to provide recovery services. Locke’s social recovery feature is end-to-end encrypted and fully recoverable: your recovery secret is split into shares held by people you trust, and a threshold of them must cooperate to reconstruct it.
Additionally, your recoverers receive absolutely no information about your password, because Shamir’s Secret Sharing is information-theoretically secure: any set of shares below the threshold is equally consistent with every possible secret, no matter how much computing power an attacker has. The flip side is that the threshold is the whole defence: a group of recoverers that reaches it can reconstruct the secret, so choose them carefully.
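The split, the threshold recovery, and the “below the threshold, every secret is equally likely” property from the two paragraphs above, as a toy Shamir’s Secret Sharing implementation in Python. This is an added illustration, not Locke’s code: it works over the prime field GF(2^521 - 1), places share i at x = i, uses Lagrange interpolation for recovery, and the key it splits is a constructed 32-byte value. A real deployment would also authenticate shares and bind them to the holder; that is out of scope here.

```python
"""Toy Shamir's Secret Sharing over GF(p).  Added illustration, not Locke's code.
Shows: splitting a secret into n shares with threshold k, recovering from any k,
and why k-1 shares carry no information about the secret at all."""
import secrets

# 2^521 - 1 is a Mersenne prime; large enough to hold a 64-byte secret as one field element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..] at x (Horner's rule), mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _lagrange_at(points, x):
    """Evaluate the unique polynomial of degree < len(points) through `points` at x, mod P."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def split_secret(secret: bytes, k: int, n: int):
    """Split `secret` into n shares (x, y) such that any k of them recover it."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret_int(shares) -> int:
    """Interpolate the shares and read the constant term (the value at x = 0).
    With fewer than k shares this returns a meaningless field element, not an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x coordinates")
    return _lagrange_at(shares, 0)


def recover_secret(shares, length: int) -> bytes:
    """Recover the secret bytes from at least k shares (extra shares are harmless)."""
    value = recover_secret_int(shares)
    if value >= 1 << (8 * length):
        raise ValueError("recovered value does not fit: too few or wrong shares")
    return value.to_bytes(length, "big")


def share_consistent_with(partial_shares, guessed_secret: bytes, x_missing: int) -> int:
    """Given only k-1 shares and ANY guessed secret, return the y value that a k-th share
    at x_missing would need for the guess to be 'correct'.  Such a share always exists,
    so k-1 shares are consistent with every possible secret: they leak nothing."""
    guess = int.from_bytes(guessed_secret, "big")
    return _lagrange_at([(0, guess)] + list(partial_shares), x_missing)


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed demo secret
    shares = split_secret(key, k=3, n=5)     # five recoverers, any three suffice
    assert recover_secret([shares[0], shares[2], shares[4]], 32) == key
    # Two recoverers colluding: every candidate secret is equally consistent with what they hold.
    two = shares[:2]
    for guess in (bytes(32), b"\xff" * 32, key):
        y = share_consistent_with(two, guess, x_missing=5)
        assert recover_secret(two + [(5, y)], 32) == guess
    print("recovery with 3 of 5 works; 2 of 5 fit every possible secret")
```

The last loop is the information-theoretic argument made concrete: for any secret the two colluding holders care to guess, there is a perfectly valid third share that would make that guess correct, so the shares they hold cannot favour one secret over another. Recovery, by contrast, needs nothing but arithmetic once the threshold is met, which is why the choice of recoverers and of the threshold matters more than any cipher in the design.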