2

Which is better, when you have choices between 2 competing products:

  • First one, which has never been publicly reported about being hacked or having security holes

or

  • Second one, which has had bad days in the past, and was hacked (critical leakage) 1-2 times in recent years (which has been then fixed).

The argument which comes to my mind is to lean toward the 2nd choice. The 1st product developers could become loyal, used to think that their product is not vulnerable and don't much care about that, while the 2nd product's developers & management should definitely be worrying & working hard (if they are competent) on security details and development, to raise their reputation.

What is the stronger argument toward any of them?

EDIT: (To say in details, both are top password managers - both are used by millions of people).

T.Todua
  • 2,727
  • 4
  • 21
  • 30
  • 1
    Two points: a) No, the employees of a hacked big company are not working harder etc. In a average corporate setting, the relevant employees wait until management gives them time/money/directions etc. for improving security, and the relevant manager doesn't because he has no idea what they need. Bottom line is that on the long term nothing improves. – deviantfan Oct 14 '18 at 13:05
  • 2
    b) A big factor is the reason for being hacked. I'd rather go to someone not noticing the NSA broke in, rather to someone who noticed a grade schooler used an SQL injection to delete all data. – deviantfan Oct 14 '18 at 13:05
  • @deviantfan why not you convert these comment into post ? as its nice answer, i will definitely upvote. – T.Todua Oct 14 '18 at 13:13
  • 1
    I don't think that these information provide sufficient information to decide which product to prefer. A product might not be ever hacked since it is not worth (i.e. nobody uses it) but also because it was designed with security and robustness in mind everywhere. A product might be hacked because the companies/developers don't care and/or have no idea what they are doing or it might be hacked because it is heavily used in important places so an attacker puts lots of effort into hacking it. I therefore propose to close the question as too broad or since answers will be primarily opinion based. – Steffen Ullrich Oct 14 '18 at 14:21
  • @SteffenUllrich Dear steffen, i have clearly stated two competitor programs on market, very serious security software, millions of people using. I didn't want to name them in question (actually i speak about LastPass and 1password), so i think it's not too broad question, instead i wished some reasonable advises. thanks. – T.Todua Oct 14 '18 at 19:34
  • 1
    @T.Todua: while you have specified that these are two competing products this does not mean that any of these has a significant market share (one can also be a newcomer). You did not say anything from both having millions of users. You did not even say that this is a question with real products in mind. – Steffen Ullrich Oct 14 '18 at 19:37
  • @SteffenUllrich thanks so i've updated the question :) – T.Todua Oct 14 '18 at 19:38
  • 1
    IMHO, beside the breach context, damage control and aftermath is equally important. Trustworthiness is ironically somewhat subjective to human perspective. There is no way to measure whether a previous hacked services is safer as there is always new exploit in the wild. So it is depends on human perspective of how much you willing to trust the services(and take you own risk measurement) with own justification on trade off (e.g. due to conveniences of services). – mootmoot Oct 15 '18 at 08:58
  • @mootmoot you'd better have posted that as answer, i will upvote. – T.Todua Oct 15 '18 at 09:05

4 Answers4

4

It is safer to trust the product that has been tested thoroughly and has had weaknesses fixed. Many times, a successful hack can act as a form of robust test.

But being hacked does not equate to being safer unless the underlying problem has been fixed.

A product that has not been tested, and hence, has not been fixed, provides a false sense of security in that the product has "never had a problem". That's why penetration tests, audits, bug bounties, and public disclosures are useful.

But being hacked, or tested, means nothing without proper fixes to the underlying weaknesses. Adobe Flash has been fixed countless times, but it never become more secure because the underlying problems were never properly addressed.

RSA encryption has never been hacked, but has been tested thoroughly. One should not trust the encryption algorithm that has been hacked in the past.

It's not about the hacks, but about how it was fixed.

schroeder
  • 129,372
  • 55
  • 299
  • 340
2

As Steffen said in a comment, there is really too little information in the question to make any reliable judgement whatsoever. There are many factors each of which has a significant impact on the overall security of a product:

  • How important security was in the design of the product.
  • How much effort went into testing the security of the product.
  • How good the product developers were in designing and testing for security.
  • How many people use the product. (Hackers target widely used products for greater impact.)
  • How many important people use the product. (Hackers also target products that important people use.)
  • How well is the product known. (Hackers cannot hack products that they do not know about...)
  • How quickly the developers patch known security vulnerabilities.
  • ...

Furthermore, past history is statistically a good indicator of future behaviour. A company that is well-known for pushing product releases even with known bugs is a much worse option than a company that is well-known for fixing all known bugs before releasing. One should not expect a company that has a regular history of egregious security bugs in their software to suddenly have a reduced rate of such bugs.

user21820
  • 623
  • 1
  • 6
  • 13
  • thanks, i wished i could accept two answers at the same time.

    btw, i spoke about LastPass and 1password to say in details.

     – T.Todua Oct 14 '18 at 19:36
  • @T.Todua: Ah okay. Yes in the future try not to change the question too much, so that it is not a moving goalpost. In this case, it's good that you have narrowed the question down to two particular pieces of software, in which case people who have the technical expertise to analyze them are whom you should be asking. I say this because security vulnerabilities fall across a very wide spectrum, so even counting past 'critical' vulnerabilities will probably not provide an accurate assessment of how poor its security is. – user21820 Oct 15 '18 at 03:47
  • @T.Todua: In your case, both are attractive targets to hackers, so I think the main factors you should be looking at are the first three in my list, which are of course not that easy to assess without technical expertise and extensive research. That said, if you are forced to choose without further research, I would think that the one without known vulnerabilities so far is likely to be a more secure option, since both lastpass and 1password have been around for about a decade and are both widely used. – user21820 Oct 15 '18 at 03:53
1

Initially I considered the question to be not answerable, since all what was known about these products was that vulnerabilities were found (and fixed) in the second product but not in the first one. The OP now provided more information which changed the question significantly (bad idea since answers exist already, anyway...).

It is now clear that these are two password managers where each has a significant user base. Potentiell attackers will likely see both as very attractive targets. And similar security researchers will try to find and publish vulnerabilities since finding vulnerabilities in such a critical software increases their status as capable researchers. Also, both products have bug bounties to encourage such research.

One can thus assume that both products get lots of outside analysis. I find it unlikely that one of these products gets significantly more outside analysis than the other one. Based on this I would argue that the software with no known vulnerabilities so far might have been created with a more secure design from start and that the managers and developers of this product took security more seriously in the past than the managers and developers of the other product.

It might of course be that the second product now has achieved a similar quality but I don't think that it surpassed the first one. Especially I don't share the argument of the OP that the developers of the first product might not care that much anymore since they never had issues - since there are many outsiders interested in finding vulnerabilities any vulnerabilities slipped in because of such laziness would likely be found quickly.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
0

Unfortunately, unlike the black and white of mathematics, you are talking about trustworthiness, which is subject to human perspective, which is more towards human psychology heuristic.

One cannot measure how a hacked service will lead to better security as new security flaws or zero-days will occur from time to time.

So all will dwindle down to how you think about the trustworthiness of the product or service. Whether you like it or not, the branding of the product or service will affect how the user justifies whether they will continue to use the product. The better the overall branding of the product or services, the better chance it will retain the customer trust compared to an unknown brand.

This is the similar mentality to the popularity of a fast-food franchise in a tourist attraction area: if you never read restaurant reviews, you are going to go to the nearest fast-food place than a tourist restaurant that may or may not rip you off, or served something that will give you a stomach ache.

So for security products, it makes sense for users to think what the popular brand has a lot to lost compare to a no-name brand that "never being hacked". Indeed, it is an average good decision.

schroeder
  • 129,372
  • 55
  • 299
  • 340
mootmoot
  • 2,407
  • 11
  • 16