7 Security Tips Any Small Business Can Master

Small businesses are the backbone of the American economy. Unfortunately, they’re also one of the worst cybersecurity risks. Small businesses were the target of 43% of cyberattacks in 2015, up from 18% four years earlier. Many small business owners aren’t computer-savvy and can’t afford the time and expense to hire security professionals, but you don’t have to be a techie to take the following measures, many of which can be implemented by trusted employees, freelancers or even a savvy high school student. They’ll prevent the vast majority of breaches.

  1. Teach Good Password Security Practices

Weak passwords are the most common cause of cyber breaches, and it’s such a simple problem to cure. One technique is to train employees to use mnemonics, such as the first letter of a memorable phrase, combined with some simple letter substitution (“Chicago Cubs Win the World Series at Last!” becomes “CCWtVVS@L!”). Ask employees to change their passwords about every six months. Too-frequent changes can actually encourage people to take shortcuts that increase risk.

A password manager is a great tool for encouraging good password security, since it creates highly secure passwords on demand and stores them so people don’t have to remember anything other than the password for the manager itself. Another effective technique is two-factor authentication (2FA), which backs up a password with a second medium like a texted code or fingerprint. 2FA takes a little more knowledge to set up, but any experienced system administrator will know how.

  2. Buckle Down on Permissions

When setting up a server for a small business, it’s tempting to bypass file- and folder-level security under the assumption that you know and trust everyone in the business. But even if your employees are Boy and Girl Scouts, any hacker who breaches their accounts can run away with your sensitive data. It’s also easy for honest users to mistakenly download or attach privileged information to emails or social media posts.

For your own servers, set all permissions on a “need to know” basis. Use role-based group settings to minimize exceptions. That means senior executives get one level of access, while accounting clerks get another. After all, there’s no need for all your people to have access to financial documents. Making changes at the group level makes administration simpler and more secure.

  3. Secure Wi-Fi Access Points

Setting up a Wi-Fi access point is so simple that it’s easy to forget that it can create gaping holes in your network if not secured properly. Fortunately, adding good security is pretty easy. Most equipment makers give you several security options when setting up their equipment. WPA2-PSK (AES) is considered the best. Choose strong passwords, just as you would with your own login practices, and don’t post passwords in a public place. It’s also a good idea to avoid broadcasting the access point’s name – also called the SSID. Instead, share the name only with people who need to use it.

  4. Teach People About Phishing

Ransomware, which is the fastest-growing form of malware, is spread primarily through phishing attacks, in which users are fooled into clicking on malicious links or attachments that are disguised to look legitimate. The rules for preventing these attacks are simple: Never click on a link unless you are absolutely sure who or where it came from. Teach people how to check for the email address in the “sender” field. Remember that it’s easy to spoof the name of the sender, but you can’t change the email address. If the email doesn’t come from @paypal.com, it isn’t from PayPal.
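The sender check described above can be automated in a mail filter or a training tool. The following is an added example, not part of the original post: it compares the display name with the actual address and also catches lookalike domains that merely contain the brand name. The brand map and the sample headers are constructed.

```javascript
// Added example: flag mail that claims a brand in its display name or domain
// but was not sent from that brand's own domain.
// Assumption: BRAND_DOMAINS lists the senders your staff actually rely on.
const BRAND_DOMAINS = { paypal: 'paypal.com' };

// Split a From header into its display name and its actual address.
function parseFrom(header) {
  const m = header.match(/^\s*"?([^"<]*)"?\s*<([^<>\s]+)>\s*$/);
  if (m) return { name: m[1].trim(), address: m[2].toLowerCase() };
  return { name: '', address: header.trim().toLowerCase() }; // bare address
}

// True only for the brand's own domain or a subdomain of it.
// "secure-paypal.example" and "paypal.com.other.example" both fail this test.
function onDomain(domain, expected) {
  return domain === expected || domain.endsWith('.' + expected);
}

function checkSender(header) {
  const { name, address } = parseFrom(header);
  const domain = address.slice(address.lastIndexOf('@') + 1);
  const reasons = [];
  for (const [brand, expected] of Object.entries(BRAND_DOMAINS)) {
    const claimed = name.toLowerCase().includes(brand) || domain.includes(brand);
    if (claimed && !onDomain(domain, expected)) {
      reasons.push(`mentions "${brand}" but was sent from ${domain}, not ${expected}`);
    }
  }
  return { name, address, domain, verdict: reasons.length ? 'suspicious' : 'ok', reasons };
}

// Constructed sample headers (not taken from real mail).
const SAMPLES = [
  '"PayPal" <service@paypal.com>',
  'PayPal <receipts@mail.paypal.com>',
  '"PayPal Support" <support@mail-center.example>',
  '"Account Team" <service@paypal.com.account-check.example>',
  '"Billing" <help@secure-paypal.example>',
  'Alice <alice@partner.example>',
];

for (const header of SAMPLES) {
  const result = checkSender(header);
  console.log(result.verdict.padEnd(10), header, result.reasons.join('; '));
}
```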

  5. Backup to the Cloud

Speaking of ransomware, the most effective antidote to that scourge is frequent backups so you can recover information even after your storage media has been encrypted. Many commercial services offer continual backups at a modest cost, so that you’ll never lose more than a few minutes’ worth of data. They’re easy to install and well worth the price.

  6. Consider Virtual Desktop Infrastructure (VDI)

If you want to bypass the risk of viruses or phishing attacks entirely, consider this technology, which stores desktops remotely on a server and downloads them when users log on. VDI used to have the reputation of being slow and inflexible, but today’s technology makes the user experience almost indistinguishable from that of a local desktop. Among the advantages are that updates can be pushed to everyone simultaneously and users can’t save or launch applications on their virtual desktops without permission. This gives IT administrators added control and peace of mind.

  7. Use virtual private networks (VPNs) for remote access

A lot of small businesses employ people in remote locations or hire contractors to enhance flexibility and cut down on cost. Or they may simply permit their employees to connect from home or a coffee shop via their laptops or smart phones. But did you know that most public Wi-Fi services don’t offer any protection over the data that traverses them? The best way to protect yourself is to use a VPN that establishes encrypted remote connections so sensitive data is never at risk. Many commercial services are now available at modest cost, with easy setup.

That wasn’t so difficult, right? Keep in mind that one of the advantages of being a small business is that attackers are mainly focused on the big fish. That doesn’t mean you should be complacent, but if you follow these seven tips, your likelihood of being compromised is very low.

Are IT Professionals Turning a Blind Eye to Password Security?

If you are an IT leader, particularly in a mid-sized or small organization, here are some mission-critical data security questions for you to consider.

  • When was the last time you voluntarily submitted to having a security audit focusing on password use in your organization?
  • Have you submitted to a third-party penetration test to assess, among other things, how vulnerable the passwords currently in use in your organization are?
  • How would you rate your visibility into the relative password strengths used by company employees?
  • Have you documented and enforced a formal password policy regarding items such as password complexity and expiration?
  • Does your group lead formal password education seminars for all employees?
  • Have you added additional factors to authenticate users?

If you are shuffling your feet beneath the desk while answering ‘no’ or ‘somewhat’ to these questions, the good news is you aren’t alone. The bad news is that there is a lot you should be doing, but are not, to combat a huge source of data leaks, data theft, and data compromise. In other words, you are turning a blind eye to potentially very costly issues, and blame for such will rightly be cast upon you.

Survey says: Weak passwords far too common

Consider the results of a recent major study that found nearly one in five enterprise users use very weak passwords, or share passwords, making their use ‘easily compromised’ according to survey authors. Businesses with higher than average percentages of compromised passwords also had a higher than average percentage of shared passwords.

Survey authors went a step further, investigating how much time it would take to compromise a password using widely available off-the-shelf cracking hardware/software. For low complexity passwords – those that are enforced only for overall length – most passwords could be compromised in less than one day. Medium complexity passwords – those enforced for length and some measure of complexity such as capitalization or using a digit as the last character – compromise took a week or less. And for high complexity passwords – which amp up the requirement for special characters along with capitalization – cracking could take upwards of a month.

These and other aspects of the survey findings, coupled with widely reported data on the use of compromised passwords to steal sensitive information, should be ample reason for users to adopt optimal password hygiene practices. But the data also shows they simply don’t, for convenience if nothing else. As one blogger and data scientist sees it, perhaps one percent of business users really care or are aware that passwords are often based on patterns, and that these patterns can be tracked and broken in too many cases.

The torch is passed to IT leaders

Thus the onus is clearly upon IT leadership to plug this potentially yawning gap in data security. And there is plenty these leaders can and should be doing to pre-empt the pending disasters awaiting businesses that permit the use of weak passwords.

For starters, it almost goes without saying that consideration of a rock-solid password management solution is job 1. There are several available but no two are created equal. Look for a solution that allows your users to quickly and easily create super high-strength, random passwords without having to actually remember them, while giving administrators the ability to enforce password policies and monitor compliance with the policies you set.

What the better of these systems offer is visibility for IT into all passwords in use. After all, as one major password study found, nearly six in 10 SMBs have no visibility into employees’ password practices. What’s worse, in typical SMBs today, 60% of employees use the same password for everything – and they’re often not strong passwords either.

Next, the importance of ongoing education by IT leaders of all business users cannot be overstated. Education is a pathway to empowerment, and in this regard educating users about password hygiene can make each user better understand his or her important role in protecting data and the organization as well. You don’t necessarily need to conduct password-only education. Just be sure when hosting security training sessions online or live that password security is prominently featured.

By now it should almost be a requirement that multi-factor authentication becomes a business standard. The better password management solutions make it easy to deploy multi-factor authentication, the use of which can dramatically reduce the incidence of compromised passwords. Remember you don’t necessarily need to make things totally bullet-proof to keep hackers and cyber criminals away. Just make it hard enough for them to not want to spend extra time to break in.

Conclusion

We’ve written before that password management is more than an IT problem, and it is: it is also a problem for senior non-IT execs and for business users. But in the scheme of things, particularly in mid-sized and smaller organizations, IT leadership can and should play the biggest and most effective role in protecting sensitive data by ensuring bullet-proof passwords are the norm, not the exception.

Introducing Keeper’s Emergency Access Feature

Charlotte Gibb remembers the panic that set in when she realized that the death of an employee could also inflict severe damage on her business.

The employee was the operations manager at AutoClerk Inc., a developer of property management software for the hospitality industry where Gibb is executive vice president. “It was shocking. He told us about his lung cancer on Monday and died on Saturday,” Gibb remembers.

The event was a tragedy for the small, closely knit company, but there were business consequences as well. The employee also took with him the password to his Keeper account, where he stored a variety of secure information and logins to services containing company-critical data. “We never had a secure transition plan because we never talked about it,” Gibb said.

If Keeper’s Emergency Access feature had been available at the time, they wouldn’t have needed one. Announced last week, the feature gives up to five trusted family members or friends access to a Keeper user’s secure vault in case of an emergency or tragic event.

Anyone with a Keeper password manager account can use the new feature to add or remove people from Emergency Access, as well as to change the waiting period for access to the vault. The process ensures the highest level of security because, in the spirit of Keeper’s “zero-knowledge” approach to customer security, encryption keys are never shared with Keeper Security or anyone else.

Zero-knowledge is what sent Charlotte Gibb scrambling when her operations manager passed away. She called Keeper tech support but they could offer no help because they were unable to decrypt the operations manager’s passwords. Gibb was fortunate to have access to the man’s email account, which she used to generate a password reset. However, Keeper’s multi-layer security procedures require several security questions to be answered to complete that process. Gibb was eventually able to figure out the answers by calling the man’s partner, but it’s a call she would have rather avoided.

No one likes to think about emergencies or untimely passing, but tragedy rarely strikes when convenient. With Emergency Access, Keeper users can now make their own backup plans without awkwardness or complex procedures. Think of it as accident insurance for your critical data.

Q&A with Keeper’s CTO: What’s New In The Data Threat Environment

Keeper co-founder and CTO on the cold hard facts of data security today.

Craig Lurey is co-founder and chief technology officer at Keeper Security. It’s his job to ensure that Keeper’s solutions stay a step ahead of the dangers in today’s hyper-dynamic threat environment. Here’s his take on just what is changing, and how Keeper intends to change as well.

Q: What is changing most profoundly in the threat environment?

A: The use of cloud-based services continues to grow dramatically, whether we know we are using them or not. For individuals it’s not just email, for example, but there is the IoT with things like Nest controllers, cars with hundreds of on-board computers, new AI services like Google Home and Amazon Echo – all interconnected and accessed by everyday devices. That makes all these devices targets, and the personal information on them vulnerable to attack.

Q: What about the traditional threats, like malware and viruses?

A: Malware, ransomware and viruses will continue as major threats for the near term. But as services move increasingly to the cloud, big firms like Google, Apple and Microsoft and the thousands of skilled security professionals they employ are doing a much better job of identifying and stopping such threats.

Q: How do the attackers burnish and refresh their skills in this changing world?

A: It’s actually quite interesting. Today there are researchers and students in universities and think tanks being trained in cyber security, identifying changing threat vectors. Then they publish their findings and initiate discussions and online chats to embellish their knowledge. Problem is, the hackers and bad guys are also there, getting all the latest information on the latest threats and weaknesses in defenses! And there are plenty of weaknesses.

Q: What is it about cloud services that can be risky?

A: Remember that cloud services are all about software, and all software – it doesn’t matter who wrote it – has bugs. These bugs have the potential to become vulnerabilities. With many cloud services, who knows what measures were taken in the development process to ensure security? Who even asks? Consider Cloudflare, which powers some five and a half million websites. It recently disclosed that a software bug gave hackers the ability to access sensitive data in real-time, including passwords, cookies and tokens to authenticate users. Most likely users of cloud services powered by Cloudflare never even heard of the company but nonetheless could have been victimized by the vulnerability presented by the software bug.

Q: What do these many changes in the threat environment mean for passwords and their management?

A: It is more critical than ever before for individuals as well as businesses to focus on the password. For example when it comes to exploiting weaknesses in cloud services, hackers choose the paths of least resistance. For the most part they aren’t going to sit there and try to decrypt SSL traffic. The easiest attack vector for them is the password. They know individuals use the same ones over and over for different services. So they will attack through some random shopping site, for example, and use various widely available tools to break simple passwords. They aren’t going to target Facebook or Google.

Q: What do businesses need in this regard?

A: They need visibility into password usage throughout their organization. They need to know how individuals are managing passwords, if they are being managed at all. Are they being rotated? Where are they controlled? It all comes down to the same issue, and it is access and who has access.

Q: What is Keeper doing to stay ahead of this dynamic threat environment?

A: We go to extreme lengths to protect our customers’ data, so much so that we don’t have access to it. We are a true zero knowledge product. That means we don’t access or decrypt anyone’s data. So if a hacker happened to get the data stored in a Keeper vault, it would be useless. A zero knowledge environment is the extreme end of data protection. Any encryption or decryption is done solely by the users on their own devices. We are after all protecting our customers’ single most valuable piece of information, namely their passwords.

Q: Without giving away secrets, what can customers expect in the future from Keeper?

A: We are building out a series of products that protect users’ data and their identity, and we’ll be doing that not just with passwords but with other kinds of information as well. In essence we are going to bring our zero knowledge architecture to other product platforms.

Q: Anything else?

A: Yes. The field of DevOps is very rapidly emerging, creating a new category of engineers that not only develop software but also then deploy and manage it through its lifecycle. Our customers will see a migration from pure password management to more privileged access where we still manage the password but also the access to DevOps processes as well. In DevOps the engineers deal with all sorts of functions like access to systems, servers, and cloud services as well as to physical devices. So while we at Keeper are building out and improving upon solutions for business users in marketing, sales, HR and so on, we’ll also focus more on IT teams who are often inundated with securing all these access points. Today there are simply no great solutions out there for them.

Q: Has the near total blurring of the lines between personal and business use of many devices presented particular challenges for organizations, and for Keeper for that matter?

A: Users just expect to intermingle personal and business use, especially on their own devices but even those provided by the employer. We encourage our business users to deploy the Keeper data vault to their business users under a business account. But we strongly advocate for using a separate personal vault on the same device for all personal data. We made multi-account switching really easy and completely seamless. So the business has control only over the business data in the business vault. The individual has complete control over what’s in the personal vault.

Why Keeper Supports the FIDO Alliance

IT security experts will tell you that 80% to 90% of breaches could be prevented if organizations enforced stronger password controls. But IT administrators will tell you that convincing people to use strong passwords is a lost cause. No matter how much you educate, cajole and frighten them, a frustratingly large number of people will still safeguard their critical information with “123456.”

That’s why Keeper has joined the FIDO (Fast IDentity Online) Alliance. The FIDO Alliance is working to create technical specifications for an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords. It’s trying to bridge a seemingly contradictory set of objectives. “FIDO is strengthening the authentication process while at the same time making it easier for users,” said Andrew Shikiar, senior director of marketing at the Alliance. “Our goal is to make it easier for enterprises and service providers to move beyond the password.”

FIDO has a unique approach to authentication that uses public key cryptography to create secure authentication credentials that are stored on and never leave the user’s device. Local authentication is important because it both protects user privacy and reduces reliance on passwords stored on third-party servers, which creates an additional vulnerability point. The FIDO Alliance’s approach is in line philosophically with Keeper’s zero-knowledge architecture.

The use of centralized password databases has been behind the damage of some of the world’s largest security breaches. For example, the two attacks on Yahoo collectively exposed more than one billion user accounts to compromise. Cyber criminals can purchase these lists and use them for “credential stuffing,” or testing the login information on other websites. “The success rate for credential stuffing is as high as two percent, which is staggeringly large,” Shikiar said. “FIDO’s approach to strong authentication can take this threat vector away entirely.”

If two percent doesn’t sound like a lot, consider that running one million usernames and passwords through the authentication process of a bank or stock-trading site at a two-percent success rate translates into 20,000 successful accesses.

The FIDO Alliance is promoting two sets of specifications: Universal Authentication Framework (UAF) and Universal Second Factor (U2F). UAF is most typically implemented in mobile apps. No passwords are involved. Users register their device to an online service by selecting a local authentication mechanism such as a fingerprint, PIN or face/voice recognition, at the service provider’s discretion. From there, users simply repeat the local authentication action whenever they log in.

U2F uses a password complemented by a second factor through a FIDO Security Key such as a USB token — proving that the user is in possession of their device. The use of a second factor enables the service to simplify passwords without compromising security.
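The device-held key pair and challenge-response flow described in the paragraphs above can be sketched as follows. This is an added example, not FIDO’s actual message format and not Keeper code: the class names, the origins and the signed-data layout (SHA-256 of the origin followed by the challenge) are simplifying assumptions.

```javascript
// Added example: simplified FIDO-style login with a per-site key pair that
// stays on the user's device. Names, origins and layout are assumptions.
const crypto = require('crypto');

// What gets signed: SHA-256(origin) || challenge, so every signature is
// bound to one site and one login attempt.
function signedData(origin, challenge) {
  const originHash = crypto.createHash('sha256').update(origin).digest();
  return Buffer.concat([originHash, challenge]);
}

// Stands in for the user's phone or USB security key.
class Authenticator {
  constructor() { this.privateKeys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
    this.privateKeys.set(origin, privateKey); // never leaves the device
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(origin, challenge) {
    const key = this.privateKeys.get(origin);
    return key ? crypto.sign('sha256', signedData(origin, challenge), key) : null;
  }
}

// The online service: stores public keys only and issues one-time challenges.
class Service {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  challenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    const pem = this.publicKeys.get(user);
    if (!c || !pem || !signature) return false;
    return crypto.verify('sha256', signedData(this.origin, c), pem, signature);
  }
}

function demo() {
  const site = 'https://bank.example';                           // constructed
  const lookalike = 'https://bank.example.login-check.example';  // constructed
  const device = new Authenticator();
  const service = new Service(site);
  service.enroll('alice', device.register(site));
  device.register(lookalike); // a separate key pair for a different origin

  // Normal login: sign the fresh challenge for the real origin.
  const sig1 = device.sign(site, service.challenge('alice'));
  const goodLogin = service.verify('alice', sig1);

  // An old signature does not satisfy a new challenge.
  service.challenge('alice');
  const replay = service.verify('alice', sig1);

  // A signature produced for another origin does not verify at the real site.
  const c3 = service.challenge('alice');
  const wrongOrigin = service.verify('alice', device.sign(lookalike, c3));

  // What a copy of the server database would contain for this user.
  const record = service.publicKeys.get('alice');
  const serverHoldsOnlyPublicKey =
    record.includes('BEGIN PUBLIC KEY') && !record.includes('PRIVATE');
  return { goodLogin, replay, wrongOrigin, serverHoldsOnlyPublicKey };
}

console.log(demo());
```

Because the service stores only public keys, a copy of its user table gives nothing that can be replayed elsewhere, which is the property the credential-stuffing discussion above relies on.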

The FIDO Client-to-Authenticator Protocol, which is currently in review, provides for the use of smartphones or even wearables as a primary authentication device. Coupled with W3C’s Web Authentication efforts (which will bring native FIDO support to leading web browsers), CTAP will expand FIDO’s reach to a much larger number of users as part of the FIDO 2 project.

In the five years of its existence, the FIDO Alliance has rung up a lot of successes, enlisting more than 250 members ranging from IT organizations to mobile app developers, government organizations, platform providers and financial institutions. Facebook rolled out FIDO authentication in January, extending it to 1.7 billion additional users. Google has been a member since 2014.

Keeper believes in the value of standards as a way to continually move the industry forward. The more organizations that sign on to the FIDO Alliance, the faster the industry can solve the password problem and tackle the next set of challenges. We are proud to be part of that effort.

Keeper Announces Microsoft Edge Extension

LOOK WHAT’S NEW
Hey Windows 10 customers! You’ll be happy to hear that Keeper now has a Microsoft Edge extension. This latest extension will provide you fast and secure access to the Keeper vault right within your browser.

HOW IT WORKS
Now you will be able to utilize Microsoft Edge to quickly and securely login to your favorite online destinations. The extension and Keeper icons appear on the screen as you browse to manage logins, enter passwords and secure your data. The new design also allows the utilization of KeeperFill™ to autofill passwords without navigating away from the current page.

We are so excited to provide millions of Windows 10 users a simple way to manage their passwords from the browser of their choice. The Keeper and Microsoft teams have worked closely together to deliver a “native” feel to the browser that integrates perfectly with your browsing experience.

Microsoft Edge is the faster, safer browser designed for Windows 10. Not only will this latest Keeper extension make your devices and online activity more secure but will also save you time.

WHERE TO GET IT
To download the extension, please visit https://www.microsoft.com/en-us/store/p/keeper-password-manager-digital-vault/9n0mnnslfz1t#.

We look forward to delivering more awesome updates for Windows 10 users in the future. Thank you for your support!

Why Google chose to pre-integrate Keeper SSO Connect into G Suite

We were thrilled last month when Google selected Keeper SSO Connect, our SAML 2.0 service, as one of just nine third-party apps to be included in the search giant’s pre-integrated SSO Apps Catalog. In an earlier post we told you why Keeper and SSO go so well together. Now we’d like to share the reasons why the Keeper solution is unique enough to earn Google’s endorsement.

Even if you’ve never heard of the term SSO (single sign-on), you’ve undoubtedly used it. Whenever you land on a login page that offers you the option of signing in with Facebook, Google, Twitter or other popular social networks as an alternative to creating an account, you’ve seen SSO at work. One example is Fitbit’s login page.

SSO is one of those rare win-win propositions that not only enhances security but also improves the user experience. When used with protocols such as Kerberos and the security assertion markup language (SAML), SSO takes care of most of the complexity of authentication and user identity management in the background.

And SSO isn’t just for public websites; it is also used extensively behind corporate firewalls. For example, companies may use it to make it easier for their employees to log in to multiple corporate accounts, such as email, financial applications, collaboration software and CRM. By deploying SSO, enterprises can greatly reduce the need for people to have to maintain passwords for each application they use. That means fewer helpdesk calls, fewer resets and less risk of compromise due to password theft. Companies can also monitor user SSO activity both to see how applications are being used and also to look for signs of compromise.

One of the most rewarding aspects of the Google endorsement is that Keeper has only been in this market for about six months. Late last year we were approached by one of our customers that wanted to use SSO internally to permit users to authenticate to their Keeper vault. We had a solution ready early in the new year, and it’s been a hit with customers.

There are two big differences between the Keeper SSO solution and most others. One is our ability to store rich information in the vault, including files, sensitive data and access credentials to restricted systems. Our shared password storage capability is useful to enterprise customers because not all applications support SSO. Keeper gives them the flexibility to keep a shared vault of passwords to non-SSO applications in a single, secure place so users can log into whatever systems they need. In another recent blog post we told you about how much some users value encrypted file storage.

The second big Keeper difference is our zero-knowledge security architecture. The customer maintains full control over encryption and decryption of their data. We have no access to the encryption keys, master passwords or records stored within the Keeper vault. This capability has become particularly important to customers in the wake of the OneLogin breach late last month. In that incident, the credentials of potentially millions of individual users were compromised because the encryption keys were kept on a central server. A breach of that kind could never happen with Keeper because we don’t store any sensitive information. That capability lies solely within the hands of the user.

With its decision to include SSO Connect in its third party apps catalog, Google is making it that much easier for customers to implement SSO and SAML. Our own integration is even more extensive. SSO Connect also works with Microsoft’s Active Directory Federation Services and Azure cloud, F5’s BIG-IP Access Policy Manager, Okta’s Identity Cloud, Centrify identity and access management solutions, OneLogin, Ping Identity and the open-source Central Authentication Service.

Latest Keeper Release Incorporates FIDO U2F Security Keys

As a part of Keeper’s core offering, FIDO U2F and YubiKey support will now be available to our individual users and enterprise accounts. With our mission to make the internet secure for everyone we are thrilled to partner with these world class companies to deliver the highest level of security to our customers. The feature is immediately available to all Keeper customers and provides the added protection and security of hardware 2FA for their critical accounts.

FIDO U2F Security Keys are small USB and NFC hardware 2FA devices that can instantly be added to secure Keeper accounts. Once a device is registered, when prompted for the second factor during login to Keeper, a user simply has to touch the device to authenticate and gain access. The YubiKey supports multiple authentication protocols and can protect access to a wide range of consumer and enterprise applications. A single YubiKey can perform authentication to FIDO U2F supported services (Facebook, Google, Dropbox, GitHub, Salesforce, etc.), password managers such as Keeper, Windows login including Windows Hello, remote access, IAM, VPN and much more. The YubiKey works on Microsoft Windows, Mac, Linux, and on major browsers without the need for extra software or drivers.

Keeper will be demoing and giving away YubiKeys at the Gartner Security & Risk Management Summit, June 12-15 in National Harbor, MD. If you are attending this summit please stop by our booth at #601 to learn more.

Why Keeper and SSO Are Better Together

SSO (single sign-on) products provide a digital handshake that allows users to sign in to third-party SAML-compatible cloud services without the need to enter a password. In addition to providing this capability, some SSO identity providers also provide a basic level of password management for websites that do not use SAML. In some cases the password management features inside SSO products do not provide a zero-knowledge solution. This is why we created Keeper SSO Connect.

Keeper SSO Connect is an encryption key management application that runs on-premise. It can be installed on a physical appliance (server) or virtual machine (VM). Keeper SSO Connect supercharges the capabilities of SSO Identity Providers with a powerful password management solution. Keeper provides full zero-knowledge encryption and storage of user-generated passwords and private information.

Keeper, as a zero-knowledge security provider, has no ability to decrypt user records, files, or data stored within the Keeper Vault.

Keeper SSO Connect is not vulnerable to the attack that recently affected OneLogin for one simple reason: the keys necessary to decrypt user records are never made available to Keeper, either through our standard Vault product or through Keeper SSO Connect.

Authorization and encryption keys are derived on the device separately from the user’s master password. Neither the master password nor the encryption key is ever transmitted or stored in Keeper’s vault or cloud storage – the encryption key and master password remain in the client’s control and possession in both Keeper’s standard products and Keeper SSO Connect.

Even if the encrypted data stored in Keeper’s vault were to be obtained by a hacker or a third party, the hacker would need the user’s master password and/or encryption key to decrypt the data – and these are not stored anywhere in Keeper’s vault or databases.
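The zero-knowledge pattern described above can be sketched generically. This is an added illustration, not Keeper's code or its documented scheme: the PBKDF2 work factor, the "auth"/"encrypt" labels, and the `Server` class are assumptions chosen to show that a service can verify a login without ever holding the password or the encryption key.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this sketch


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Client side: stretch the password, then split into two independent keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    auth_key = hmac.new(root, b"auth", hashlib.sha256).digest()    # sent at login
    enc_key = hmac.new(root, b"encrypt", hashlib.sha256).digest()  # never leaves the device
    return auth_key, enc_key


class Server:
    """Hypothetical service that stores only what a zero-knowledge design allows."""

    def __init__(self):
        self.accounts = {}

    def register(self, user: str, salt: bytes, auth_key: bytes) -> None:
        # Keep a hash of the auth key; the password and enc_key are never received.
        verifier = hashlib.sha256(auth_key).digest()
        self.accounts[user] = {"salt": salt, "verifier": verifier}

    def salt_for(self, user: str) -> bytes:
        return self.accounts[user]["salt"]

    def login(self, user: str, auth_key: bytes) -> bool:
        expected = self.accounts[user]["verifier"]
        return hmac.compare_digest(expected, hashlib.sha256(auth_key).digest())


def demo() -> dict:
    server = Server()
    salt = secrets.token_bytes(16)
    auth_key, enc_key = derive_keys("constructed example passphrase", salt)
    server.register("alice", salt, auth_key)
    stored = server.accounts["alice"]
    return {
        "login_ok": server.login("alice", auth_key),
        # A dump of the server's records contains neither key.
        "server_has_enc_key": enc_key in stored.values(),
        "server_has_auth_key": auth_key in stored.values(),
    }


if __name__ == "__main__":
    print(demo())
```

Because the two keys come from the same root under different labels, an attacker who copies the server's records gets a salt and a verifier hash, and still has to guess the master password before any encryption key exists to try.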

Keeper SSO Connect integrates with leading SSO solutions like Azure ADFS, F5 BIG-IP APM, Okta, Ping Identity and Centrify.

Keeper Users Tell Why They Love Secure File Storage

One of the distinctive features of the Keeper password manager is Secure File Storage, but we find many customers aren’t aware that it’s even available.

Secure File Storage gives you 10GB of space on the Family Plan and 1TB on the Business Plan to store anything you like. The files, photos and videos you keep there are protected by the same 256-bit AES encryption and optional two-factor authentication as your passwords.

People find all kinds of uses for secure file storage. J.C. Rausch, a video network engineer at Metro Systems, keeps nearly 300 documents in Keeper Secure File Storage. “I store multiple documents in there ranging from car insurance and renter’s insurance to medical information and lab reports,” he told us. “I also keep important notes that I’ve written to myself. Even though I have backup on my PC, I use Keeper as an encrypted secondary backup.”

J.C. has been using Keeper for over 5 years on his desktop computer and iPhone. “I probably tried four or five different apps, and Keeper seemed to be the easiest and simplest to use. It’s never let me down,” he said.

He didn’t use secure file storage at first, opting instead for one of those internet file-sharing services. But as we’ve seen in recent headlines, even they are susceptible to hackers. “As far as I know, Keeper has never been hacked, and others have,” he said. J.C. still uses public filesharing services for non-sensitive documents, but “for anything I don’t want others to see, I use Secure File Storage,” he said. And with 10GB of storage, “I have so much space available that I plan on going through a lot of my documents and uploading them,” he added.

Happy Guadalupe doesn’t use secure file storage for documents, but he’s found an equally useful application that relates to his job in team admin support at the Coca-Cola Company.

Happy (whose real name is Eduardo, but he’s been “Happy” as long as he can remember) first came across Keeper because he was looking for a way to get his passwords out of a paper notebook and into something more secure. “I was becoming afraid, because that book had become my life,” he said. “Keeper came along and it was love at first sight.”

Keeper has particular value for Happy at work because Coca-Cola’s security settings don’t permit employees on the internal network to save passwords on any sites they visit. “Keeper is a blessing,” he said. “I call it my second brain.”

As an admin, he frequently makes travel reservations for others, and that’s where secure photo storage comes in handy. Experts will tell you that sending personally identifiable information in email is playing with fire, but in Happy’s field of work he frequently needs to exchange credit card information with hotels and travel services. That’s why he files away photos of all his credit cards next to the card numbers in Keeper. When making a hotel reservation, “I can send the photo of the card without sending the number in text,” he said. “After I send it, I immediately delete the message.” So far, most vendors have been perfectly OK with that arrangement.

Which makes Happy, um, happy.

Keeper Secure File Storage is $9.99 per year and included in the $59.99 per year Family Plan for up to five users.