Are password managers safe?
What is a password manager?
A password manager is a computer program and/or cloud service that stores and manages a user’s or a company’s secrets. Beyond storage, a password manager may generate strong random passwords, check stored passwords against breach databases, and synchronise across devices through the vendor’s own cloud. Some password managers can also keep the database offline, or in third-party cloud storage of your choosing.
LastPass 2022 breach
On the 22nd of December 2022, LastPass disclosed that:
“an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.”
Notice of Recent Security Incident - The LastPass Blog
This followed a disclosure in August 2022 that a threat actor had gained access to LastPass’s development environment through a compromised developer account; at that time the company stated that customer vaults had not been accessed.
Zero Knowledge architecture
The expression “Zero-knowledge architecture” (ZKA) is frequently used by password manager vendors and other software vendors to describe their products.
It is a design approach intended to remove the need to trust the server, or the network between the server and the client.
In a ZKA design, no keys or other sensitive material ever leave the client in a form the server can decrypt: encryption is performed client-side with a key derived from the master password, and the service stores only ciphertext. The trade-off is that all trust moves to the device on which the encryption is performed; if that device is compromised, ZKA offers no protection.
The issue with the LastPass breach is that not all of the data in a vault was encrypted: some fields, such as website URLs, were stored in plaintext alongside the encrypted usernames and passwords. An attacker holding a stolen vault can read that metadata without cracking anything and use it to learn which services a target uses. In some cases, where a secret ends up in one of those plaintext fields for whatever reason (a token embedded in a URL, for example), that secret is, well, not secret any more.
The ideal outcome here is similar to losing a device protected by full-disk encryption (FDE): a very annoying episode, but without the key every single piece of data remains secret.
Kerckhoffs's principle, Shannon's maxim and security by obscurity
Of Auguste Kerckhoffs’s six principles of military cryptography, the second is still very much applicable today:
It should not require secrecy, and it should not be a problem if it falls into enemy hands;
Claude Shannon later restated the same idea as “the enemy knows the system”. Security by obscurity is the opposite approach: it relies on keeping the design and implementation of a system secret in order to protect the secrets the system contains. A well-designed vault should assume that the attacker has the encrypted blob and knows exactly how it was encrypted; the only thing that needs to stay secret is the key, which in practice means the master password it is derived from.
What do I do if I/my company use LastPass?
If your master password for LastPass is weak or reused then you need to change it now. This will not stop a copy of the vault that has already been stolen from being cracked, but it will at least protect the current version from being accessed with that bad password.
A weak master password makes a stolen vault easier to crack, whether by brute force or by trying passwords of yours that have appeared in earlier breaches. Remember that multifactor authentication (MFA) does not protect against this: MFA is checked by the server at login time, and an offline attack on a stolen vault never talks to the server.
Out of an abundance of caution, LastPass users with anything other than a very strong and long master password should consider changing the passwords for all accounts in the vault, starting with email and anything used to sign in to other services. While you are at it, turn on MFA for accounts that do not already have it. MFA does protect you there, because login attempts for those accounts are made online, where the second factor is evaluated.
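The following is an added example, not code from the original post or from LastPass, showing why the advice above holds: an attacker holding a stolen vault can test master-password guesses offline with nothing but CPU time, so MFA (which only the server checks) never slows them down, and only the strength of the master password does. Everything here is a hypothetical stand-in: the vault key is assumed to be PBKDF2-HMAC-SHA256 over the master password and a per-user salt, the "check value" in the blob stands in for an authentication tag or known header that confirms a correct key, the iteration count is assumed, and the wordlist is constructed. The same block also covers the key points at the end of the post about generating random passwords of at least 16 characters, by showing the size of that keyspace.

```python
"""Offline attack on a stolen, client-side-encrypted vault (added example).

Assumptions, all hypothetical: vault key = PBKDF2-HMAC-SHA256(master password,
salt); the stolen blob carries a check HMAC that lets a guess be verified.
"""
import hashlib
import hmac
import math
import secrets
import string

ITERATIONS = 100_000  # assumed work factor; real products vary
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client-side key derivation. The server only ever receives the salt and
    ciphertext, never the master password or this key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_check_value(vault_key: bytes) -> bytes:
    """Stand-in for anything in the blob that confirms a correct key.
    Note what is NOT an input here: any MFA secret or one-time code."""
    return hmac.new(vault_key, b"vault-check", "sha256").digest()


def offline_crack(check_value: bytes, salt: bytes, candidates, iterations: int = ITERATIONS):
    """Dictionary attack against the stolen blob. No server, no rate limit,
    no MFA prompt: the only cost is key derivations on the attacker's hardware."""
    for guess in candidates:
        key = derive_vault_key(guess, salt, iterations)
        if hmac.compare_digest(make_check_value(key), check_value):
            return guess
    return None


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random password of the kind the key points recommend (CSPRNG, not random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed wordlist standing in for passwords harvested from earlier breaches.
WORDLIST = ["123456", "password", "Password1", "letmein", "Summer2022!", "qwerty123"]


def demo(iterations: int = ITERATIONS) -> dict:
    salt = bytes(range(16))  # constructed; a real client stores a random per-user salt
    # A user who reused a password from an old breach as their master password.
    weak_blob = make_check_value(derive_vault_key("Summer2022!", salt, iterations))
    # A user with a long, generated master password.
    strong_blob = make_check_value(derive_vault_key(generate_password(24), salt, iterations))
    return {
        "weak_cracked": offline_crack(weak_blob, salt, WORDLIST, iterations),
        "strong_cracked": offline_crack(strong_blob, salt, WORDLIST, iterations),
        "bits_16_printable": keyspace_bits(len(PRINTABLE), 16),
    }


if __name__ == "__main__":
    result = demo()
    print(result)
    print(f"years to exhaust a 16-char random password at 1e10 guesses/s: "
          f"{years_to_exhaust(result['bits_16_printable'], 1e10):.3e}")
```

The weak vault falls to a six-entry wordlist; the generated one never will, because a uniformly random 16-character password over 94 symbols has roughly 105 bits of entropy. The iteration count only scales the attacker's cost linearly, whereas each extra random character multiplies it by 94, which is why the post's advice is about the master password rather than the vendor's work factor.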
Furthermore, and crucially, not all data in the vault was encrypted, so some data and metadata (such as the URLs of the sites you hold accounts with) are readable by whoever holds the stolen vault. This gives those threat actors other attack vectors, such as targeted phishing of the accounts they now know you have.
LastPass’s form here hasn’t been great and frankly, there are better options on the market.
Alternatives
1Password - password manager for families, businesses and teams
Bitwarden - open source password manager
KeePass - KeePass Password Safe (open source, offline database)
A Password Book:
Writing passwords down does not rely on obscurity any more than an FDE laptop does; its security rests on physical access to the book. For many people that is a perfectly acceptable way to do things, if their threat model allows it. For most people it will: their primary concern is remote attackers, who cannot read a notebook kept at home, not someone with physical access to their house.
You can get a handy password book from Amazon.
Multifactor
Use multifactor wherever it is allowed. Broadly, from ‘best’ to ‘worst’:
Hardware tokens like YubiKeys are considered the ‘best’
Biometric second factors like a fingerprint, face, iris, and voice recognition.
Authenticator apps without push notifications
Authenticator apps with push notifications
SMS/voice call
Conclusion
Yes, they are safe. Well-architected password managers are safe whether you choose to keep the database offline or synchronise it via the cloud.
The vendor must be transparent about its zero-knowledge architecture, and you must use a strong master password, generate strong unique passwords for every account, and use multifactor authentication for everything.
Weak and reused passwords are the enemy.
Key points
Still use a password manager (or book)
Never, ever, re-use passwords
Generate random, unique passwords of at the very least 16 characters
Use the best multifactor you can for every account, especially email, social media and any identity provider you use for federated or OAuth sign-in
Use a very long master password for password managers
Use a multifactor passwordless sign-on method if available