Spotting compromised passwords before it’s too late is a tough task; there are only some vague and obvious things to look out for.
Unsecured, reused, and weak passwords are among the main cybersecurity threats, affecting not only social media users but also large companies and governmental institutions. Exposed passwords mean identity theft, financial losses, and many other long-term consequences.
Now, society is aware of the importance of password managers. Yet it’s rather difficult to identify the most important features to look for, and it’s crucial to know what additional measures improve online security. The Managing Director of the Psono password manager, Sascha Pfeiffer, agreed to share his views on cybersecurity with the Cybernews team.
Let’s go back to the very beginning. What did the development of Psono look like?
It was in 2015 that I decided to program Psono. No solution existed at that time that would allow a company to host a service on their servers to manage passwords with client-side encryption of all the stored secrets. I talked a lot to my friends about how it should work or what my cryptographic approach looked like and, to some extent, probably bored them to death. The first public version was released in 2017 and then extended over time, first with extensions, files, and apps for iOS and Android. All that was just a side project; basically my complete free time, weekends, and holidays went into the product. In 2020, I decided that I wanted to pursue this and founded esaqa GmbH, which was a tough choice to make at that time. COVID was at its peak and toilet paper was rare… But the choice paid off and we gained quite a few customers even without any real marketing; people who had used our community edition before were purchasing our enterprise product. The election of the new German government, with its commitment to users having the right to encryption, was a huge relief. Before, it looked like the German state could require software vendors to implement backdoors, which is now completely off the table.
Can you introduce us to your password manager? What are its key features?
Psono allows you to store and share passwords securely with co-workers and family members. There are a couple of points that make Psono stand out. First, you can host things on your own servers. This decentralized approach makes it extremely resilient against attacks in comparison to vendors that host things centrally for their clients, where a single vulnerability will expose all passwords of all clients. Psono’s stack is open source and as such can be audited for vulnerabilities and backdoors. As a German vendor, we provide privacy-committed alternatives to other solutions. All passwords and other secrets are encrypted before they ever leave the user’s device and can only be decrypted by the user. All entries can be shared with other users, and an extensive permission concept with groups allows extremely flexible configurations, making it a perfect choice for companies.
What was the vision behind making Psono open source? Can you tell us more about the ins and outs of open source security software?
Being open source is part of our security model. You should not trust any software that you cannot audit. This is especially true for one of your most crucial pieces of software, a password manager. There is of course an intrinsic love for open-source software. When I think back to how I felt when my first Ubuntu booted on my laptop, I become quite nostalgic. So, we all stand on the shoulders of giants, and without open-source software we would all live in the IT stone age. Being open source also has other advantages, as it provides access to some marketing channels that are exclusively available to open-source vendors.
Some experts say that we are currently moving towards a passwordless future. What are your thoughts about this approach?
The trend is usually repeated by vendors of solutions that try to sell their software as the solution to this issue. I believe passwords won’t disappear in the next 30 years. The problem is that no proper solution has emerged so far. Usually, they have multiple downsides. Legacy tools usually cannot be connected. Implementing a solution across all devices, software, and systems is hard. Public options like all these OAuth services carry the risk of the service closing your account or denying you access for some reason, causing you to lose all your connected accounts. Passwords have a lot of problems, yet all the currently known alternatives have their issues.
Have you noticed any new threats arise as a result of the current global events?
I want to be careful, yet I honestly don’t think that there are new threats arising from the current global events. There is for sure more desire for security and protection, yet the IT security side could only benefit moderately. This can for sure change quite quickly if new hacks become public.
In case of a security breach, what should be the first steps for a business to protect its workload as well as its customer data?
The first step would be mitigation. Try to unplug the internet and network, and power off servers and services to prevent any further damage. The second step would be to start services again in an isolated fashion and try to identify what happened and how it happened, potentially with some external help from professionals who will help you answer these questions. The third step would be to inform affected customers. Explain the details and potential risks. When you bring up your services again, rotate credentials and make sure that the attacker didn’t leave any backdoor that he could use to regain access to the systems. Investigate how to prevent problems of a similar nature in the future and implement those guards. Usually, that’s where password managers come in if the company doesn’t have one yet.
How can one find out if their password has been compromised? Are there any early warning signs that can often be overlooked?
It’s usually quite hard to spot compromised passwords; there are only some vague and obvious things to look out for, like suspicious activity, email notifications of changed passwords or logins from unknown locations, or bank transfers that you haven’t authorized. Psono has a nice feature included that checks public services like haveibeenpwned.com for known password breaches, so it will detect if your password was ever compromised. Usually, it’s better to think preemptively. What you can do to prevent your password from being compromised is use truly random passwords and never reuse passwords; that’s where a password manager is your only choice.
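The haveibeenpwned.com check mentioned in the answer above relies on the Pwned Passwords range API, which lets a client test a password without ever sending it: only the first five hex characters of the password’s SHA-1 go to the service, the service returns every suffix it knows for that prefix with a breach count, and the comparison happens on the client. The Python below is an added example, not Psono’s code. The endpoint URL is the real one, but the example runs offline against a constructed sample response whose counts are made up; the `fetch_range` helper shows the live call and is not exercised here.

```python
"""k-anonymity password breach check in the style of the Pwned Passwords
range API. Added example (not Psono's code); runs offline against a
constructed sample response."""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the service, suffix that never leaves the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def query_url(password: str) -> str:
    """Only the 5-character prefix appears in the request URL."""
    prefix, _ = split_hash(password)
    return RANGE_URL + prefix


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real service).
    Padding lines with count 0 are kept; they are simply never matched."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Local comparison. range_body is assumed to be the response for this
    password's own prefix; 0 means the suffix was not in the list."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (not exercised offline). Add-Padding asks the service to
    pad the response so its size does not reveal which prefix was queried."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts
# with 5BAA6). The breach count and the two filler lines are made up.
SAMPLE_RANGE_BODY = "\r\n".join([
    "A" * 35 + ":3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "B" * 35 + ":12",
])

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", query_url(pw), "count:", breach_count(pw, SAMPLE_RANGE_BODY))
```

A password manager doing this check would call `fetch_range` with the prefix from `split_hash` and then `breach_count` on the reply; the password and its full hash stay on the device throughout.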
Besides strong authentication, what other security tools do you believe everyone should incorporate into their lifestyle?
There are a lot of tools, yet as most attacks go through email, I would say a proper email service provider is your first line of defense. Gmail and Outlook do a really good job of preventing spam and phishing and blocking suspicious content. The second most important tool that you can implement is two-factor authentication. Use it wherever you can. We partnered with Yubico to implement support for YubiKeys in Psono (next to alternatives like Google Authenticator and others). A second factor prevents most of the downsides that passwords are criticized for.
Share with us, what’s next for Psono?
I don’t know where I should start. Product-wise, we are currently working on a new version of our web client that was completely rewritten. The app is another major construction site, as we want to make it the best-in-class app for passwords. Business-wise, I am not yet allowed to say anything, yet there are some huge corporations on the way that will provide customers with broad access to password managers.