LastPass, the password manager that lets you manage your passwords between different devices, was recently hacked. From this there has been a fair amount of FUD circulating and not enough rational thought. With that in mind, this seems like a good time to talk about password security and LastPass with some rational ideas. Since we can't get rid of passwords just yet we need to manage them well.
1. LastPass Detected The Breach
No useful system is impenetrable. Computers not connected to the Internet, that don't even have a network card, have been hacked across an air gap using their speakers and mic. The most up to date systems still suffer from zero-day exploits.
Two of the elements of an organization that takes security seriously are keeping certain pieces of data separate and detecting when a breach occurs. From the LastPass announcement of the breach we can see these two things in action. While some information was obtained the actual vaults of passwords were not downloaded. And, they detected there was a problem and enough monitoring in place to distinguish what was effected.
I can't overstate how nice that is to hear. Many organizations won't detect if they have been breached. Even many of those that could detect a breach wouldn't be able to tell you what was affected. That's right, many of the places you put personal information couldn't do what LastPass did.
2. LastPass Responded To The Breach
Even though the password vaults were not taken LastPass is having everyone change their vault password. They detected the problem and are going the extra mile to protect their users.
Now, let's consider an alternative option. Consider a 1Password or KeePass user who stores their information in Dropbox or a similar service. A malicious program on one of their systems could have taken their vault and sent it to an attacker. Those users would not have known. Or, the service could have been hacked but since it's not password specific who would have suggested changing the master password?
I'm not trying to defend LastPass. It's a matter of considering the alternatives and the security measures around them. Is a 1Password or KeePass alternative setup actually more secure in practice?
3. Different Passwords For Different Sites
There's a good reason to have a different password or passphrase for different sites. You can't trust that a site you submit it to will store it securely so that it won't be misused to access other sites.
With all the sites we connect to we it's difficult to remember a different password for each site. Congratulations if you can do that. For the rest of us we need a system to help.
This is where a password manager is useful. That is, until we can stop using passwords for something better. So, use a password manager if you can't otherwise have a different password for each site. It's more secure than using the same password everywhere.
Note, I'm not recommending a particular password manager on purpose. Use a good one.
4. Security Is Not About Perfection
There is no such thing as perfect security. Security needs to be practical. For example, for most people it's more security to use a password manager than to use the same password everywhere. Neither is perfect but when you weigh the differences the password manager comes out as more secure.
In a distributed device world where we need passwords on more than one system it's good to go with a system that does this for you. A system that focuses on security and handling issues that come up. You could roll your own solution. But, will it be more secure? For most people the professional solution is the more secure one.
When considering password security choose the one that's more secure for you rather than seeking the perfect option.
5. When Not To Use A Password Manager
There are some places I would recommend not using a password manager. For example, I would recommend not using one for your financial sites. Those few places that are very important use a passphrase.
6. Encrypt Your Password Store
In our multi-device world you'll likely need to share your password datastore between devices. And, any device can be hacked even if you don't need to use multiple devices. Imagine a virus on a computer looking for your password excel file and uploading that to someone bad. It happens.
Use an encrypted datastore. This is why password managers are important. They are designed to store your data in an encrypted manner. This way, if someone gets your data store they will have a very hard time reading it. Before they can get to anything they'll need to break the encryption which isn't so easy.
That means, even if an attacker had gotten the password vaults from LastPass, which they didn't, they would not have been able to read the data in them.
7. Limit Your Attack Vector
One of the problems with LastPass is that they are a known password manager. That makes them a target if someone wants to try and get passwords.
Alternatives that store their distributed information in general purpose systems pose a different attack vector. For example, if you use 1Password or KeePass and store your information in Dropbox you can still be hacked. Dropbox has been externally hacked in the past and other applications can access your Dropbox folder.
Using alternatives to LastPass doesn't mean you won't be attacked. Take a few minutes and consider the attack vectors of the different solutions you're considering and how each of those will detect a breach and respond to that.
For example, I could self host my encrypted file on the Internet somewhere. This would be managed by me and wouldn't be a known system for someone to target. But, the IPv4 addresses are regularly checked for known vulnerabilities so attackers and get onto a system a poke around. That is the entire IPv4 space, which is still the only space routable for all things, is regular checked. Will I keep everything on that system up to date? Will I detect if someone broke into the system? Will I respond appropriately? All of this needs to be taken into account.
Final Thoughts On LastPass
I'm not trying to defend LastPass. I'm trying to give a little more of a holistic picture of security. It's complicated and any alternatives to a LastPass or LastPass-like solutions need to have their security considered. Viewing the options with security and attacks in mind keeps everything in perspective.