Best practice to keep your trade secrets private: avoid Password Managers

by Paul Rubell, Esq.

Information is the currency of 2017. For this reason it is mission-critical to keep data currency safe, secure and private. Just as gold bricks should be stored in a physical safe, data needs to be kept secret electronically.

Passwords are the key to enter the digital vault. Strong passwords are designed to thwart hacking attacks but their drawback is that they can be difficult to remember. A weak password such as “123456” can be memorized, but a more clever password like “A1@b2*C3(d)Zx4#” can be readily forgotten. And when numerous passwords are deployed to protect data further, the problem is exacerbated. There are many ways to keep track of passwords. Although no single method is fool-proof, some techniques are more iron-clad than others.

In order to achieve data privacy, software developers urge their customers to purchase password manager applications. Some apps store passwords in the cloud on a remote web server; others host the electronic keys locally on a mobile or desktop device. In addition, some apps generate complex passwords using mathematical algorithms and store them in a data capsule. No matter how an app’s technology functions, the unifying theme is to secure all points of entry to electronic information in a single place. Experts urge us to use password manager applications for this reason. By the way, it does not matter whether an app is free of charge or not. What really matters is the app’s functionality and security.

As a result, many people download password managers for their Android phones such as LastPass, Keeper, 1Password, My Passwords, Dashlane Password Manager, Informaticore Password Manager, F-Secure KEY, Keepsafe, and Avast Passwords. Each of these popular apps has been downloaded from the Google Play store between 100,000 and 50 million times. What a relief to know that one’s data currency is secured and encrypted.

Unfortunately their security is just vaporware. On February 28, 2017, a group of German security experts issued a report showing that all nine of these apps contain vulnerabilities that make them susceptible to compromise by hackers. In some cases the master key that locks the cryptic safe is stored in plain text, visible to the naked eye let alone to a computer. In other cases features that have been designed to make the apps user-friendly, such as auto-fill, are themselves insecure. To make this point crystal clear — the software developers built their apps with vulnerabilities built in.
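To make the "master key stored in plain text" finding concrete, here is an added illustration (constructed for this post; it is not code from any of the apps named above or from the German report). The first record shows the flaw the report describes: the secret that unlocks the vault is written to storage verbatim, so anyone who can read the file has it. The second shows the expected alternative: the key is derived from the master password with a salted, iterated key-derivation function (PBKDF2-HMAC-SHA256 here) and only the salt and a verifier are stored, so the stored record never contains the master secret. Encrypting the individual entries with the derived key is left out because the standard library has no AES; the point is what is and is not written to disk.

```python
import hashlib
import hmac
import os

VERIFIER_LABEL = b"vault-verifier"  # fixed label, constructed for this example


def insecure_vault_record(master_password: str) -> dict:
    """The flawed design: the master secret is stored in plaintext beside the entries."""
    return {"master_key": master_password, "entries": {}}


def leaks_master_secret(record: dict, master_password: str) -> bool:
    """Defender's check: does the master secret appear verbatim in the stored record?"""
    return master_password.encode("utf-8") in repr(record).encode("utf-8")


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Derive a 32-byte vault key from the master password; never store the result."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def create_vault(master_password: str, iterations: int = 600_000) -> dict:
    """Store only a random salt, the iteration count and a keyed verifier."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier, "entries": {}}


def unlock_vault(record: dict, master_password: str):
    """Re-derive the key and compare the verifier in constant time; None on failure."""
    key = derive_vault_key(master_password, record["salt"], record["iterations"])
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    if hmac.compare_digest(candidate, record["verifier"]):
        return key
    return None


if __name__ == "__main__":
    # Constructed sample master password, used only to drive the demonstration.
    sample = "example-master-passphrase"
    bad = insecure_vault_record(sample)
    good = create_vault(sample)
    print("plaintext design leaks secret:", leaks_master_secret(bad, sample))
    print("derived-key design leaks secret:", leaks_master_secret(good, sample))
    print("unlock with right password:", unlock_vault(good, sample) is not None)
    print("unlock with wrong password:", unlock_vault(good, "not-it") is not None)
```

The check is deliberately simple: if a stored vault record can be searched for the master secret and found, the encryption around it is decorative. A record built the second way stores nothing that lets a reader recover the password short of a brute-force attempt that the salt and iteration count are there to slow down.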

Relying on an app in the cloud to keep a company’s trade secrets private is irresponsible.  If you need a financial incentive to protect your company’s golden eggs, you should be aware that some cyberliability insurance policies exclude data breaches from insurance coverage, if the breach might be related to the company’s use of insecure software applications such as password managers. It is incumbent upon each of us to design protocols and corporate policies that maintain the integrity as well as the privacy of the gate-keepers to our most important and vulnerable trade secrets.

Caveat emptor. Let the buyer beware. Best practices demand more from each of us than downloading apps from that iCandy Store in the Cloud. The Google Play store is insecure, as are the password manager apps that are available for download there. After decades of building your business, it is reckless for you to rely blindly on public software to protect your golden goose. Your company does not want to litigate and you do not want to lose a shareholder derivative lawsuit claiming that you breached your fiduciary duty by failing to secure information.

Take due care and exercise due caution.  Get expert advice.  Purchase cyberliability insurance.  Develop best practices.  Build a digital Fort Knox to keep safe your business’ trade secrets.
