I had an informative chat with Keeper Security CEO Darren Guccione at Chicago Techweek. Its description says it’s “a secure and easy-to-use password manager and file-vault.” Made me think of LastPass and 1Password. Digging a little deeper, however, Keeper Security is more like LastPass and Dropbox on encryption and security steroids, with Mission: Impossible self-destruct mechanisms.
I wanted to know more, and here are three take-aways from my talk with Guccione.
Security and Encryption
Its Security page on its website states the following:
KSI does not have access to a customer’s master password nor does KSI have access to the records stored within the Keeper vault. KSI cannot remotely access a customer’s device nor can it decrypt the customer’s vault. The only information that Keeper Security has access to is a user’s email address, device type and subscription plan details (e.g. Keeper Backup). If a user’s device is lost or stolen, KSI can assist in accessing an encrypted backup file to restore the user’s vault once they have replaced their device.
Information that is stored and accessed in Keeper is only accessible by the customer because it is instantly encrypted and decrypted on-the-fly on the device that is being used – even when using the Keeper Web App. The method of encryption that Keeper uses is a well-known, trusted algorithm called AES (Advanced Encryption Standard) with a 256-bit key length. Per the Committee on National Security Systems publication CNSSP-15, AES with 256-bit key-length is sufficiently secure to encrypt classified data up to TOP SECRET classification for the U.S. Government.
The cipher keys used to encrypt and decrypt customer records are not stored or transmitted to Keeper’s Cloud Security Vault. However, to provide syncing abilities between multiple devices, an encrypted version of this cipher key is stored in the Cloud Security Vault and provided to the devices on a user’s account. This encrypted cipher key can only be decrypted on the device for subsequent use as a data cipher key.
That sounds technical and complicated. I’m skeptical of technical and complicated. Guccione explained it by giving the example of a hacker somehow gaining access to the vault. All the hacker will have is binary code. The system is designed so that the user keeps the encryption keys.
Let me repeat that. The USER, people like you and me, always have the encryption keys, not Keeper.
I asked what happens if the government comes knocking, or Keeper gets served with a subpoena. The same thing: the government or whomever gets the binary but there is nothing else Keeper can do. Only the user can decrypt the data.
That raised some other questions for me, especially while he talked about perfect forward secrecy as I heard that mentioned once before. After the security sessions on Saturday, I got the impression that perfect forward secrecy is used by those thinking ahead, like Keeper Security and Wickr.
Self-Destruction and Restoration
Next obvious question: what happens if my device gets lost or stolen? I’m thinking of remote wiping my phone, and the general nightmare of having to reset all of my passwords for sites and apps I use every day, and hoping I don’t forget to reset ones that are also important but not often used. Guccione showed me, on his iPhone, what happens when you use the wrong password for the Keeper app. After four failed attempts, the app self-destructs. Poof! It’s gone.
I am notorious for forgetting passwords, a point Guccione hears often, and he told me that now all I had to do was remember one password: the Master Password. So I installed Keeper, set myself up and went about the conference. Sure enough, yesterday in fact, I forgot my Master Password. Five tries and poof! The FAQ makes it clear that DOING SO ERASES EVERYTHING in your Keeper profile, on your device. The data sits, in binary, in a vault, and the Support team can only tell me the date of the last sync. Once my Master Password is reset, I can do a restore. Whatever was there at the last sync shows itself.
I was running out of reasons not to like this app, so I thought of all the websites and apps that require user names and passwords, most of which I would have to reset and then enter into the app. Guccione was way ahead of me.
This about sold me.
Creating complicated passwords is easy. Since I often reset my passwords, there’s really no point in creating ones I can remember. Resetting passwords is annoying, and sometimes time consuming if I’m not near a laptop. Keeper solves all of this with a dice icon. Just press it and a new random, complicated password is generated.
Big whoop, right? Cracking passwords is a hobby for some, as breaches this year have demonstrated. As if sensing my skepticism, Guccione explained that testing revealed it would take a hacker upwards of 2,000 years to crack a password randomly generated by Keeper. That saves me the trouble of thinking up complicated passwords I am guaranteed to forget.
Solving the BYOD Pain Point
Automatic password generation has another benefit: it simplifies managing network passwords. Coupled with its Keeper for Groups offering, securely sharing information from whatever device you prefer sounds like heaven. Social media management accounts, documents, pretty much everything you email back and forth. Guccione mentioned how real estate agents use it to store codes for houses, files and other information normally kept in a paper file in a cabinet or in their hands if showing a house.
System administrators have control through an admin panel. If an employee leaves, say, the system administrator can disconnect the employee and lock him or her out of the company network.
Obvious question: what about the personal stuff the employee stores in Keeper? Not a problem, Guccione said, because Keeper is so nuanced the employee only loses access to company information, not personal information. When the employee has been disconnected or otherwise dropped from the company network, the next sync removes all company-related information, leaving the personal information behind.
I had one other question: how long does it take to set this up? Answer: about an hour for 1000 employees.
Keeper was built to be mobile first, and is working backward. The mobile experience is fantastic, but it also has a browser extension for Chrome, Internet Explorer, Safari and Firefox. It’s platform agnostic so it syncs with your device of choice. Its search function is pretty nifty, and simplifies trying to find something if you have a number of records. It comes with unlimited storage and has a tiered pricing structure:
- $9.99/yr for a single user, one device, includes full backup and protection.
- $29.99/yr for a single user with multiple devices, includes full backup and protection.
- $59.99/yr for a group, multiple devices, includes full backup and protection.
I’m still awed it takes about an hour to get 1000 employees up and running on Keeper.