Have you heard of online companies using the new security buzz phrase "Zero-Knowledge"? Do you know what it means? We will discuss what it is and why it's important, but you may be surprised to learn that it is fancy talk for passing the buck.
Over the Christmas holidays, AppleInsider reported that LastPass was warning some users that their master password might be compromised. According to the article, LastPass claims they use Zero-Knowledge, and therefore the threat must have come from a third party as a result of users reusing their master password with other companies. In other words, passing the buck. However, the article also reports users claiming they saw new unauthorized login attempts after each master password reset, which leaves the situation in an interesting conundrum.
We do not want to get into details of that specific situation, as we support anyone trying to remove the frustration of passwords, but rather focus on the misconception that Zero-Knowledge means secure. This is not true.
What is Zero-Knowledge?
Zero-Knowledge, or Zero-Knowledge Encryption, is generally understood to mean that the company or service provider storing your data does not have access to it; only you do. This is misleading. Of course they have access to your data. It is on their servers. What they mean is that they cannot decrypt your data; only you can, with your encryption key, which is typically a password. We would argue this is a very important distinction.
Why is Zero-Knowledge important?
A company implementing Zero-Knowledge reduces the risk that someone inside their company could maliciously steal unencrypted data stored on their servers. This is good. This should be the default.
Zero-Knowledge also reduces, but does not eliminate, the risk of a company accidentally leaking your sensitive data onto the internet due to honest human error. This is good too.
So what is the problem?
The problem is not Zero-Knowledge exactly, but that it is being trumpeted as the next level of online security when really it is just online companies trying to wash their hands of any threat to your stored data. Your data is still stored online, connected, to be conveniently accessed by you and anyone else who can figure out how. Your data will always be at risk.
When a leak does happen, Zero-Knowledge lets service providers deny that the leak came from inside their company. It is more about them than about you, the user.
So is Stash Zero-Knowledge?
Yes, AND zero access! Stash does not have any servers, so we do not store anyone's data; instead, we help users store their own data on their own devices.
What makes Stash different from other companies is where your data is stored. We believe the only way to truly protect your data is for you to control where it is stored, so we flip the online storage model on its head and claim that the stored data is actually more important than the key. If someone cannot access your data, then it is not at risk, regardless of what happens to the key.
The benefit of cloud storage and its convenience is undeniable, but be careful what you store online as it will always be at risk.