Online password management with my1login
by Berislav Kucan - Wednesday, 29 May 2013.
In this day and age when everything moves from client computers to the cloud, a number of companies started providing online password management services. I recently attended Infosecurity Europe where I met with Mike Newman, CEO of my1login. His take on the security aspects of the service his company provides was quite interesting, so I decided to take a look at it.

my1login comes in two versions - Personal and Business - and I have tested them both. I'll start with the consumer version, as the enterprise product is built upon the same technology with specific functions that would be of interest to corporate users.

Security aspects

The product is basically transferring all of the functions of your typical desktop-based password manager online. The first thing that crosses my mind when considering this type of service is: "How secure is it?"

While I'm not that keen on moving private data of this kind to a place accessible to anyone, the my1login team took things seriously and they have implemented a number of security layers into their products.

Layer 1: Communication between the client and the my1login.com web site uses SSL - something that is rightfully expected of every site where a user needs to login or execute a transaction.

Layer 2: Users need to authenticate to the service via the login page sporting an atypical input form. Instead of entering their password (password policy is enforced), they are prompted to enter three random positions of the characters from their password. This approach is meant to thwart keyloggers.



Layer 3: Login details are stored on my1login.com using client-side AES 256 bit encryption. A custom phrase with multiple words is used for encrypting all the passwords in the account, making private data inaccessible to my1login. This key is stored only in a temporary memory space within the browser. For security reasons, the session times-out after a period of inactivity.

Every password or phrase input field has an on-screen keyboard alternative meant to further foil keyloggers. In order to protect the account holder, my1login automatically deactivates it following an undisclosed number of failed login attempts. You can get your account back by contacting their support.



my1login Personal

The personal version comes as a free solution with certain limitations when it comes to the number of login combinations you can store. You start with 15 logins, but you can interact with the system to raise the number, for example by tweeting or mentioning the service on Facebook.

If you don't want to do this, you can always pay a monthly ($2.50) or a yearly ($24) fee and upgrade to the Pro account. Besides the unlimited logins, the Pro account removes potential advertising from the web interface and the affiliate links it adds to specific bookmarks. Inserting affiliate links to sites like Amazon inside a security-focused product does not seem like a good idea, but you can always upgrade to Pro and get rid of them.

The bookmarks can be added via the user interface on my1login.com, or directly from the web site you want to logon to. The system uses a bookmarklet which can be installed in the bookmarks bar of your browser (IE, Opera, Safari, Chrome, Firefox). It contains javascript code, so have in mind that certain browsers like Internet Explorer will raise a security alert when you drag and drop it into the bookmarks bar. 



When opting for the manual approach and setting up new user credentials to web sites you want to access, you are provided with a password-generating engine that will enforce strong passwords.

When setting up accounts to sites like Twitter or web mail providers, the system provides an additional "I" icon next to the bookmark name. By clicking it, the screen on the right changes and should show a list of your recent tweets or received emails, but this feature is currently unavailable, and presents a note saying "my1login feeds currently disabled".



You can edit your bookmarks online and even share them with your colleagues. By doing this you are securely sharing specific user credentials with another my1login user. Good idea!

While the bookmarklet is installed in your bookmarks folder, you won't be able to use it directly when visiting a web site whose credentials you stored, as this option is available only in the business version. In the personal version, you'll need to start from the my1login.com interface, click on the link and then on the bookmarklet. If you try clicking the bookmarklet directly on a web site, you will be transferred to my1login where you'll need to pass through the steps I just enumerated.

The user interface is quite fast and it worked without a glitch in a couple of browsers I tried it on (Safari, Firefox).

my1login Business

The business version is aimed at the enterprise market and uses the same technology backbone as my1login Personal. After creating the first user, you will be prompted to choose whether you will be the administrator, a user, or whether you will share the admin role with someone.



The business version has a completely different interface. While the Personal version has the feel of a desktop application, this one seems simpler and sports a Web 2.0 look we all are used to by now. As a side note, my1login is planning an overhaul of the Personal version later this year with improvements to the user interface and experience.

The Business version includes the ability to:
  • Create users and workgroups
  • Share credentials with specific colleagues or workgroups
  • Log actions, allowing the administrator to gain insight into the users' web site usage (via logons)
  • Assess the security of the company's overall password policy.



The system works flawlessly. After having had to spend a portion of the last few reviews I've written on bugs and usage issues, I'm glad that I can skip it this time.

my1login Business is free for companies with up to 3 users, but the logins are limited to 15. For other use levels and prices, check out the company homepage (https://www.my1login.com/business/pricing.php?c=1). For now, the backends for the enterprise and consumer products are not aligned, so you won't be able to use the same account to access both versions. As I was told, this will change later this year.

The company recently addressed an issue that worries everyone who uses online services for storing data, namely "What happens in case the product is discontinued or the company goes under?"

my1login stresses out that they are confident in the product, their funding position and the longevity of the business, but they are working on a feature which will enable users to securely store a local copy of their data. There is a difference between online data backup services and online password managers - in case of absolute mayhem, you will lose your data, but you can always reset your passwords and get access to the web services you use.

If you are comfortable with moving this type of private data to the cloud, my1login is a service that you should definitely try out.



Spotlight

Intentional backdoors in iOS devices uncovered

Posted on 22 July 2014.  |  A researcher has revealed that Apple has equipped its mobile iOS with several undocumented features that can be used by attackers and law enforcement to access the sensitive data contained on the devices running it.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Jul 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //