Chatting with SafetyDetectives about Password Management

Sticky Password founder Alex Tischenko sits down for an interview with SafetyDetectives.

Thank you for your time today, can you introduce yourself and talk about your current role at Sticky Password?

Hi, thanks for the opportunity for an interesting discussion with SafetyDetectives. I’m Alex Tischenko, founder of Sticky Password, which I launched in 2001 at a time when there were very few solutions for the growing “problem” of passwords – and these were primarily copy-paste from a database into websites. My idea was to make it automated, easier to use and more secure. And even today, the goal remains the same. Personal information security is becoming more important and more complex these days. It is a challenge to keep it easy to use for our users.

What sets Sticky Password apart from other password management tools in the market?

Sticky Password has proven itself since pretty much the beginning of password management. Beyond the security, privacy, usefulness and convenience enjoyed by our customers, we are known for our lifetime license and for putting them in control of their data by letting them decide whether to use the cloud for backup and syncing or to take advantage of our local sync and local-only backup.

Unlike cloud solutions – which is what the majority of other products are based on – our focus is on native platform development. We do this because it minimizes the risks connected to commonly-used cross-platform frameworks and managed languages. Even so, the “Cloud” shouldn’t be looked at as a bogeyman that must be avoided at all costs. Sticky Password customers get the best of both worlds, and can decide where their data is stored and accessed: on our secure servers in the cloud, or only on their devices.

How does Sticky Password approach user privacy, especially in light of increasing data breach incidents?

Customers trust Sticky Password with their passwords; they trust us to ensure not only that unauthorized access doesn’t happen, but that we will respect their privacy in basic things like not revealing or selling their email addresses. It’s our job to protect their data, and we take that responsibility very seriously!

We conform to the EU General Data Protection Regulation (GDPR), and collect only the minimum personal information and, of course, we do not sell email addresses. Our privacy policy can be found here.

When it comes to customer databases – the passwords, logins, secure memos, etc. stored by our customers – all data fields stored in Sticky Password databases are encrypted. Only metadata like row numbers and field names is stored in an unencrypted format. And our zero-knowledge model allows us to ensure privacy and security even in our real-time dark web monitoring service by processing data on the local device.

What are the risks of storing passwords in browsers compared to dedicated password managers?

Most people don’t consider their browser to be a security tool and so they often don’t exercise even the most basic caution when using it. While most security tools can be used out of the box (including Sticky Password), it’s important to have security and privacy at least in the back of your mind when doing things online. It goes without saying that as users of the internet, we all need strong, efficient security tools, but even when we have these tools in place, we should never just turn off our instincts, or intuition, to the threats we can be exposed to online.

Browsers, much like internet routers or firewalls, serve as a primary interface for connecting with the external digital world. This ‘frontline’ position makes them particularly vulnerable to a variety of threats. An external password manager, especially a native platform application, can be thought of as working behind the lines; as such we can look at the interaction with the browser as limited and controlled by actions of the user. This detachment between the browser and the password manager benefits from additional layers of protection that include an encrypted database, secure backup storage, and second-factor authentication. These features collectively reduce the risk of your passwords being compromised by malicious websites or injected scripts.

What steps should individuals take if they suspect their password has been compromised?

The key understanding is that the value of our personal data for hackers and online bad actors is growing! Whether it’s your name and credit card or ID info, or your logins and passwords – there are people out there who want it and who know how to benefit financially from it.

It’s also critical that individuals understand that they can take action to protect themselves: steps they take can stop threats and improve their security. In other words, with a little bit of attention and having basic security applications in place, we are not helpless against the ‘bad guys’ – and that really is good news!

Now let’s get into it. There are two broad areas of what we mean by someone having their password compromised:

    • was the person notified by dark web monitoring that their login/password was included when a service they used was hacked?
    • or was there suspicious activity on the individual’s device or online account? Keep in mind that suspicious activity is anything that the person feels is out of the ordinary.

Sticky Password’s Dark Web Monitoring identifies for customers which of their login/password pairs have been found in the huge and growing volume of breach data that is being transacted on the dark web. Sticky Password lets users know which of their accounts were involved and empowers users to take action to protect themselves: typically starting with changing the password to a ‘long, strong and unique’ one generated by our random password generator, and contacting the bank or vendor that was hacked to cancel credit cards or the account itself.

When you see or suspect something suspicious, switch to another trusted device. This is simply because if your current device is compromised with a keylogger or other malicious software installed on it, trying to safely make changes on the device won’t be effective. Make changes to accounts/passwords on the other device and then work on remedying the malware on the affected device.

    • If switching to another device is not possible, run a malware scan on your current device and turn on the “Anti-spy” feature in Sticky Password’s virtual keyboard to fool any keyloggers and screen recorders.
    • Change the Master Password in the password manager itself. This should minimize the risk of the next steps being compromised.
    • Change the password in the system which you suspect to be compromised. Change passwords in other linked accounts, for example, if you suspect your mailbox was compromised, change passwords for all accounts where this email address is used.
    • We strongly recommend keeping an eye out for any suspicious activity in your accounts, such as new device connections.

How does Sticky Password envision the future of digital identity management, and what role do passwords play in that future?

Digital identities will evolve. Slowly, back and forth, like every evolutionary process. While users tend to prefer convenient and easy-to-use systems, other factors push them to think about security, often at the cost of additional inconvenience or expenses: there’s always a trade-off.

For most of the (relatively short) history of the Internet and still today, our identities are scattered across different services. Every website has an account that holds data about our identity, protecting the data with a password and additional mechanisms. In general, the stronger the password, the better our identity is protected.

Then there was a shift: major tech companies like Microsoft and Google promoted the Single Sign-On concept in which the Tech Giant is the holder of our identity data and allows us to choose which parts of this data will be available to other sites and services when we want to sign in to these other sites. We own our identity, but while our identity is stored on someone’s servers, they – the Tech Giants – can (and do!) use this data for their own benefit (primarily targeted advertising, training AI, etc.). This approach is popular because it is very easy to use, but it also creates many concerns about identity ownership and privacy. Also, the Tech Giants are the primary targets for hackers, which makes our identities vulnerable.

Now we are seeing a shift back – Passkeys are an emerging technology returning us to identities that are held by individual services, but better protected against phishing and compromise because of advanced technology. But even these services are still vulnerable to attacks and bad actors.

Possibly, in the future, digital identities will be decentralized using a kind of blockchain technology. Passwords, passkeys, biometrics or other types of keys will be used to protect access to the identity. As individuals, we will be able to decide what data to provide and where.